CHAPTER
1-1
Cisco ASA Series CLI Configuration Guide
1
Setting General VPN Parameters
The ASA implementation of virtual private networking includes useful features that do not fit neatly into
categories. This chapter describes some of these features. It includes the following sections:
• Configuring VPNs in Single, Routed Mode, page 1-1
• Configuring IPsec to Bypass ACLs, page 1-1
• Permitting Intra-Interface Traffic (Hairpinning), page 1-2
• Setting Maximum Active IPsec or SSL VPN Sessions, page 1-3
• Using Client Update to Ensure Acceptable IPsec Client Revision Levels, page 1-4
• Implementing NAT-Assigned IP to Public IP Connection, page 1-6
• Configuring Load Balancing, page 1-12
• Configuring VPN Session Limits, page 1-17
• Configuring the Pool of Cryptographic Cores, page 1-19
Note SSL VPN in this chapter refers to the SSL VPN client (AnyConnect 2.x or its predecessor, SVC 1.x),
unless clientless (browser-based) SSL VPN is specified.
Configuring VPNs in Single, Routed Mode
VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include
either security contexts, also referred to as multimode firewall, or Active/Active stateful failover.
The exception to this caveat is that you can configure and use one connection for administrative purposes
to (not through) the ASA in transparent mode.
Configuring IPsec to Bypass ACLs
To permit any packets that come from an IPsec tunnel without checking ACLs for the source and
destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.
You might want to bypass interface ACLs for IPsec traffic if you use a separate VPN concentrator behind
the ASA and want to maximize the ASA performance. Typically, you create an ACL that permits IPsec
packets by using the access-list command and apply it to the source interface. Using an ACL is more
secure because you can specify the exact traffic you want to allow through the ASA.
To Next Page
Loading...
Need help?
General
