Query regarding VPN pools in ASA

Unanswered Question
Aug 9th, 2010

Hi halijenn / experts

I have a query regarding ASA Remote access VPN and want to know as to why ASA is facilitated to configure the IP pools one under tunnel-groups and one under group-policy. Is there any circumstance when one will override the other, or is it just an option that VPN pool can be declared under any of them?

ankurs2008 Tue, 08/10/2010 - 16:23

I am not sure if the reason mentioned by you answers my question; however, I am looking for an example as to where it is configured and also an explanation as to why Cisco has introduced this. Can someone please guide me on this?

b.julin Tue, 08/10/2010 - 17:45

The group policy can be selected by certificate attributes or by an authentication server.  The group policy can lock users into a specific tunnel group.  You can have more than one group policy lock users into the same tunnel group.

You use multiple group policies to change attributes based on the certificate/AAA.  If some value, like the pool, does not change for every group policy, you put it in the tunnel group as a default.  If you could not do this, you would have to separately enter the pool into each and every group policy.

Here's a simple example:


Note this is why you can have three different states for some booleans, e.g.

"re-xauth enable"

"re-xauth disable"

"no re-xauth enable/no re-xauth disable"

These are three different values.  The first two override the default, the third allows the default to set the value.
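An added illustration of the default-and-override arrangement described in the reply above; it is not b.julin's example or Cisco's own configuration. All pool, policy and tunnel-group names and the address ranges are constructed, and the rest of the remote-access setup (authentication, crypto) is assumed to exist already.

```cisco
! Constructed example: names and address ranges are placeholders.
ip local pool POOL-DEFAULT 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool POOL-ADMINS 10.10.20.1-10.10.20.62 mask 255.255.255.192
!
! Sets no pool of its own, so sessions landing on this policy
! take the pool configured on the tunnel group.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 group-lock value RA-VPN
!
! Sets its own pool, which takes effect instead of the tunnel-group default.
! Selected per user by certificate attributes or the authentication server.
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 group-lock value RA-VPN
 address-pools value POOL-ADMINS
!
! The tunnel group carries the pool that applies whenever the
! selected group policy does not specify one.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool POOL-DEFAULT
 default-group-policy GP-STAFF
```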

