Table Of Contents
Welcome to the Easy VPN Server Wizard
Group Authorization: Group Policy Lookup
Group Authorization: User Group Policies
Add or Edit Easy VPN Server Connection
Easy VPN Server
The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are "pushed" to the client by the server, minimizing configuration by the end user.
The following link provides general information on the Cisco Easy VPN solution, and other links for more specific information:
http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
Create an Easy VPN Server
This wizard guides you through the tasks needed to configure an Easy VPN Server on this router:
• Choosing the interface on which the client connections will terminate
• Configuring the group policy lookup method
• Configuring IKE policies
• Configuring user authentication
• Configuring group policies on the local database, if needed
• Configuring an IPSec transform set
Create an Easy VPN Server
Click to create an Easy VPN Server configuration on your router.
Launch the Easy VPN Server Wizard Button
Click to start the wizard.
Welcome to the Easy VPN Server Wizard
This window summarizes the tasks you will perform when using the wizard.
Interface and Authentication
This window lets you choose the interface on which you want to configure the Easy VPN Server.
If you choose an interface that is already configured with a site-to-site IPSec policy, SDM displays a message that an IPSec policy already exists on the interface. SDM uses the existing IPSec policy to configure the Easy VPN Server.
If the chosen interface is part of an Easy VPN Remote, GREoIPSec, or DMVPN interface, SDM displays a message to choose another interface.
Details
Click this button to obtain details about the interface you choose. The details window shows any access rules, IPSec policies, NAT rules, or inspection rules associated with the interface.
This button is dimmed when no interface has been chosen.
Authentication
Choose preshared keys, digital certificates, or both.
If you choose preshared keys, you must enter a key value when you configure the Add Group Policy general setup window.
If you choose digital certificates, the preshared key fields do not appear in the Add Group Policy general setup window.
If you choose both preshared keys and digital certificates, entering a key value in the Add Group Policy general setup window is optional.
Group Authorization: Group Policy Lookup
This window lets you define a new AAA authorization network method list for group policy lookup or to choose an existing network method list.
Local Only
This option allows you to create a method list for the local database only.
RADIUS Only
This option allows you to create a method list for a RADIUS database.
RADIUS and Local Only
This option allows you to create a method list for both RADIUS and local database.
What Do You Want to Do?
User Authentication (XAuth)
You can configure user authentication on Easy VPN Server. You can store user authentication details on an external server such as a RADIUS server or a local database or on both. An AAA login authentication method list is used to decide the order in which user authentication details should be searched.
Local Only
This option allows you to add user authentication details for the local database only.
RADIUS and Local Only
This option allows you to add user authentication details for both a RADIUS and local database.
Choose an existing AAA Method List
This option allows you to choose a method list from a list of all method lists configured on the router.
The chosen method list is used for extended authentication.
Add User Credentials Button
Click to add a user account.
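The following is an added example, written for this page and not taken from SDM or from the Cisco documentation, of the IOS commands that correspond to the group policy lookup and XAuth method lists described above, together with the IKE policy, transform set, and crypto map that bind them to the interface on which client connections terminate. All names and addresses (the method list names VPN_GROUP_ML and VPN_XAUTH_ML, the RADIUS server 10.1.1.20, the user vpnuser1, the interface FastEthernet0/0, and the placeholder secrets) are assumptions chosen for the example.

```cisco
! Enable AAA; both method lists the wizard creates depend on it.
aaa new-model
! Group policy lookup, "Local Only": group attributes come from the local database.
aaa authorization network VPN_GROUP_ML local
! User authentication (XAuth), "RADIUS and Local Only": RADIUS is tried first,
! the local user database is used only if RADIUS does not respond.
aaa authentication login VPN_XAUTH_ML group radius local
! Assumed RADIUS server; the shared secret is a placeholder.
radius-server host 10.1.1.20 key RADIUS_SHARED_SECRET_PLACEHOLDER
! Assumed local XAuth user; privilege 1 is sufficient for a VPN user.
username vpnuser1 privilege 1 secret VPN_USER_PASSWORD_PLACEHOLDER
!
! IKE phase 1 policy for the software clients (preshared keys plus XAuth).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! IPSec transform set applied to the client tunnels.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map: clients connect from unknown addresses, so no peer is set here.
crypto dynamic-map DYN_CLIENT_MAP 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
! Static map that ties XAuth and group authorization to the dynamic map.
crypto map CLIENT_MAP client authentication list VPN_XAUTH_ML
crypto map CLIENT_MAP isakmp authorization list VPN_GROUP_ML
! "Respond" mode configuration: the router waits for the client to request its policy.
crypto map CLIENT_MAP client configuration address respond
crypto map CLIENT_MAP 10 ipsec-isakmp dynamic DYN_CLIENT_MAP
!
! Apply the map on the interface chosen in the Interface and Authentication window.
interface FastEthernet0/0
 crypto map CLIENT_MAP
```

The crypto map needs both the client authentication list and the isakmp authorization list: with only the first, users are authenticated but no group policy is found to push. The 3DES, SHA-1 and Diffie-Hellman group 2 values match the era of this document; where the client software supports it, AES and a larger Diffie-Hellman group are the stronger choice for the IKE policy and transform set.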
User Accounts for XAuth
Add an account for a user you want to authenticate after IKE has authenticated the device.
User Accounts
The user accounts that XAuth will authenticate are listed in this box. The account name and privilege level are visible.
Add or Edit Buttons
Use these buttons to add and edit user accounts. User accounts can be deleted in the Additional Tasks > Router Access > User Accounts/View window.
Note Existing CLI view user accounts cannot be edited from this window. If you need to edit user accounts, go to Additional Tasks > Router Access > User Accounts/CLI View.
Add RADIUS Server
This window lets you add a new RADIUS server or edit or ping an already existing RADIUS server.
Add
Add a new RADIUS server.
Edit
Edit an already existing RADIUS server configuration.
Ping
Ping an already existing RADIUS server or newly configured RADIUS server.
Group Authorization: User Group Policies
This window allows you to add, edit, clone, or delete user group policies on the local database.
The list shows the group policies that are already configured.
Group Name
Name given to the user group.
Pool
Name of the IP address pool from which an IP address is assigned to a user connecting from this group.
DNS
Domain Name System (DNS) address of the group.
This DNS address is "pushed" to the users connecting to this group.
WINS
Windows Internet Naming Service (WINS) address of the group.
This WINS address is "pushed" to the users connecting to this group.
Domain Name
Domain name of the group.
This domain name is "pushed" to the users connecting to this group.
Split ACL
The access control list (ACL) that represents protected subnets for split tunneling purposes.
Idle Timer
Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources.
Click the Configure Idle Timer check box and enter a value for the maximum time that a VPN tunnel can remain idle before being disconnected. Enter hours in the left field, minutes in the middle field, and seconds in the right field. The minimum time allowed is 1 minute.
General Group Information
This window allows you to configure, edit, and clone group policies.
Please Enter a Name for This Group
Enter the group name in the field provided. If this group policy is being edited, this field is disabled. If you are cloning a group policy, you must enter a new value in this field.
Preshared Key
Enter the preshared key in the fields provided.
The Current key field cannot be changed.
Note You do not have to enter a preshared key if you are using digital certificates for group authentication. Digital certificates are also used for user authentication.
Pool Information
Specifies a local pool of IP addresses that are used to allocate IP addresses to clients.
Create a New Pool
Enter the range of IP addresses for the local IP address pool in the IP Address Range field.
Select from an Existing Pool
Choose the range of IP addresses from the existing pool of IP addresses.
Note This field cannot be edited if there are no predefined IP address pools.
Subnet Mask (Optional)
Enter a subnet mask to send with the IP addresses allocated to clients in this group.
Maximum Connections Allowed
Specify the maximum number of client connections to the Easy VPN Server from this group.
SDM supports a maximum of 5000 connections per group.
What Do You Want to Do?
DNS and WINS Configuration
This window allows you to specify the Domain Name Service (DNS) and Windows Internet Naming Service (WINS) information.
DNS
Enter the primary and secondary DNS server IP address in the fields provided. Entering a secondary DNS server address is optional.
WINS
Enter the primary and secondary WINS server IP address in the fields provided. Entering a secondary WINS server address is optional.
Domain Name
Specify the domain name that should be pushed to the Easy VPN client.
What Do You Want to Do?
Split Tunneling
This window allows you to enable split tunneling for the user group you are adding.
Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. For example, with split tunneling enabled, only traffic sourced from the client and destined for the protected subnets is sent through the VPN tunnel; the client's other traffic goes directly to the Internet unencrypted.
You can also specify which ACLs define the protected subnets for split tunneling.
Enable Split Tunneling
This box allows you to add protected subnets and ACLs for split tunneling.
Enter the Protected Subnets
Add or remove the subnets for which the packets are tunneled from the VPN clients.
Choose the Split Tunneling ACL
Choose the ACL to use for split tunneling.
Split DNS
Enter the Internet domain names that should be resolved by your network's DNS server. The following restrictions apply:
• A maximum of 10 entries is allowed.
• Entries must be separated with a comma.
• Do not use spaces anywhere in the list of entries.
• Duplicate entries or entries with invalid formats are not accepted.
Note This feature appears only if supported by your Cisco server's IOS release.
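The following is an added example, not SDM's own output and not from the Cisco documentation, showing how the group attributes from the Group Policies, DNS and WINS, and Split Tunneling windows map to one ISAKMP client configuration group on the router. The group name SALES, the pool VPN_POOL, the ACL number 101, the addresses, the domain names and the placeholder preshared key are all assumptions.

```cisco
! Address pool from which connecting clients in this group receive an address (assumed range).
ip local pool VPN_POOL 192.168.100.1 192.168.100.254
!
! Split-tunnel ACL. The SOURCE side of each entry is a protected central-site subnet:
! only client traffic to and from these networks is encrypted. Anything not matched
! here leaves the client in clear text, which is the exposure split tunneling creates,
! so the list should contain exactly the subnets that need the tunnel and nothing wider.
access-list 101 remark Protected subnets pushed to group SALES
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 permit ip 10.20.5.0 0.0.0.255 any
!
crypto isakmp client configuration group SALES
 ! Group preshared key (placeholder); omit when digital certificates are used.
 key GROUP_PRESHARED_KEY_PLACEHOLDER
 pool VPN_POOL
 ! Subnet mask sent with the allocated address (the optional Subnet Mask field).
 netmask 255.255.255.0
 ! Primary and secondary DNS, primary WINS, and the domain name pushed to clients.
 dns 10.10.1.53 10.10.2.53
 wins 10.10.1.60
 domain corp.example
 ! Protected subnets for split tunneling.
 acl 101
 ! Split DNS: only these domains are resolved through the pushed DNS servers;
 ! all other names are resolved by the client's local resolver.
 split-dns corp.example
 split-dns intranet.example
```

In the CLI each split-DNS domain is entered as its own split-dns command, one per line, up to the limit of 10 entries that the Split DNS field enforces; the comma-separated, space-free format described above applies to the SDM field, not to the router configuration.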
What Do You Want to Do?
Client Settings
This window allows you to configure additional attributes of the group security policy, such as adding or removing backup servers, Firewall Are-U-There, and Include Local LAN.
Note Some of the features described below appear only if supported by your Cisco server's IOS release.
Backup Servers
You can specify up to ten servers by IP address or hostname as backup for the Easy VPN server, and order the list to control which servers the router will attempt to connect to first if the primary connection to the Easy VPN server fails.
Add
Click to specify the name or the IP address of an Easy VPN server for the router to connect to when the primary connection fails, and then enter the address or hostname in the window displayed.
Delete
Click to delete a specified IP address or hostname.
Configuration Push
You can specify an Easy VPN client configuration file using a URL and version number. The Easy VPN Server sends the URL and version number to Easy VPN hardware clients requesting that information. Only Easy VPN hardware clients belonging to the group policy you are configuring can request the URL and version number you enter in this window.
Enter the URL of the configuration file in the URL field. The URL should begin with an appropriate protocol, and can include usernames and passwords. The following are URL examples for downloading an upgrade file called sdm.exe:
• http://username:password@www.cisco.com/go/vpn/sdm.exe
• https://username:password@www.cisco.com/go/vpn/sdm.exe
• ftp://username:password@www.cisco.com/go/vpn/sdm.exe
• tftp://username:password@www.cisco.com/go/vpn/sdm.exe
• scp://username:password@www.cisco.com/go/vpn/sdm.exe
• rcp://username:password@www.cisco.com/go/vpn/sdm.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:sdm.exe
• nvram:sdm.exe
• usbtoken[0-9]:sdm.exe
The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:sdm.exe.
• usbflash[0-9]:sdm.exe
The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:sdm.exe.
• disk[0-1]:sdm.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:sdm.exe.
• archive:sdm.exe
• tar:sdm.exe
• system:sdm.exe
In these examples, username is the site username and password is the site password.
Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.
Browser Proxy
You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information. Only Easy VPN software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this window.
Enter the name under which the browser proxy settings were saved, or choose one of the following from the drop-down menu:
• Choose an existing setting...
Opens a window with a list of existing browser proxy settings.
• Create a new setting and choose...
Opens a window where you can create new browser proxy settings.
• None
Clears any browser proxy settings assigned to the group.
Firewall Are-U-There
You can restrict VPN connections to clients running Black Ice or Zone Alarm personal firewalls.
Include Local LAN
You can allow a client whose connection does not use split tunneling to reach its local subnetwork at the same time as the VPN tunnel is up.
Perfect Forward Secrecy (PFS)
Enable PFS if it is required by the IPSec security association you are using.
What Do You Want to Do?
Choose Browser Proxy Settings
From the drop-down list, choose the browser proxy settings you want to associate with the group.
Note To add new settings, choose Add Browser Settings from the browser settings drop-down menu in the Client Settings window, or go to VPN Components > Easy VPN Server > Browser Proxy Settings and click Add. To delete settings, go to VPN Components > Easy VPN Server > Browser Proxy Settings and click Delete.
Add or Edit Browser Proxy Settings
This window allows you to add or edit browser proxy settings.
Browser Proxy Settings Name
If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings. If you are editing browser proxy settings, the name field is read-only.
Proxy Settings
Choose one of the following:
• No Proxy Server
You do not want clients in this group to use a proxy server when they use the VPN tunnel.
• Automatically Detect Settings
You want clients in this group to automatically detect a proxy server when they use the VPN tunnel.
• Manual Proxy Configuration
You want to manually configure a proxy server for clients in this group.
If you choose Manual Proxy Configuration, follow these steps to manually configure a proxy server:
Step 1 Enter the proxy server IP address in the Server IP Address field.
Step 2 Enter the port number that the proxy server uses for receiving proxy requests in the Port field.
Step 3 Enter a list of IP addresses for which you do not want clients to use the proxy server.
Separate the addresses with commas, and do not enter any spaces.
Step 4 If you want to prevent clients from using the proxy server for local (LAN) addresses, check the Bypass proxy server for local address check box.
Step 5 Click OK to save the browser proxy settings.
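The following is an added example, not produced by SDM and not from the Cisco documentation, of the router configuration that the Manual Proxy Configuration steps above correspond to, together with the command that associates the named settings with a group. The settings name CORP_PROXY, the proxy address 10.10.1.80:8080, the exception addresses and the group name SALES are assumptions.

```cisco
! Named browser proxy settings; the name is what the group policy refers to.
crypto isakmp client configuration browser-proxy CORP_PROXY
 ! Step 1 and Step 2: proxy server address and port (assumed values).
 proxy server 10.10.1.80:8080
 ! Step 3: addresses the client reaches directly, never through the proxy.
 ! Comma-separated, with no spaces, as in the SDM field.
 proxy exception-list 10.10.0.0/16,192.168.100.0/24
 ! Step 4: do not send local (LAN) addresses to the proxy.
 proxy bypass-local
!
! Attach the settings to a group; only software clients in this group that
! request the attribute receive it.
crypto isakmp client configuration group SALES
 browser-proxy CORP_PROXY
```

The proxy settings are pushed to the client's browser configuration, so the exception list should include every internal range the client must reach directly; an internal destination missing from the list is sent to the proxy instead.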
User Authentication (XAuth)
This window allows you to configure additional attributes for user authentication, such as Group Lock and Save Password.
XAuth Banner
Enter the text for a banner that is shown to users during XAuth requests.
Note This feature appears only if supported by your Cisco server's IOS release.
Maximum Logins Allowed Per User:
Specify the maximum number of connections a user can establish at a time. SDM supports a maximum of ten logins per user.
Group Lock
You can restrict a client to connect to the Easy VPN Server only from the specified user group.
Save Password
You can save extended authentication user name and password locally on the Easy VPN Client.
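The following is an added example, not SDM's own output and not from the Cisco documentation, showing how the Client Settings attributes (backup servers, Firewall Are-U-There, Include Local LAN, PFS, configuration push) and the XAuth attributes above (Group Lock, Save Password, Maximum Logins, XAuth Banner) appear in the group configuration on the router, together with the Access Restrict setting described in the Details window. The group name SALES, the backup server addresses, the configuration URL, the version number and the interface name are assumptions.

```cisco
crypto isakmp client configuration group SALES
 ! Backup servers pushed to the client, tried in this order when the primary fails.
 backup-gateway 203.0.113.10
 backup-gateway vpn2.example.net
 ! Accept the connection only if the client reports a running personal firewall.
 firewall are-u-there
 ! Let a client that is not using split tunneling keep reaching its own LAN.
 include-local-lan
 ! Require perfect forward secrecy for this group's IPSec security associations.
 pfs
 ! Configuration push for hardware clients: the file location and its version.
 ! The URL is stored in the running configuration, so a URL that embeds a
 ! username and password exposes those credentials to anyone who can read it.
 configuration url http://cfg.example.net/easyvpn/sdm.exe
 configuration version 3
 ! Maximum connections for the group and maximum simultaneous logins per user.
 max-users 100
 max-logins 2
 ! Group Lock: a user may connect only through this group.
 group-lock
 ! Save Password is deliberately not configured, so clients cannot keep
 ! XAuth credentials on the local disk.
 ! Access Restrict: this group may use only the connection on this interface.
 access-restrict FastEthernet0/0
 ! XAuth banner shown to the user during authentication.
 banner ^C Authorized users only. Sessions are monitored. ^C
```

Leaving save-password out is the more defensible default: a stored XAuth password turns the loss of a laptop into a loss of the VPN credential, and Group Lock together with max-logins limits how far a single compromised account can be reused.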
What Do You Want to Do?
Client Update
This window allows you to set up client software or firmware update notifications, and displays existing client update entries. Existing client update entries can be selected for editing or deletion.
Notifications are sent automatically to clients which connect to the server after a new or edited client update configuration is saved. Clients already connected require manual notification. To send a manual IKE notification of update availability, choose a group policy in the group policies window and click the Send Update button. Group clients meeting the client update criteria are sent the notification.
Note The client update window is available only if supported by your Cisco server's IOS release.
Client Type Column
Shows the type of client for which the revision is intended.
Revisions Column
Shows which revisions are available.
URL Column
Gives the location of the revisions.
Add Button
Click to configure a new client update entry.
Edit Button
Click to edit the specified client update entry.
Delete Button
Click to delete the specified client update entry.
Add or Edit Client Update Entry
This window allows you to configure a new client update entry.
Client Type
Enter a client type or choose one from the drop-down menu. Client type names are case sensitive.
For software clients, the client type is usually the operating system, for example, Windows. For hardware clients, the client type is usually the model number, for example, vpn3002.
If you are editing the client update entry, the client type is read-only.
URL
Enter the URL that leads to the latest software or firmware revision. The URL should begin with an appropriate protocol, and can include usernames and passwords.
The following are URL examples for downloading an upgrade file called vpnclient-4.6.exe:
• http://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• https://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• ftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• tftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• scp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• rcp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:vpnclient-4.6.exe
• nvram:vpnclient-4.6.exe
• usbtoken[0-9]:vpnclient-4.6.exe
The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:vpnclient-4.6.exe.
• usbflash[0-9]:vpnclient-4.6.exe
The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:vpnclient-4.6.exe.
• disk[0-1]:vpnclient-4.6.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:vpnclient-4.6.exe.
• archive:vpnclient-4.6.exe
• tar:vpnclient-4.6.exe
• system:vpnclient-4.6.exe
In these examples, username is the site username and password is the site password.
Revisions
Enter the revision number of the latest update. You can enter multiple revision numbers by separating them with commas, for example, 4.3,4.4,4.5. Do not use any spaces.
Summary
This window shows you the Easy VPN Server configuration that you have created, and it allows you to save the configuration. You can review the configuration in this window and click the Back button to change any items.
Clicking the Finish button writes the information to the router running configuration. If the tunnel has been configured to operate in Auto mode, the router also attempts to contact the VPN concentrator or server.
If you want to change the Easy VPN Server configuration at a later time, you can make the changes in the Add or Edit Easy VPN Server panel.
To save this configuration to the router running configuration and leave this wizard, click Finish. Changes will take effect immediately.
Test VPN Connectivity After Configuring
Click to test the VPN connection you have just configured. The results of the test appear in a separate window.
Browser Proxy Settings
This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups.
Name
The name of the browser proxy settings.
Settings
Displays one of the following:
• No Proxy Server
No proxy server can be used by clients when they connect through the VPN tunnel.
• Automatically Detect Settings
Clients attempt to automatically detect a proxy server.
• Manual Proxy Configuration
Settings are manually configured.
Server Details
Displays the proxy server IP address and port number used.
Bypass Local Addresses
If set, prevents clients from using the proxy server for local (LAN) addresses.
Exceptions List
A list of IP addresses for which you do not want clients to use the proxy server.
Add Button
Configure new browser proxy settings.
Edit Button
Edit the specified browser proxy settings.
Delete Button
Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.
Add or Edit Easy VPN Server
This window lets you view and manage Easy VPN server connections.
Add
Click Add to add a new Easy VPN Server.
Edit
Click Edit to edit an existing Easy VPN Server configuration.
Delete
Click Delete to delete a specified configuration.
Name Column
The name of the IPSec policy associated with this connection.
Interface Column
The name of the interface used for this connection.
Group Authorization Column
The name of the method list used for group policy lookup.
User Authentication Column
The name of the method list used for user authentication lookup.
Mode Configuration
Displays one of the following:
• Initiate
The router is configured to initiate connections with Easy VPN Remote clients.
• Respond
The router is configured to wait for requests from Easy VPN Remote clients before establishing connections.
Test VPN Server Button
Click to test the chosen VPN tunnel. The results of the test appear in a separate window.
Restrict Access Button
Click this button to restrict group access to the specified Easy VPN Server connection.
This button is enabled only if both of the following conditions are met:
• There is more than one Easy VPN Server connection using the local database for user authentication.
• There is at least one local group policy configured.
Add or Edit Easy VPN Server Connection
This window lets you add or edit an Easy VPN Server connection.
Choose an Interface
If you are adding a connection, choose the interface to use from this list. If you are editing the connection, this list is disabled.
Choose an IPSec Policy
If you are adding a connection, choose the IPSec policy to use from this list. If you are editing the connection, this list is disabled.
Method List for Group Policy Lookup
Choose the method list to use for group policy lookup from this list. Method lists are configured by clicking Additional Tasks on the SDM taskbar, and then clicking the AAA node.
Enable User Authentication
Check this checkbox if you want to require users to authenticate themselves.
Method List for User Authentication
Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional Tasks on the SDM taskbar, and then clicking the AAA node.
Mode Configuration
Check Initiate if you want the router to initiate connections with Easy VPN Remote clients.
Check Respond if you want the router to wait for requests from Easy VPN Remote clients before establishing connections.
Restrict Access
This window allows you to specify which group policies are allowed to use the Easy VPN connection.
Allow a group access to the Easy VPN Server connection by checking its check box. Deny a group access to the Easy VPN Server connection by unchecking its check box.
What Do You Want to Do?
Group Policies Configuration
This window lets you view, add, clone, and choose group policies for editing or deletion. Group policies are used to identify resources for Easy VPN Remote clients.
Common Pool Button
Click to designate an existing pool as a common pool for all group policies to use. If no local pools have been configured, this button is disabled. Pools can be configured by clicking Additional Tasks > Local Pools, or when you configure Easy VPN Server connections.
Add, Edit, Clone, and Delete Buttons
Use these buttons to manage group policies on the router. Clicking Clone displays the Group Policy edit tabs.
Send Update Button
Click to send an IKE notification of software or firmware updates to active clients of the chosen group. If this button is disabled, the chosen group does not have client update configured.
To set up client update notifications for the chosen group, click the Edit button and then click the Client Update tab.
Group Name Column
The name of the group policy.
Pool Column
The IP address pool used by the clients in this group.
DNS Column
The DNS servers used by the clients in this group.
WINS Column
The WINS servers used by the clients in this group.
Domain Name Column
The domain name used by the clients in this group.
ACL Column
If split tunneling is specified for this group, this column may contain the name of an ACL that defines which traffic is to be encrypted.
Details Window
The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router's IOS release, and apply only to the chosen group. The following feature settings may appear in the list:
• Authentication
Values indicate a preshared key if one was configured, or a digital certificate if a preshared key was not configured.
• Maximum Connections Allowed
Shows the maximum number of simultaneous connections allowed. SDM supports a maximum of 5000 simultaneous connections per group.
• Access Restrict
Shows the outside interface to which the specified group is restricted.
• Backup Servers
Shows the IP address of backup servers that have been configured.
• Firewall Are-U-There
Restricts connections to devices running Black Ice or Zone Alarm firewalls.
• Include Local LAN
Allows a connection not using split tunneling to access the local stub network at the same time as the client.
• PFS (perfect forward secrecy)
Indicates that PFS is required for the group's IPSec security associations.
• Configuration Push, URL, and Version
The server sends a configuration file from the specified URL and with the specified version number to a client.
• Group Lock
Clients are restricted to the group.
• Save Password
XAuth credentials can be saved on the client.
• Maximum Logins
The maximum number of connections a user can establish simultaneously. SDM supports a maximum of 10 simultaneous logins per user.
• XAuth Banner
The text message shown to clients during XAuth requests.
Local Pools
This window lists the IP address pools configured for Easy VPN group policies on the router.
Add, Edit, and Delete Buttons
Use these buttons to manage the local pools on the router.
Pool Name Column
The name of the IP address pool.
IP Address Range Column
The IP address range for the selected pool. A range of 2.2.2.0 to 2.2.2.254 provides 255 addresses.
Cache Size Column
The size of the cache for this pool.
Group Name Column
If a local pool is configured with the group option using the CLI, the name of the group is displayed in the group name column.
Note You cannot configure local pools with the group option using SDM.
Add or Edit IP Local Pool
This window lets you create or edit a local pool of IP addresses.
Pool Name
If you are creating a pool, enter the pool name. If you are editing a pool, this field is disabled.
IP Address Range
Enter or edit the IP address ranges for the pool in this area. A pool can contain more than one IP address range. Use the Add, Edit, and Delete buttons to create additional ranges, edit ranges, and delete IP address ranges.
Cache Size
Enter or edit the cache size for this pool in this field.
Add IP Address Range
This window lets you add an IP address range to an existing pool.
Start IP Address
Enter the lowest IP address in the range.
End IP Address
Enter the highest IP address in the range.
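The following is an added example, not SDM's own output and not from the Cisco documentation, of the local pool commands that correspond to the Local Pools windows above: a pool built from more than one IP address range, a pool with a cache size, and a pool using the group option that the note above says can be set only from the CLI. The pool names, ranges, cache size and group name are assumptions.

```cisco
! One pool made of two non-contiguous ranges: repeating the pool name adds a range
! to the existing pool rather than creating a second one.
ip local pool REMOTE_USERS 192.168.100.1 192.168.100.100
ip local pool REMOTE_USERS 192.168.100.150 192.168.100.200
!
! cache-size sets how many recently released addresses are held back before they
! can be handed out again, so a new client does not immediately inherit an address
! that another session just freed.
ip local pool CONTRACTORS 192.168.101.1 192.168.101.50 cache-size 10
!
! The group option (CLI only; it does not appear in SDM) ties the pool to a named
! group so its addresses are assigned only to that group's clients.
ip local pool VENDOR_POOL 192.168.102.1 192.168.102.20 group VENDORS
```

Pool ranges are inclusive at both ends, which is why the page's example range 2.2.2.0 to 2.2.2.254 yields 255 addresses; size each pool to the maximum number of simultaneous connections the group is allowed, since a client that cannot obtain an address fails to connect.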
Posted: Fri Oct 7 14:36:07 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.