ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation
I am working on a particular problem of assigning multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in Cisco ASA configuration:
hostname(config)# tunnel-group testgroup type ipsec-ra
When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:
- Use two different trustpoints: messy because each client has to be issued new certificates, or
- Somehow bind group1 to a different external ASA IP address: don’t know if I can configure multiple IP addresses to support different VPNs on one ASA?
- Explore “mutual group authentication”: the definition is confusing in itself, however, and I cannot even decide what it does and if it will work for this.
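As an added illustration (not part of the original post, and not a configuration the poster has shown), the following ASA CLI fragment shows the pool-to-tunnel-group binding the post refers to, extended with certificate maps so that certificate-authenticated clients can still be steered into a named tunnel-group. Pool names, tunnel-group names, address ranges and the OU values are all constructed placeholders; it assumes an ASA release that supports `crypto ca certificate map` and `tunnel-group-map`, and that the client certificates carry a distinguishing subject attribute (here OU).

```text
! Two address pools (constructed example ranges)
ip local pool POOL-GROUP1 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-GROUP2 10.10.2.1-10.10.2.254 mask 255.255.255.0

! One tunnel-group per user population, each bound to its own pool
tunnel-group TG-GROUP1 type ipsec-ra
tunnel-group TG-GROUP1 general-attributes
 address-pool POOL-GROUP1
tunnel-group TG-GROUP2 type ipsec-ra
tunnel-group TG-GROUP2 general-attributes
 address-pool POOL-GROUP2

! Certificate maps: match a subject-name attribute in the client certificate
! (the OU values "group1" / "group2" are constructed for this example)
crypto ca certificate map MAP-GROUP1 10
 subject-name attr ou eq group1
crypto ca certificate map MAP-GROUP2 10
 subject-name attr ou eq group2

! Select the tunnel-group from the matching certificate map instead of a client-chosen group name
tunnel-group-map enable rules
tunnel-group-map MAP-GROUP1 10 TG-GROUP1
tunnel-group-map MAP-GROUP2 10 TG-GROUP2
```

With this in place the tunnel-group, and therefore the address pool, is chosen by the attributes of the presented certificate rather than by a group name the client supplies, so a user cannot pick the other population's pool simply by choosing a different group. After connecting, `show vpn-sessiondb` lists the assigned address and tunnel-group per session, which is the quickest way to confirm that each certificate population lands in the intended pool.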