So I have the need to provide two different SSL VPN environments for two different customers on the same ASA 5510 appliance. Can I create two group policies, each with a unique group URL specified, and then assign an SSL cert matching the group URL? From an IP perspective, they would both be hitting the same outside IP address.
Group URL: https://remote.customera.com
ssl cert: remote.customera.com
Group URL: https://remote.customerb.com
ssl cert: remote.customerb.com
Regarding your request let me break it up into 2 parts:
1. Can you use 2 separate URLs on the same ASA for two separate connection profiles?
2. Can you use 2 separate certificates to validate the two URLs?
Regarding your first query, yes, this can be done. You will have to create 2 separate group-policies and 2 connection profiles, aka tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group-policy. Your configuration might look something like this:
ASA(config)# group-policy customerA internal
ASA(config)# group-policy customerA attributes
ASA(config-group-policy)# (configure the respective attributes)
ASA(config)# tunnel-group customerA type remote-access
ASA(config)# tunnel-group customerA general-attributes
ASA(config-tunnel-general)# default-group-policy customerA
ASA(config)# tunnel-group customerA webvpn-attributes
ASA(config-tunnel-webvpn)# group-url https://remote.customera.com enable
Repeat the above steps and replace "customerA" with "customerB".
Regarding your second question, you can only configure one trustpoint to be used with one interface. So you need to do either one of the following:
1. Get a UCC (Unified Client Certificate) for your ASA:
Obtain one UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. So you need a UCC certificate with the CN for the master FQDN or IP, and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP, and so on. Several PKI/certificate vendors support UCC: godaddy.com, entrust.com, verisign, etc.
Note: the ASA cannot generate a Certificate Signing Request (CSR) with multiple SANs (CSCso70867 is the enhancement asking for this capability), so you have to have the PKI vendor submit the enrollment for you.
On the ASA configure one trustpoint '' and install/import the UCC certificate in this trustpoint. Bind this trustpoint to the outside interface.
2. OR get a wildcard certificate. Wildcard certificates are discouraged in favor of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:
- UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly which hosts and domains are to be protected
- UCC is more flexible than wildcard certificates since Entrust UC Certificates aren't limited to a single domain
Hope this helps.
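The answer above notes that the ASA itself cannot produce a multi-SAN CSR, so the request has to be built off-box. The following script is an added example, not from the original thread or from Cisco: it generates a key and a CSR carrying both customer hostnames from the question as SANs with OpenSSL, then checks that every group-url host is actually covered by the SAN list before the CSR goes to the CA. The working directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread): build an off-box CSR whose
# SAN list covers every group-url hostname, and verify that coverage.
# Hostnames are the ones from the question; WORKDIR and file names are assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal OpenSSL request config: CN plus a subjectAltName extension
# listing each hostname the ASA's outside interface must answer for.
write_san_config() {
  cat > "$WORKDIR/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = remote.customera.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = remote.customera.com
DNS.2 = remote.customerb.com
EOF
}

# Generate an RSA key and a CSR using the SAN config above.
# The key never leaves this host; only the CSR is sent to the CA.
make_csr() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/asa.key" -out "$WORKDIR/asa.csr" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Print the DNS names found in the CSR's Subject Alternative Name, one per line.
csr_san_names() {
  openssl req -in "$WORKDIR/asa.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 only if every hostname given as an argument appears in the SAN list.
# Run this with each configured group-url host before submitting the CSR.
csr_covers_hosts() {
  names=$(csr_san_names)
  for host in "$@"; do
    echo "$names" | grep -qx "$host" || return 1
  done
  return 0
}

make_csr
if csr_covers_hosts remote.customera.com remote.customerb.com; then
  echo "CSR in $WORKDIR covers both group-url hosts"
fi
```

Once the CA returns the signed certificate, the key and certificate are bundled into a PKCS#12 file and imported into the single trustpoint the answer describes (crypto ca import with the pkcs12 keyword), which is then bound to the outside interface with ssl trust-point; the script only covers the request side. A host missing from the SAN list will fail browser validation for that group-url even though the tunnel-group itself is configured correctly, which is why the coverage check is run before enrollment rather than after.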