User's Manual
Table Of Contents
- Getting Started
- Wizards
- Using the Startup Wizard
- Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
- Using the DMZ Wizard to Configure the DMZ Settings
- Using the Dual WAN Wizard to Configure the WAN Redundancy Settings
- Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
- Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access
- Status
- Networking
- Configuring IP Routing Mode
- Port Management
- Configuring the WAN
- Configuring the WAN Redundancy
- Configuring the VLAN
- Configuring the DMZ
- Configuring the Zones
- Configuring the Routing
- Dynamic DNS
- IGMP
- VRRP
- Configuring the Quality of Service
- Address Management
- Service Management
- Wireless Configuration for ISA550W and ISA570W
- Firewall
- Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
- Configuring the Firewall Schedule
- Firewall Access Rule Configuration Examples
- Configuring the NAT Rules to Securely Access a Remote Network
- Configuring the Session Settings
- Configuring the Content Filtering to Control Access to Internet
- Configuring the MAC Filtering to Permit or Block Traffic
- Configuring the IP/MAC Binding to Prevent Spoofing
- Configuring the Attack Protection
- Configuring the Application Level Gateway
- Security Services
- VPN
- About VPN
- Configuring the Cisco IPSec VPN Server
- Configuring the Cisco IPSec VPN Client
- Configuring the Site-to-Site VPN
- Configuring the SSL VPN
- Elements of the SSL VPN
- Configuration Tasks to Establish a SSL VPN Tunnel
- Installing the Cisco AnyConnect VPN Client on User’s PC
- Importing the Certificates for User Authentication
- Configuring the SSL VPN Users
- Configuring the SSL VPN Gateway
- Configuring the SSL VPN Group Policies
- Configuring the SSL VPN Portal
- Configuring the L2TP Server
- Configuring the VPN Passthrough
- Viewing the VPN Status
- User Management
- Device Management
- Remote Management
- Administration
- SNMP
- Configuration Management
- Firmware Management
- Log Management
- Managing the Security License
- Managing the Certificates for Authentication
- Configuring the Email Alert Settings
- Configuring the RADIUS Servers
- Configuring the Time Zone
- Device Discovery
- Diagnosing the Device
- Measuring and Limiting Traffic with the Traffic Meter
- Configuring the ViewMaster
- Configuring the CCO Account
- Configuring the Device Properties
- Configuring the Debug Settings
- Troubleshooting
- Technical Specifications and Environmental Requirements
- Factory Default Settings
- Where to Go From Here
VPN
Configuring the Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliance Administrator Guide 253
8
• IKE Policy: Choose the IKE policy used for the IPSec VPN tunnel. If the IKE
policy is not in the list, go to the IKE Policies page to create new IKE policies.
See Configuring the IPSec IKE Policies, page 254.
• Transform: Choose the transform policy used for the IPSec VPN tunnel. If the
transform policy is not in the list, go to the Transform Policies page to create
new transform policies. See Configuring the IPSec Transform Policies,
page 256.
• Security Time: Enter the lifetime of the IPSec Security Association (SA). The
lifetime of the IPSec SA represents the interval after which the IPSec SA
becomes invalid. The IPSec SA is renegotiated after this interval. The default
is 1 hour.
STEP 5 In the VPN Failover tab, enter the following information:
• WAN Failover Enable: Click On to enable WAN Failover for the IPSec VPN
connection, or click Off to disable it. If you enable WAN Failover, the backup
WAN interface ensures that VPN traffic rolls over to the backup link
whenever the primary link fails. The security appliance will automatically
update the local WAN gateway for the VPN tunnel based on the
configurations of the backup WAN link. For this purpose, Dynamic DNS has
to be configured because the IP address will change due to failover, or let the
remote gateway use dynamic IP address.
NOTE To enable the WAN Failover for Site-to-Site VPN, make sure that the
secondary WAN interface was configured and the WAN redundancy
was set as the Failover or Load Balancing mode.
• Redundant Gateway: Click On to enable Redundant Gateway, or click Off to
disable it. If you enable Redundant Gateway, when the connection of remote
gateway is down, the backup connection automatically becomes active. A
backup policy comes into effect only if the primary policy fails.
- Select Backup Policy: Choose a policy to act as a backup of this policy.
- Failback Time to Switch: Enter the number of seconds that must pass to
confirm that the primary tunnel has recovered from a failure. If the primary
tunnel is up for the specified number of seconds, the security appliance
will switch to the primary tunnel by disabling the backup tunnel.