You can also use RADIUS; I believe in Server 2008 it's called Network Policy Server. You can have it answer back not only a yes or no, but the AD group as well. Let's say you wanted policies for 3 groups
Each of these would have a RADIUS policy, and if someone was a member of marketing, NPS/IAS (if Server 2003) would answer back with the group name, which would correspond with the group policy name in the 3005 (they don't necessarily have to match, if you want marketing to be in a group on the 3005 called limited, etc.). I do remember this was a tad tricky to configure on the 3005, but I had it working a while ago just like this, and was able to use one IPsec group but different policies based on the RADIUS response. I defined the policy groups (IP assignments, allowed subnets, etc.) on the 3005.
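
An added example, not part of the post above and not Cisco or Microsoft code: how a RADIUS client can authenticate an Access-Accept and map the returned group name to a local policy group. It assumes the group name arrives in the RADIUS Class attribute (25) as `OU=<name>;` (the post does not say which attribute carries it); the mapping table, shared secret and sample packet are constructed.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, CLASS_ATTR = 2, 25          # RFC 2865 code and attribute numbers
# Hypothetical mapping: group name returned by NPS -> policy group on the 3005
GROUP_MAP = {"marketing": "limited", "engineering": "engineering", "sales": "sales"}

def response_auth(code, ident, body, request_auth, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def build_accept(ident, attrs, request_auth, secret):
    """Build a constructed Access-Accept for the sample below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    auth = response_auth(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + auth + body

def policy_group(packet, request_auth, secret):
    """Return the mapped policy group, or None if the reply cannot be trusted."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    body = packet[20:]
    expected = response_auth(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                          # forged reply or wrong shared secret
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                      # malformed attribute: fail closed
        value = body[pos + 2:pos + alen]
        if atype == CLASS_ATTR and value[:3].upper() == b"OU=":
            name = value[3:].rstrip(b";").decode("ascii", "replace").lower()
            return GROUP_MAP.get(name)       # unmapped group -> None, no default policy
        pos += alen
    return None

# Constructed sample values (not taken from any real deployment)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, [(CLASS_ATTR, b"OU=Marketing;")], REQ_AUTH, SECRET)

if __name__ == "__main__":
    print(policy_group(SAMPLE, REQ_AUTH, SECRET))
```

Returning None for an unmapped or unauthenticated reply keeps a user from silently landing in a broader policy group than intended.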