ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation

will
Level 3

I am working on a particular problem of assigning multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in Cisco ASA configuration:

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes

When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:

- Use two different trustpoints: messy because each client has to be issued new certificates, or

- Somehow bind group1 to a different external ASA IP address: I don't know if I can configure multiple IP addresses to support different VPNs on one ASA?

- Explore "mutual group authentication": the definition is confusing in itself, however, and I cannot even decide what it does or whether it will work for this.

- Any other ideas?

Thanks in advance for any ideas.

1 Reply

gurdsing
Level 1

You can use tunnel-group-map ou to achieve this.

sh run all tunnel-group-map

no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

Look at this document:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Regards,

Guru.
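The certificate-to-tunnel-group mapping Guru points at, worked through as an added example (not from the original thread or from Cisco's documentation): two OUs are matched by certificate map rules and steered to two tunnel groups, each bound to its own pool. The OU values (Sales, Engineering), pool names and address ranges are constructed placeholders; the default-group line is kept deliberately so that any certificate whose OU matches no rule lands in a tunnel group with no pool rather than in either segmented pool.

```cisco
! Two separate address pools, one per user population (constructed ranges)
ip local pool SALES-POOL 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool ENG-POOL   10.10.2.1-10.10.2.254 mask 255.255.255.0

! One remote-access tunnel group per pool; certificate auth, no group password needed
tunnel-group SALES-TG type remote-access
tunnel-group SALES-TG general-attributes
 address-pool SALES-POOL
tunnel-group ENG-TG type remote-access
tunnel-group ENG-TG general-attributes
 address-pool ENG-POOL

! Certificate maps: match the OU in the client certificate's subject
! Sequence numbers are evaluated lowest first; one rule per map is enough here
crypto ca certificate map SALES-MAP 10
 subject-name attr ou eq Sales
crypto ca certificate map ENG-MAP 10
 subject-name attr ou eq Engineering

! Bind each certificate map to its tunnel group and turn on rule-based mapping
! (the "enable ou" mode shown in the thread instead uses the OU string itself
!  as the tunnel-group name; rules give explicit, auditable control)
tunnel-group-map enable rules
tunnel-group-map SALES-MAP 10 SALES-TG
tunnel-group-map ENG-MAP 10 ENG-TG

! Catch-all: a certificate with an unrecognised OU must not fall into either pool.
! DefaultRAGroup is left without an address-pool so such sessions cannot get an address.
tunnel-group-map default-group DefaultRAGroup
```

Verify the mapping with "show run all tunnel-group-map" and, after a client connects, check which tunnel group and pool it received with "show vpn-sessiondb detail" so that an OU typo in a certificate shows up as a failed or default-group session rather than silently landing in the wrong segment.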