Cisco ASA 5505 Configuration Manual page 1281

Asa 5500 series
Configuring IKE, Load Balancing, and NAC
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec
security association. To configure the adaptive security appliance for virtual private networks, you set
global IKE parameters that apply system wide, and you also create IKE policies that the peers negotiate
to establish a VPN connection.
Load balancing distributes VPN traffic among two or more adaptive security appliances in a VPN cluster.
Network Access Control (NAC) protects the enterprise network from intrusion and infection from
worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as
a condition for production access to the network. We refer to these checks as posture validation.
This chapter describes how to configure IKE, load balancing, and NAC. It includes the following
sections:
Setting IKE Parameters
Creating IKE Policies
Configuring IPsec
Configuring Load Balancing
Setting Global NAC Parameters
Configuring Network Admission Control Policies
Setting IKE Parameters
This pane lets you set system-wide values for VPN connections. The following sections describe each of
the options.
Enabling IKE on Interfaces
You must enable IKE for each interface that you want to use for VPN connections.
Enabling IPsec over NAT-T
NAT-T lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT
device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing
NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec
traffic when necessary. This feature is disabled by default.
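The detection and encapsulation described above, sketched in Python as an added example (not Cisco code or part of the original guide). It goes beyond this page by following RFC 3947 (NAT-D hash comparison during IKE) and RFC 3948 (what a datagram on UDP port 4500 can contain); the cookies and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    endpoint = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(alg, cky_i + cky_r + endpoint).digest()

def nat_in_path(peer_nat_d: bytes, cky_i: bytes, cky_r: bytes, seen_ip: str, seen_port: int) -> bool:
    """A NAT rewrote the address or port if the hash the peer computed over its
    own endpoint differs from the hash of the endpoint seen on the wire."""
    return peer_nat_d != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)

def classify_udp4500(payload: bytes) -> str:
    """RFC 3948 demultiplexing of a datagram received on UDP port 4500."""
    if payload == b"\xff":
        return "nat-keepalive"        # one-octet keepalive that holds the NAT mapping open
    if len(payload) > 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                  # non-ESP marker (four zero octets) precedes IKE
    if len(payload) >= 8:
        return "esp"                  # non-zero SPI plus sequence number: UDP-encapsulated ESP
    return "malformed"

# Constructed sample values (documentation and private address ranges).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
CLIENT_REAL = ("192.168.1.10", 500)         # endpoint the client hashes into NAT-D
CLIENT_SEEN = ("203.0.113.5", 1024)         # endpoint the gateway sees after translation

def demo() -> dict:
    sent = nat_d_hash(CKY_I, CKY_R, *CLIENT_REAL)
    return {
        "no_nat": nat_in_path(sent, CKY_I, CKY_R, *CLIENT_REAL),
        "behind_nat": nat_in_path(sent, CKY_I, CKY_R, *CLIENT_SEEN),
        "keepalive": classify_udp4500(b"\xff"),
        "ike": classify_udp4500(b"\x00" * 4 + CKY_I + CKY_R),
        "esp": classify_udp4500(bytes.fromhex("c0ffee0100000001") + b"\x00" * 16),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the "behind_nat" case reports a mismatch, which is the condition under which the peers move the exchange to UDP port 4500 and encapsulate ESP.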
The adaptive security appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-T,
and IPsec over UDP, depending on the client with which it is exchanging data.
Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), Chapter 63, page 63-1
