34-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 34 Configuring Easy VPN Services on the ASA 5505
This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within
the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN
hardware client send packets that are larger than the MTU size.
The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPSec, using the default port 10000, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPSec, using the port 10501, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp port 10501
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
To remove the attribute from the running configuration, use the no form of this command, as follows:
no vpnclient ipsec-over-tcp
For example:
hostname(config)# no vpnclient ipsec-over-tcp
hostname(config)#
Comparing Tunneling Options
The tunnel types that the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depend on a combination of the following factors:

- Use of the split-tunnel-network-list and split-tunnel-policy commands on the headend to permit, restrict, or prohibit split tunneling. (See the "Creating a Network List for Split-Tunneling" section on page 30-41 and the "Setting the Split-Tunneling Policy" section on page 30-41, respectively.) Split tunneling determines the networks for which the remote-access client encrypts and sends data through the secured VPN tunnel, and which traffic it sends to the Internet in the clear.

- Use of the vpnclient management command to specify one of the following automatic tunnel initiation options:
  - tunnel: limit administrative access to the client side to specific hosts or networks on the corporate side, and use IPSec to add a layer of encryption to the management sessions on top of the HTTPS or SSH encryption that is already present.
  - clear: permit administrative access using only the HTTPS or SSH encryption used by the management session.
  - no: prohibit management access.

  Caution: Cisco does not support the use of the vpnclient management command if a NAT device is present between the client and the Internet.

- Use of the vpnclient mode command to specify one of the following modes of operation:
  - client: use Port Address Translation (PAT) mode to isolate the addresses of the inside hosts, relative to the client, from the enterprise network.
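The following constructed configuration (added here as an illustration; it is not an example from the guide) shows where each of the factors above is set: the headend group policy controls split tunneling, while the hardware client selects its management option, operating mode, and the TCP-encapsulation and DF-bit settings described earlier on this page. Group names, ACL names, addresses and passwords are placeholders, and the headend tunnel-group syntax assumes the ASA 7.2 release this guide documents.

```cisco
! ===== Headend ASA (Easy VPN server) =====
! Only these corporate networks go through the tunnel; everything else
! leaves the remote site in the clear (split tunneling permitted).
access-list SPLIT_NETS standard permit 10.10.0.0 255.255.0.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
! The hardware client's vpngroup name must match this tunnel-group name.
tunnel-group EZVPN_TG type ipsec-ra
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 pre-shared-key <GROUP-PASSWORD-PLACEHOLDER>

! ===== ASA 5505 (Easy VPN hardware client) =====
vpnclient server 203.0.113.10
vpnclient vpngroup EZVPN_TG password <GROUP-PASSWORD-PLACEHOLDER>
vpnclient username hwclient password <XAUTH-PASSWORD-PLACEHOLDER>
! client-mode: inside hosts are hidden behind PAT from the enterprise network.
vpnclient mode client-mode
! Management access to this client only from the listed corporate subnet,
! carried inside IPSec in addition to the session's own HTTPS/SSH encryption.
vpnclient management tunnel 10.10.5.0 255.255.255.0
! TCP-encapsulated IPSec on a non-default port, with the DF bit cleared so
! packets larger than the outside MTU can still be sent (see the commands above).
vpnclient ipsec-over-tcp port 10501
crypto ipsec df-bit clear-df outside
vpnclient enable
```

Replace vpnclient management tunnel with vpnclient management clear to rely on HTTPS/SSH alone, or with no vpnclient management to prohibit remote administration of the client entirely.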