Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA and Group URL

So I have the need to provide two different SSL VPN environments for two different customers on the same ASA 5510 appliance.  Can I create two Group policies, each with a unique group url specified and then assign a ssl cert matching the group url?  From an IP perspective, they would both be hitting the same outside IP address.

Ex:

Group_policy: customerA

     Group URL: https://remote.customera.com

     ssl cert: remote.customera.com

Group_policy: customerB

     Group URL: https://remote.customerb.com

     ssl cert: remote.customerb.com

thanks!

-Craig

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA and Group URL

Hey Craig,

Regarding your request let me break it up into 2 parts:

1. Can you use 2 seperate urls on the same ASA for two separate connection profiles

2. Can you use 2 seperate certificates to validate the two urls

Regarding your first query, yes this can be done. You will have to create 2 separate group-policies and  2 conenction profiles aka Tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group-policy. Your configuration might look something like this:

ASA(config)# group-policy customerA internal 
ASA(config)# group-policy customerA attributes 

.

.

.

(configure the respective attribute)

ASA(config)# Tunnel-group customerA type remote-access
ASA(config)# Tunnel-group customerA general-attributes
ASA(config-tunnel-general)# default-group-policy customerA

ASA(config)# tunnel-group customerA webvpn-attributes

ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com

Repeat the above steps and replace "customerA" with "customerB"

Regarding your second question, you can only configure one trustpoint to be used with one interface. So you need to do either one of the following:

1. get a UCC( Unified Client Certificate) for your ASA:

Obtain One UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. So you need a UCC certificate with the CN for master FQDN or IP, and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN FQDN or IP, and so on. Several PKI/Certificate vendors support UCC:godaddy.com, entrust.com, verisign,etc.

Note: the ASA cannot generate a Certificate Signing Request (CSR) with multiple SANS (CSCso70867 is the enhancement asking for this capability ), so you have to have the PKI vendor submit the enrollment for you.

On ASA configure one trustpoint '' and Install/Import the UCC certifcate in this trustpoint. Bind this trustpoint to the outside interface.

2. OR get a wildcard certificate. Wilcard certificates are discouraged in favor of UUC certs. According to one vendor, Entrust,  these are 2 main reasons:

  1. UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly which hosts and domains are to be protected
  2. UCC is more flexible than wildcard certificates since Entrust UC Certificates aren't limited to a single domain

Hope this helps.


Regards,

Atri

3 REPLIES
Cisco Employee

Re: ASA and Group URL

Hey Craig,

Regarding your request let me break it up into 2 parts:

1. Can you use 2 seperate urls on the same ASA for two separate connection profiles

2. Can you use 2 seperate certificates to validate the two urls

Regarding your first query, yes this can be done. You will have to create 2 separate group-policies and  2 conenction profiles aka Tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group-policy. Your configuration might look something like this:

ASA(config)# group-policy customerA internal 
ASA(config)# group-policy customerA attributes 

.

.

.

(configure the respective attribute)

ASA(config)# Tunnel-group customerA type remote-access
ASA(config)# Tunnel-group customerA general-attributes
ASA(config-tunnel-general)# default-group-policy customerA

ASA(config)# tunnel-group customerA webvpn-attributes

ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com

Repeat the above steps and replace "customerA" with "customerB"

Regarding your second question, you can only configure one trustpoint to be used with one interface. So you need to do either one of the following:

1. get a UCC( Unified Client Certificate) for your ASA:

Obtain One UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. So you need a UCC certificate with the CN for master FQDN or IP, and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN FQDN or IP, and so on. Several PKI/Certificate vendors support UCC:godaddy.com, entrust.com, verisign,etc.

Note: the ASA cannot generate a Certificate Signing Request (CSR) with multiple SANS (CSCso70867 is the enhancement asking for this capability ), so you have to have the PKI vendor submit the enrollment for you.

On ASA configure one trustpoint '' and Install/Import the UCC certifcate in this trustpoint. Bind this trustpoint to the outside interface.

2. OR get a wildcard certificate. Wilcard certificates are discouraged in favor of UUC certs. According to one vendor, Entrust,  these are 2 main reasons:

  1. UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly which hosts and domains are to be protected
  2. UCC is more flexible than wildcard certificates since Entrust UC Certificates aren't limited to a single domain

Hope this helps.


Regards,

Atri

New Member

Re: ASA and Group URL

Thanks for the great detailed answer. I understand everything but get confused on the group-url command.  In your example you had group-url https://ASA1/remote.customera.com, I don't understand the ASA1 portion of the url.  Same goes for the SAN portion of the UCC cert.  Wouldn't the SAN's be remote.customera.com and remote.customerb.com?  I only have one ASA.  So the ASA1 and ASA2 stuff I am not understanding.

Thanks again

-Craig

Cisco Employee

Re: ASA and Group URL

Hey Craig,

When I normally create different urls I normally create a portion of it that is the same, e.g

for tunnel group 1 i would create group-url https://asa/tg1

and for tunnel group 2 I would create group-url https://asa/tg2.

This way if you want to use the wildcard certifcate then https://asa/* would be what you would use as the CN. However this is not at all necessary. You can use a UCC with multiple SANs.

In your case you are right you can use "https://remote.customera.com" and https://remote.customerb.com.

Sorry for the confusion.


Regards,

Atri.

910
Views
5
Helpful
3
Replies
CreatePlease to create content