Query regarding VPN pools in ASA

ankurs2008 · ‎08-09-2010

Hi halijenn / experts

I have a query regarding ASA Remote access VPN and want to know as to why ASA is facilitated to configure the IP pools one under tunnel-groups and one under group-policy.Is there any circumstance when one will override the other or is it just an option that VPN pool can be declared under any of them ?

Jitendriya Athavale · ‎08-10-2010

the pool in group-policy overrides the tunnel-group pool

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1182747

now i am not sure why the option is given in 2 places, probabaly if someone has multiple tunnel groups and wants to give ip's to all from a set of pools

ankurs2008 · ‎08-10-2010

Hi

I am not sure if the reason mentioned by you answers my question ; however i am looking for an example as to where it is configured and also an

explanation as to why cisco has introduced this . Can someone please guide me on this

b.julin · ‎08-10-2010

The group policy can be selected by certificate attributes or by an authentication server. The group policy can lock users into a specific tunnel group. You can have more than one group policy lock users into the same tunnel group.

You use multiple group policies to change attributes based on the certificate/AAA. If some value, like the pool, does not change for every group policy, you put it in the tunnel group as a default. If you could not do this, you would have to separately enter the pool into each and every group policy.

Here's a simple example:

https://supportforums.cisco.com/docs/DOC-1746

Note this is why you can have three different states for some booleans, e.g.

"re-xauth enable"

"re-xauth disable"

"no re-xauth enable/no re-xauth disable"

These are three different values. The first two override the default, the third allows the default to set the value.