Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Mapping Certificates to IPsec or SSL VPN Connection Profiles

69-78

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

Mapping Certificates to IPsec or SSL VPN Connection Profiles

–

Client Address Pools—Specifies up to 6 predefined address pools. To define an address pool,

go to Configuration > Remote Access VPN > Network Client Access > Address Assignment >

Address Pools.

–

Select—Opens the Select Address Pools dialog box.

•Default Group Policy—Specifies attributes relevant to the default group policy.

–

Group Policy—Selects the default group policy to use for this connection. The default is

DfltGrpPolicy.

–

Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or

delete group policies.

–

Client Protocols—Selects the protocol or protocols to use for this connection. By default, both

IPsec and L2TP over IPsec are selected.

Modes

The following table shows the modes in which this feature is available:

Mapping Certificates to IPsec or SSL VPN Connection Profiles

When the ASA receives an IPsec connection request with client certificate authentication, it assigns a

connection profile to the connection according to policies you configure. That policy can be to use rules

you configure, use the certificate OU field, use the IKE identity (i.e. hostname, IP address, key ID), the

peer IP address, or a default connection profile. For SSL connections, the ASA only uses the rules you

configure.

For IPsec or SSL connections using rules, the ASA evaluates the attributes of the certificate against the

rules until it finds a match. When it finds a match, it assigns the connection profile associated with the

matched rule to the connection. If it fails to find a match, it assigns the default connection profile

(DefaultRAGroup for IPsec and DefaultWEBVPNGroup for SSL VPN) to the connection and lets the

user choose the connection profile from a drop-down menu displayed on the portal page (if it is enabled).

The outcome of the connection attempt once in this connection profile depends on whether or not the

certificate is valid and the authentication settings of the connection profile.

A certificate group matching policy defines the method to use for identifying the permission groups of

certificate users. You can use any or all of these methods.

First configure the policy for matching a certificate to a connection profile at Configuration > Remote

Access VPN > Network (Client) Access > Advanced > IPsec > Certificate to Connection Profile Maps.

If you choose to use rules you configure, go to Rules to specify the rules. The following procedures

shows how you create the certificate-based criteria for each IPsec and SSL VPN connection profile:

Step1 Use the table at the top (Certificate to Connection Profile Maps) to do one of the following:

•Create a list name, called a “map,” specify the priority of the list, and assign the list to a connection

profile.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Mapping Certificates to IPsec or SSL VPN Connection Profiles

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505