cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
421
Views
0
Helpful
1
Replies
will
Beginner

ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation

I am working on a particular problem of assign multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in Cisco ASA configuration:

hostname(config)# tunnel-group testgroup type ipsec-ra

hostname(config)# tunnel-group testgroup general-attributes

hostname(config-general)# address-pool testpool

hostname(config)# tunnel-group testgroup ipsec-attributes

When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:

-        Use to different trustpoints: messy because each client has to be issues new certificates or

-        Somehow bind group1 to a different external ASA ip address: don’t know if I can configure multiple IP address to support different VPN’s on one ASA?

-        Explore “mutual group authentication”: the definition is confusing in itself however and I cannot even decide what it does and if it will work for this.

-        Any other ideas?

Thanks in advance for any ideas.

1 REPLY 1
gurdsing
Beginner

You can use tunnel-group-map ou to achieve this.

sh run all tunnel-group-map


no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

Look at this document:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Regards,

Guru.

Create
Recognize Your Peers
Content for Community-Ad