ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation

will
Level 3

I am working on a particular problem of assigning multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in Cisco ASA configuration:

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes

When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:

- Use two different trustpoints: messy because each client has to be issued new certificates, or
- Somehow bind group1 to a different external ASA IP address: don’t know if I can configure multiple IP addresses to support different VPNs on one ASA?
- Explore “mutual group authentication”: the definition is confusing in itself however and I cannot even decide what it does and if it will work for this.
- Any other ideas?

Thanks in advance for any ideas.

1 Reply

gurdsing
Level 1

You can use tunnel-group-map ou to achieve this.

sh run all tunnel-group-map

no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

Look at this document:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Regards,

Guru.
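The following is an added configuration example, not taken from the thread or from Cisco's documentation, showing how the tunnel-group-map approach from the reply answers the original question: two tunnel-groups, each with its own address pool, selected by the OU attribute in the client's certificate. All names (pool names, tunnel-group names, certificate-map names, the trustpoint MY_CA_TP, and the OU values group1/group2) are assumed for illustration, and the address ranges are constructed.

```text
! Added example (assumed names and constructed addresses): one IP pool per user group
ip local pool POOL_GROUP1 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL_GROUP2 10.10.2.1-10.10.2.254 mask 255.255.255.0

! Two remote-access tunnel-groups, both authenticating with the same trustpoint,
! so no second CA or re-issued client certificates are needed
tunnel-group GROUP1 type ipsec-ra
tunnel-group GROUP1 general-attributes
 address-pool POOL_GROUP1
tunnel-group GROUP1 ipsec-attributes
 trust-point MY_CA_TP

tunnel-group GROUP2 type ipsec-ra
tunnel-group GROUP2 general-attributes
 address-pool POOL_GROUP2
tunnel-group GROUP2 ipsec-attributes
 trust-point MY_CA_TP

! Certificate maps: match the OU attribute of the client certificate's subject name
crypto ca certificate map CERTMAP_GROUP1 10
 subject-name attr ou eq group1
crypto ca certificate map CERTMAP_GROUP2 10
 subject-name attr ou eq group2

! Turn on rule-based mapping and tie each certificate map to its tunnel-group;
! a certificate matching neither rule falls through to the default group
tunnel-group-map enable rules
tunnel-group-map CERTMAP_GROUP1 10 GROUP1
tunnel-group-map CERTMAP_GROUP2 10 GROUP2
tunnel-group-map default-group DefaultRAGroup
```

Two notes on the design. First, the `tunnel-group-map enable ou` line visible in the reply's `sh run all` output is a simpler variant: the ASA takes the certificate's OU value literally as the tunnel-group name, so naming the tunnel-groups after the OU values (and skipping the certificate maps) also works, but the explicit rules above let you map several OUs to one group or match on other subject fields. Second, whichever variant is used, pool assignment is only as trustworthy as the OU field, so the issuing CA behind MY_CA_TP must be the only party able to set that attribute, and it is worth confirming on a test client with `show vpn-sessiondb` (or the 8.2 equivalent, `show vpn-sessiondb remote`) that the session landed in the intended tunnel-group and received an address from the expected pool.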
