Cisco Support Community
New Member

Query regarding VPN pools in ASA

Hi halijenn / experts

I have a query regarding ASA Remote access VPN and want to know as to why ASA is facilitated to configure the IP pools one under tunnel-groups and one under group-policy. Is there any circumstance when one will override the other, or is it just an option that VPN pool can be declared under any of them?

Cisco Employee

Re: Query regarding VPN pools in ASA

The pool in group-policy overrides the tunnel-group pool.

Now I am not sure why the option is given in 2 places, probably if someone has multiple tunnel groups and wants to give IPs to all from a set of pools.

New Member

Re: Query regarding VPN pools in ASA


I am not sure if the reason mentioned by you answers my question; however, I am looking for an example as to where it is configured and also an explanation as to why Cisco has introduced this. Can someone please guide me on this?

New Member

Re: Query regarding VPN pools in ASA

The group policy can be selected by certificate attributes or by an authentication server.  The group policy can lock users into a specific tunnel group.  You can have more than one group policy lock users into the same tunnel group.

You use multiple group policies to change attributes based on the certificate/AAA.  If some value, like the pool, does not change for every group policy, you put it in the tunnel group as a default.  If you could not do this, you would have to separately enter the pool into each and every group policy.

Here's a simple example:

Note this is why you can have three different states for some booleans, e.g.

"re-xauth enable"

"re-xauth disable"

"no re-xauth enable/no re-xauth disable"

These are three different values.  The first two override the default, the third allows the default to set the value.
