3787 Views | 5 Helpful | 3 Replies

ASA and Group URL

cdickerson
Level 1

So I have the need to provide two different SSL VPN environments for two different customers on the same ASA 5510 appliance. Can I create two group policies, each with a unique group URL specified, and then assign an SSL cert matching the group URL? From an IP perspective, they would both be hitting the same outside IP address.

Ex:

Group_policy: customerA

     Group URL: https://remote.customera.com

     ssl cert: remote.customera.com

Group_policy: customerB

     Group URL: https://remote.customerb.com

     ssl cert: remote.customerb.com

thanks!

-Craig

Accepted Solution

Atri Basu
Cisco Employee

Hey Craig,

Regarding your request let me break it up into 2 parts:

1. Can you use 2 separate URLs on the same ASA for two separate connection profiles?

2. Can you use 2 separate certificates to validate the two URLs?

Regarding your first query, yes, this can be done. You will have to create 2 separate group-policies and 2 connection profiles, aka tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group-policy. Your configuration might look something like this:

ASA(config)# group-policy customerA internal
ASA(config)# group-policy customerA attributes
! ... (configure the respective attributes for this group-policy)

ASA(config)# tunnel-group customerA type remote-access
ASA(config)# tunnel-group customerA general-attributes
ASA(config-tunnel-general)# default-group-policy customerA

ASA(config)# tunnel-group customerA webvpn-attributes
ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com enable

Repeat the above steps and replace "customerA" with "customerB".

Regarding your second question, you can only configure one trustpoint to be used with one interface. So you need to do either one of the following:

1. Get a UCC (Unified Client Certificate) for your ASA:

Obtain one UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. So you need a UCC certificate with the CN for the master FQDN or IP, and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP, and so on. Several PKI/certificate vendors support UCC: godaddy.com, entrust.com, verisign, etc.

Note: the ASA cannot generate a Certificate Signing Request (CSR) with multiple SANs (CSCso70867 is the enhancement asking for this capability), so you have to have the PKI vendor submit the enrollment for you.

On the ASA configure one trustpoint '' and install/import the UCC certificate in this trustpoint. Bind this trustpoint to the outside interface.

2. OR get a wildcard certificate. Wildcard certificates are discouraged in favor of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:

  1. UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly which hosts and domains are to be protected
  2. UCC is more flexible than wildcard certificates since Entrust UC Certificates aren't limited to a single domain

Hope this helps.


Regards,

Atri


3 Replies

Thanks for the great detailed answer. I understand everything but get confused on the group-url command. In your example you had group-url https://ASA1/remote.customera.com; I don't understand the ASA1 portion of the URL. Same goes for the SAN portion of the UCC cert. Wouldn't the SANs be remote.customera.com and remote.customerb.com? I only have one ASA. So the ASA1 and ASA2 stuff I am not understanding.

Thanks again

-Craig

Hey Craig,

When I normally create different URLs I create a portion of them that is the same, e.g.

for tunnel group 1 I would create group-url https://asa/tg1

and for tunnel group 2 I would create group-url https://asa/tg2.

This way, if you want to use the wildcard certificate, then https://asa/* would be what you would use as the CN. However, this is not at all necessary. You can use a UCC with multiple SANs.

In your case you are right: you can use "https://remote.customera.com" and "https://remote.customerb.com".

Sorry for the confusion.


Regards,

Atri.
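To make the certificate side of this thread concrete, here is an added Python example (not from the original thread and not Cisco's code) that models what the VPN client does when it validates the server certificate against the hostname in a group-url: it extracts the hostname (the path portion such as /tg1 plays no part in certificate matching), then checks it against the certificate's dNSName SAN entries with the usual RFC 6125 wildcard rules (a wildcard is only honoured as the whole leftmost label and matches exactly one label). The SAN lists and URLs are constructed sample values. It shows why a UCC that lists remote.customera.com and remote.customerb.com explicitly covers both of Craig's group-urls on one outside interface, while a single wildcard covers only hosts inside one domain.

```python
from urllib.parse import urlsplit

# Constructed sample data (not taken from any real certificate):
# a UCC with two explicit dNSName SAN entries, and a wildcard certificate.
UCC_SANS = ["remote.customera.com", "remote.customerb.com"]
WILDCARD_SANS = ["*.customera.com"]

# Constructed group-urls mirroring the thread's two tunnel groups.
GROUP_URLS = ["https://remote.customera.com", "https://remote.customerb.com"]


def _san_matches(pattern: str, name: str) -> bool:
    """Match one dNSName SAN pattern against a hostname.

    Rules applied (RFC 6125 style, as common TLS clients do):
      - comparison is case-insensitive, trailing dots ignored;
      - a wildcard is accepted only as the entire leftmost label ("*.example.com");
      - the wildcard matches exactly one label, never "a.b.example.com";
      - wildcards that would cover a whole TLD ("*.com") are refused.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name          # plain SAN entry: exact match only
    suffix = pattern[1:]                # "*.customera.com" -> ".customera.com"
    if suffix.count(".") < 2:           # "*.com" would be too broad
        return False
    if not name.endswith(suffix):
        return False
    leftmost = name[: -len(suffix)]     # the part the "*" has to stand in for
    return bool(leftmost) and "." not in leftmost


def host_of(group_url: str) -> str:
    """Hostname the TLS client validates; the group-url path (e.g. /tg1) is ignored."""
    return urlsplit(group_url).hostname or ""


def cert_covers(san_entries, group_url: str) -> bool:
    """True if any SAN entry on the certificate is valid for the group-url's host."""
    host = host_of(group_url)
    return any(_san_matches(pattern, host) for pattern in san_entries)


def coverage_report(san_entries, group_urls):
    """Map each group-url to whether the certificate bound to the interface covers it."""
    return {url: cert_covers(san_entries, url) for url in group_urls}


if __name__ == "__main__":
    for label, sans in (("UCC", UCC_SANS), ("wildcard", WILDCARD_SANS)):
        print(label, coverage_report(sans, GROUP_URLS))
```

Run with the constructed data, the UCC covers both group-urls and the `*.customera.com` wildcard covers only the first, which is the practical reason the accepted answer steers towards a UCC when the two customer hostnames live in different domains: the ASA binds one trustpoint to the outside interface, so that one certificate has to list every hostname a group-url uses.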
