
ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation

I am working on a particular problem of assigning multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in Cisco ASA configuration:

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes

When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:

- Use two different trustpoints: messy because each client has to be issued new certificates, or

- Somehow bind group1 to a different external ASA IP address: I don't know if I can configure multiple IP addresses to support different VPNs on one ASA?

- Explore "mutual group authentication": the definition is confusing in itself, however, and I cannot even decide what it does and if it will work for this.

- Any other ideas?

Thanks in advance for any ideas.


Re: ASA RAVPN: Single Certificate Auth -> 2 IP address pools seg

You can use tunnel-group-map ou to achieve this.

show running-config all tunnel-group-map

no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

Look at this document:
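As an added example (not from either poster), here is what a complete configuration using the OU method suggested above could look like. Everything below is assumed for illustration: the trustpoint name MY_CA_TP, the OU values Sales and Engineering, the pool, group-policy and tunnel-group names, and the private address ranges. With `tunnel-group-map enable ou`, the ASA takes the OU attribute of the client certificate's subject and uses it, verbatim, as the tunnel-group name, so each tunnel group must be named exactly as the OU the CA puts into that population's certificates.

```text
! --- Added example configuration; names, OUs and addresses are assumptions ---
! One address pool per user population
ip local pool SALES_POOL 10.10.1.10-10.10.1.250 mask 255.255.255.0
ip local pool ENG_POOL 10.10.2.10-10.10.2.250 mask 255.255.255.0

! One group policy per population (the place to put split-tunnel ACLs, DNS, etc.)
group-policy SALES_GP internal
group-policy ENG_GP internal

! Tunnel group named exactly like the certificate OU "Sales"
tunnel-group Sales type ipsec-ra
tunnel-group Sales general-attributes
 address-pool SALES_POOL
 default-group-policy SALES_GP
tunnel-group Sales ipsec-attributes
 trust-point MY_CA_TP

! Tunnel group named exactly like the certificate OU "Engineering"
tunnel-group Engineering type ipsec-ra
tunnel-group Engineering general-attributes
 address-pool ENG_POOL
 default-group-policy ENG_GP
tunnel-group Engineering ipsec-attributes
 trust-point MY_CA_TP

! Select the tunnel group from the OU in the client certificate's subject.
! A certificate whose OU matches no tunnel group falls back to the default group.
tunnel-group-map enable ou
tunnel-group-map default-group DefaultRAGroup
```

Two practical caveats worth checking before relying on this for segmentation. First, the selection is only as trustworthy as the CA's issuance policy: any certificate the trustpoint accepts with OU=Engineering lands in ENG_POOL, so the CA (or its templates) must control who can obtain a given OU. Second, make sure the fallback DefaultRAGroup does not hand out addresses from either pool, otherwise a certificate with an unexpected OU silently ends up in one of the segments; verify with `show running-config all tunnel-group-map` and with `show vpn-sessiondb remote` after a test connection from each population.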