Cisco PIX-515-RPS - PIX 515-R - Firewall User Manual, Page 10
Cisco PIX Security Appliance Release Notes Version 7.2
OL-10104-01
New Features
• (Optional) Requests access policies from the ACS server for a clientless host.
As an ACS client, the security appliance supports the following:
• EAP/RADIUS
• RADIUS attributes required for NAC
NAC on the security appliance differs from NAC on Cisco IOS Layer 3 devices (such as routers) where routers trigger PV based on routed traffic. The security appliance enabled with NAC uses an IPsec VPN session as the trigger for PV. Cisco IOS routers configured with NAC use an Intercept ACL to trigger PV based on traffic destined for certain networks. Because external devices cannot access the network behind the security appliance without starting a VPN session, the security appliance does not need an intercept ACL as a PV trigger. During PV, all IPsec traffic from the peer is subject to the default ACL configured for the peer’s group.
Unlike the Cisco VPN 3000 Concentrator Series, NAC on the security appliance supports stateless failover, initialization of all NAC sessions in a tunnel group, revalidation of all NAC sessions in a tunnel group, and posture validation exemption lists configured for each tunnel group. NAC on the security appliance does not support non-VPN traffic, IPv6, security contexts, and WebVPN.
By default, NAC is disabled. You can enable it on a group policy basis.
For more information, see the “Configuring Network Admission Control” chapter in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
L2TP Over IPsec
Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the public IP network to communicate securely with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Network Access Server (NAS), or a PC with a bundled L2TP client such as Microsoft Windows 2000.
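The paragraph above describes L2TP only at the level of its roles and its UDP port. The following decoder, added here as an illustration and not part of the Cisco release notes or of any Cisco software, shows what actually crosses UDP/1701 when a LAC opens a tunnel toward an LNS: the RFC 2661 version-2 header (T/L/S/O flag bits, tunnel and session IDs, Ns/Nr sequence numbers) followed by attribute-value pairs (AVPs). It builds a constructed SCCRQ (Start-Control-Connection-Request) from a LAC named `lac-test`, which is sample data, not a capture, and parses it back, flagging hidden AVPs (which cannot be read without the tunnel shared secret) and unknown mandatory AVPs, which RFC 2661 requires the receiver to reject. All function names are the example's own.

```python
"""Decoder for L2TPv2 (RFC 2661) datagrams as carried in UDP port 1701.
Useful for reading tunnel set-up in packet captures taken on the LNS side;
with L2TP/IPsec the datagrams are visible only after ESP decryption."""
import struct

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
# IETF (vendor 0) AVP attribute types this decoder recognises (RFC 2661 section 4.4)
AVP_TYPES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             4: "Bearer Capabilities", 7: "Host Name", 8: "Vendor Name",
             9: "Assigned Tunnel ID", 10: "Receive Window Size", 11: "Challenge",
             13: "Challenge Response", 14: "Assigned Session ID"}


def build_avp(attr_type, value, mandatory=True, vendor=0):
    """Encode one AVP: 16-bit M/H/length word, vendor ID, attribute type, then the value."""
    header = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", header, vendor, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Encode a version-2 control message; control messages must carry the L and S bits."""
    body = b"".join(avps)
    flags = 0x8000 | 0x4000 | 0x0800 | 2        # T | L | S | version 2
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def sample_sccrq():
    """Constructed SCCRQ a LAC called 'lac-test' would send to open a tunnel (sample data, not a capture)."""
    return build_control_message(0, 0, 0, 0, [       # tunnel ID 0: no ID assigned to the peer yet
        build_avp(0, struct.pack("!H", 1)),           # Message Type = SCCRQ
        build_avp(2, bytes([1, 0])),                  # Protocol Version 1.0
        build_avp(3, struct.pack("!I", 0x3)),         # Framing Capabilities: sync and async
        build_avp(7, b"lac-test"),                    # Host Name
        build_avp(9, struct.pack("!H", 42)),          # Assigned Tunnel ID chosen by the LAC
        build_avp(10, struct.pack("!H", 8)),          # Receive Window Size
    ])


def parse_avps(body):
    """Split the control-message body into AVPs, validating every length field."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError("truncated AVP header")
        header, vendor, attr_type = struct.unpack_from("!HHH", body, off)
        length = header & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError("AVP length field outside message body")
        avps.append({"mandatory": bool(header & 0x8000), "hidden": bool(header & 0x4000),
                     "vendor": vendor, "type": attr_type, "value": body[off + 6:off + length]})
        off += length
    return avps


def parse_l2tp(datagram):
    """Decode one L2TPv2 datagram (the UDP payload). Raises ValueError on malformed input."""
    if len(datagram) < 2:
        raise ValueError("datagram shorter than the flags word")
    flags = struct.unpack_from("!H", datagram, 0)[0]
    if flags & 0x000F != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    is_control, has_length = bool(flags & 0x8000), bool(flags & 0x4000)
    has_seq, has_offset = bool(flags & 0x0800), bool(flags & 0x0200)
    header_len = 2 + (2 if has_length else 0) + 4 + (4 if has_seq else 0) + (2 if has_offset else 0)
    if len(datagram) < header_len:
        raise ValueError("truncated L2TP header")
    off, length = 2, len(datagram)
    if has_length:
        length = struct.unpack_from("!H", datagram, off)[0]
        off += 2
        if length > len(datagram):
            raise ValueError("Length field exceeds datagram size")
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, off)
    off += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack_from("!HH", datagram, off)
        off += 4
    if has_offset:                                   # skip the optional padding before the payload
        off += 2 + struct.unpack_from("!H", datagram, off)[0]
    if off > length:
        raise ValueError("header runs past the end of the message")
    msg = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}
    if not is_control:
        msg["payload_len"] = length - off            # PPP frame follows the header
        return msg
    if not (has_length and has_seq) or has_offset:
        raise ValueError("control message must set L and S and clear O")
    avps = parse_avps(datagram[off:length])
    msg.update({"avps": avps, "host_name": None, "assigned_tunnel_id": None, "unknown_mandatory": []})
    if not avps:
        msg["message_type"] = "ZLB"                  # zero-length body: a pure acknowledgement
        return msg
    first = avps[0]
    if (first["vendor"], first["type"]) != (0, 0) or len(first["value"]) != 2:
        raise ValueError("first AVP of a control message must be Message Type")
    code = struct.unpack("!H", first["value"])[0]
    msg["message_type"] = MESSAGE_TYPES.get(code, f"unknown({code})")
    for avp in avps[1:]:
        key = (avp["vendor"], avp["type"])
        if avp["hidden"]:
            continue                                  # value obscured with the shared secret; not decodable here
        if key == (0, 7):
            msg["host_name"] = avp["value"].decode("ascii", "replace")
        elif key == (0, 9) and len(avp["value"]) == 2:
            msg["assigned_tunnel_id"] = struct.unpack("!H", avp["value"])[0]
        elif avp["mandatory"] and (avp["vendor"] != 0 or avp["type"] not in AVP_TYPES):
            msg["unknown_mandatory"].append(key)     # RFC 2661: receiver must tear the tunnel down
    return msg


if __name__ == "__main__":
    print(parse_l2tp(sample_sccrq()))
```

On an LNS such as the security appliance the interesting fields for logging are the message type, the Host Name the LAC presents, and the tunnel IDs each side assigns; a data message (T bit clear) only yields the PPP payload length, since the PPP frame itself is opaque at this layer.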
L2TP/IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform.
The primary benefit of configuring L2TP with IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required.
For more information, see the “Configuring L2TP over IPSec” chapter in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
OCSP Support
The Online Certificate Status Protocol (OCSP) provides an alternative to CRL for obtaining the revocation status of X.509 digital certificates. Rather than requiring a client to download a complete and often large certificate revocation list, OCSP localizes the certificate status on a Validation Authority, which it queries for the status of a specific certificate.
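To make the OCSP exchange concrete, the following added example (not part of the release notes and not Cisco code; it uses the Python `cryptography` package, assumed to be installed) plays both sides offline. A constructed test CA issues one certificate; the client builds an OCSPRequest that identifies that certificate by hashed issuer name, hashed issuer key and serial number; the Validation Authority (here the CA's own key) answers with a signed OCSPResponse carrying GOOD or REVOKED; and the client accepts the answer only after checking the signature and that the response really concerns its certificate. The CA name, the peer name and every function name are the example's own.

```python
"""Offline OCSP round trip with the `cryptography` package (assumed installed):
a client asks a Validation Authority about one certificate and checks the
signed answer, instead of downloading the issuer's whole CRL."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca_and_leaf():
    """Constructed test PKI: a self-signed CA plus one certificate it issued (not real certificates)."""
    now = _utcnow()
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name)
        .issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn-peer.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_request(cert, issuer):
    """Client: DER OCSPRequest naming the certificate by hashed issuer name/key plus serial number."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build()
    return req.public_bytes(serialization.Encoding.DER)


def answer_request(request_der, ca_key, ca_cert, issued, revoked_serials):
    """Validation Authority (here the CA itself): look the serial up and return a signed DER OCSPResponse."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued[req.serial_number]                  # responder's own record of what it issued
    now = _utcnow()
    if req.serial_number in revoked_serials:
        status = ocsp.OCSPCertStatus.REVOKED
        rev_time, reason = now - datetime.timedelta(hours=1), x509.ReasonFlags.key_compromise
    else:
        status, rev_time, reason = ocsp.OCSPCertStatus.GOOD, None, None
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
                      this_update=now, next_update=now + datetime.timedelta(hours=1),
                      revocation_time=rev_time, revocation_reason=reason)
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_response(response_der, cert, issuer):
    """Client: accept the answer only if the trusted responder signed it and it is about our certificate."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "UNAVAILABLE"                          # a policy decision point, never equivalent to GOOD
    if resp.serial_number != cert.serial_number:
        return "MISMATCH"                             # answer concerns some other certificate
    # The signature covers the ResponseData (tbsResponseData); an RSA responder key uses PKCS#1 v1.5.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status.name               # "GOOD", "REVOKED" or "UNKNOWN"


def run_round_trip(revoke_leaf):
    """End to end: returns the status the client derives for the leaf certificate."""
    ca_key, ca_cert, leaf = make_ca_and_leaf()
    issued = {leaf.serial_number: leaf}
    revoked = {leaf.serial_number} if revoke_leaf else set()
    response = answer_request(build_request(leaf, ca_cert), ca_key, ca_cert, issued, revoked)
    return check_response(response, leaf, ca_cert)


if __name__ == "__main__":
    print("leaf valid:", run_round_trip(False))
    print("leaf revoked:", run_round_trip(True))
```

The request and response are each a few hundred bytes regardless of how many certificates the CA has ever revoked, which is the size advantage over a CRL that the paragraph refers to; the price is that the client must trust the responder's signing key and decide what to do when the responder cannot be reached (the `UNAVAILABLE` branch), rather than relying on a locally cached list.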