Configuring IPSec Remote-Access Tunnel Group IPSec Attributes - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring Tunnel Groups
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), and UID (User ID).
Step 12
Specify whether to require a successful authorization before allowing a user to connect. The default is
not to require authorization.
hostname(config-tunnel-ipsec)# authorization-required
hostname(config-tunnel-ipsec)#

Configuring IPSec Remote-Access Tunnel Group IPSec Attributes

To configure the IPSec attributes for a remote-access tunnel group, perform the following steps. The description assumes that you have already created the IPSec remote-access tunnel group. IPSec remote-access tunnel groups have more attributes than IPSec LAN-to-LAN tunnel groups:
Step 1
To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes
mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the
remote-access tunnel-group IPSec attributes.
For example, the following command designates that the tunnel-group ipsec-attributes mode commands
that follow pertain to the tunnel group named TG1. Notice that the prompt changes to indicate that you
are now in tunnel-group ipsec-attributes mode:
hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
Step 2
Specify the preshared key to support IKE connections based on preshared keys. For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec remote-access tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
The value xyzx is only an illustration. Use a long, random key that is unique to the tunnel group in production, because any peer that knows the group's preshared key can authenticate IKE Phase 1 to this tunnel group.
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (validate only if the certificate carries the fields needed for the check), and nocheck (do not check). The default is req. With nocheck the appliance accepts whatever IKE identity the peer presents without comparing it to the peer's certificate, so leave the default in place unless a specific peer cannot pass the check.
For example, the following command specifies that peer-id validation is required:
hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)#
Step 4
Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:
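The steps above, together with Step 12 of the preceding procedure, assembled into one complete ipsec-attributes configuration. This is an added example, not text from the Cisco guide. The tunnel-group name TG1 and the key xyzx come from the guide; the trustpoint name CORP-CA, the replacement key, and the choice of DN attributes are assumptions made for this example, and chain and trust-point are the ASA 7.x keywords for the certificate-chain and trustpoint settings (the guide's own command for Step 4 is cut off above). Each weak setting is shown beside the hardened form a reviewer would insist on.

```cisco
! Added example; assumes ASA 7.x, a tunnel group TG1 and an already enrolled
! trustpoint CORP-CA (the trustpoint name is hypothetical).

hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ipsec-attributes

! Step 2: preshared key. The guide's xyzx is a placeholder (weak); the second
! line uses a 32-character random value constructed for this example.
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)# pre-shared-key Hq7vT2mL9xR4wE8nB1zK5cY3uP6sJ0aD

! Step 3: require the peer's IKE identity to match its certificate.
! nocheck (weak) accepts any identity; req is the default and the safe choice.
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)# peer-id-validate req

! Step 4: send the root and any subordinate CA certificates with the
! appliance's own certificate, taken from the named trustpoint.
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)# trust-point CORP-CA

! Step 12 of the preceding procedure: build the authorization name from the
! certificate subject (OU, then CN) and refuse the connection if the
! authorization server does not return success.
hostname(config-tunnel-ipsec)# authorization-dn-attributes OU CN
hostname(config-tunnel-ipsec)# authorization-required
hostname(config-tunnel-ipsec)# exit
hostname(config)#
```

Verify with show running-config tunnel-group TG1; the preshared key appears masked (pre-shared-key *). The command more system:running-config prints it in clear text, so treat saved configurations and appliance backups as key material.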
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 30: Configuring Tunnel Groups, Group Policies, and Users, page 30-10
This manual is also suitable for: PIX 500 series, Cisco ASA 5500 series