VPN
Configuring IPsec Remote Access
Cisco ISA500 Series Integrated Security Appliances Administration Guide 359
• Client Internet Access: Check this box to automatically create advanced
NAT rules to allow remote VPN clients to access the Internet over the VPN
tunnels. If you uncheck this box, you can manually create advanced NAT
rules. See Allowing IPsec Remote VPN Clients to Access the Internet,
page 360.
• WAN Failover: Click On to enable WAN Failover, or click Off to disable it. If
you enable WAN Failover, traffic is automatically redirected to the secondary
link when the primary link is down.
NOTE: To enable WAN Failover for IPsec Remote Access, make sure that the
secondary WAN port is configured and that WAN redundancy is set to
Load Balancing or Failover mode.
NOTE: The security appliance automatically updates the local WAN
gateway for the VPN tunnel based on the configuration of the backup WAN
link. Dynamic DNS must be configured for this, because the IP
address changes on failover and remote VPN clients must use the
domain name of the IPsec VPN server to establish the VPN connections.
STEP 4 In the Zone Access Control tab, you can control access from the PC running the
Cisco VPN Client software or the private network of the Cisco VPN hardware
client to the zones over the VPN tunnels. Click Permit to permit access, or click
Deny to deny access.
NOTE: The VPN firewall rules that are automatically generated by the zone access
control settings are added to the list of firewall rules with a priority higher
than the default firewall rules, but lower than the custom firewall rules.
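The priority ordering in the note above, modelled as an added example (not code from the guide or from Cisco): it reports zone access control settings that a higher-priority custom rule overrides. It assumes first-match evaluation in priority order; the zone names and rules are constructed sample data.

```python
from dataclasses import dataclass

# Tier order from the NOTE: custom > VPN auto-generated > default.
TIER_ORDER = {"custom": 0, "vpn_auto": 1, "default": 2}

@dataclass(frozen=True)
class Rule:
    tier: str    # "custom", "vpn_auto" (from Zone Access Control) or "default"
    src: str     # source zone, "*" matches any zone
    dst: str     # destination zone, "*" matches any zone
    action: str  # "permit" or "deny"

def matches(rule, src, dst):
    return rule.src in ("*", src) and rule.dst in ("*", dst)

def effective_rule(rules, src, dst):
    """First matching rule after ordering by tier (assumption: first match wins)."""
    # sorted() is stable, so the order inside each tier is preserved.
    for rule in sorted(rules, key=lambda r: TIER_ORDER[r.tier]):
        if matches(rule, src, dst):
            return rule
    return None

def shadowed_zone_settings(rules):
    """Zone access control rules whose Permit/Deny is reversed by a custom rule."""
    findings = []
    for rule in rules:
        if rule.tier != "vpn_auto":
            continue
        winner = effective_rule(rules, rule.src, rule.dst)
        if winner is not rule and winner.tier == "custom" and winner.action != rule.action:
            findings.append((rule, winner))
    return findings

# Constructed sample rule set; zone names are hypothetical.
SAMPLE_RULES = [
    Rule("default", "*", "*", "deny"),
    Rule("default", "VPN", "DMZ", "permit"),
    Rule("vpn_auto", "VPN", "LAN", "permit"),  # Permit clicked in Zone Access Control
    Rule("vpn_auto", "VPN", "DMZ", "deny"),    # Deny clicked in Zone Access Control
    Rule("custom", "VPN", "LAN", "deny"),      # administrator's custom rule
]

if __name__ == "__main__":
    for src, dst in [("VPN", "LAN"), ("VPN", "DMZ"), ("VPN", "WAN")]:
        hit = effective_rule(SAMPLE_RULES, src, dst)
        print(f"{src} -> {dst}: {hit.action} ({hit.tier})")
    for auto, custom in shadowed_zone_settings(SAMPLE_RULES):
        print(f"Zone setting {auto.src}->{auto.dst} {auto.action} is overridden by a custom {custom.action} rule")
```

In the sample, the Permit chosen for VPN to LAN never takes effect because the custom Deny sits above it, while the Deny chosen for VPN to DMZ does override the default permit.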
STEP 5 In the Mode Configuration Settings tab, enter the following information:
• Primary DNS Server: Enter the IP address of the primary DNS server.
• Secondary DNS Server: Enter the IP address of the secondary DNS server.
• Primary WINS Server: Enter the IP address of the primary WINS server.
• Secondary WINS Server: Enter the IP address of the secondary WINS
server.
• Default Domain: Enter the default domain name that should be pushed to
remote VPN clients.
• Backup Server 1/2/3: Enter the IP address or hostname of each backup
server. You can specify up to three IPsec VPN servers as backups. When the
connection to the primary server fails, the VPN clients can attempt to
connect to the backup servers. Backup server 1 has the highest priority
and backup server 3 has the lowest priority.