Cisco ASA 5505 Configuration Manual page 667

Asa 5500 series

Chapter 31
Configuring AAA Servers and the Local Database
By default, the Inherit check box is checked for each option, which means the user account inherits the
settings from the VPN policy. To override each setting, uncheck the Inherit check box, and enter a new
value:

a. Choose a group policy from the list.

b. Specify which tunneling protocols are available for use, or whether the value is inherited from the
   group policy. Check the desired Tunneling Protocols check boxes to choose the VPN tunneling
   protocols that are available for use. Only the selected protocols are available for use. The choices
   are as follows:

   - IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most
     secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections
     can use IPSec.
   - VPN via SSL/TLS (Clientless SSL VPN) uses a web browser to establish a secure
     remote-access tunnel to a VPN Concentrator; it requires neither a software nor a hardware client.
     Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including
     corporate websites, web-enabled applications, NT/AD file shares (web-enabled), e-mail, and
     other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
   - The SSL VPN Client lets users connect after downloading the Cisco AnyConnect Client
     application. Users use a clientless SSL VPN connection to download this application the first
     time. Client updates then occur automatically as needed whenever the user connects.
   - L2TP over IPSec allows remote users with VPN clients provided with several common PC and
     mobile PC operating systems to establish secure connections over the public IP network to the
     adaptive security appliance and private corporate networks.

   Note: If no protocol is selected, an error message appears.

c. Specify which filter (IPv4 or IPv6) to use, or whether to inherit the value from the group policy.
   Filters consist of rules that determine whether to allow or reject tunneled data packets coming
   through the adaptive security appliance, based on criteria such as source address, destination
   address, and protocol. To configure filters and rules, see the Configuration > VPN > VPN General
   > Group Policy pane.

d. Click Manage to display the ACL Manager pane, on which you can add, edit, and delete ACLs and
   ACEs.

e. Specify whether to inherit the tunnel group lock or to use the selected tunnel group lock, if any.
   Selecting a specific lock restricts users to remote access through this group only. Tunnel Group Lock
   restricts users by checking if the group configured in the VPN client is the same as the user's
   assigned group. If it is not, the adaptive security appliance prevents the user from connecting. If the
   Inherit check box is not checked, the default value is None.

f. Specify whether to inherit the Store Password on Client System setting from the group. Uncheck the
   Inherit check box to activate the Yes and No radio buttons. Click Yes to store the login password on
   the client system (potentially a less-secure option). Click No (the default) to require the user to enter
   the password with each connection. For maximum security, we recommend that you do not allow
   password storage. This parameter has no effect on interactive hardware client authentication or
   individual user authentication for a VPN 3002.

Step 3  To change Connection Settings, uncheck the Inherit check box, and enter a new value:

a. If the Inherit check box is not checked, you can select the name of an existing access hours policy,
   if any, to apply to this user or create a new access hours policy. The default value is Inherit, or, if the
   Inherit check box is not checked, the default value is Unrestricted.

OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM
Adding a User Account
31-21
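
An added example, not part of the Cisco manual: a Python check that reads saved running-config text and lists per-user overrides of the Store Password on Client System and Tunnel Group Lock settings described on this page. It assumes these ASDM fields appear in the CLI as `password-storage` and `group-lock` under `username <name> attributes`; the usernames, group names and config text are constructed.

```python
import re

# Constructed sample of ASA running-config lines (not taken from the manual).
SAMPLE_CONFIG = """\
username alice password CONSTRUCTED-HASH-1 encrypted
username alice attributes
 vpn-group-policy RemoteUsers
 vpn-tunnel-protocol IPSec svc
 group-lock value RemoteUsers-TG
 password-storage disable
username bob password CONSTRUCTED-HASH-2 encrypted
username bob attributes
 vpn-group-policy RemoteUsers
 password-storage enable
username carol password CONSTRUCTED-HASH-3 encrypted
"""

def parse_user_overrides(config):
    """Return {username: {keyword: value}} for each 'username X attributes' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) attributes\s*$", line)
        if m:
            current = users.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        else:
            current = None  # any non-indented line closes the block
    return users

def audit(config):
    """List (user, severity, message) for overrides worth a reviewer's attention."""
    findings = []
    for user, attrs in sorted(parse_user_overrides(config).items()):
        if attrs.get("password-storage") == "enable":
            findings.append((user, "warn", "login password is stored on the client system"))
        if "group-lock" not in attrs:
            findings.append((user, "info", "no per-user tunnel group lock; value comes from the group policy"))
    return findings

if __name__ == "__main__":
    for user, severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {user}: {message}")
```

Users without an attributes block (carol in the sample) inherit every setting and are therefore not listed; review their group policy instead.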


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
