User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with IPSec VPN Policies
This section contains the following topics:
Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33
Configuring Certificate to Connection Profile Map Policies (ASA)
Certificate to connection profile map policies are used for enhanced certificate authentication on ASA devices in remote access IKEv1 IPSec VPNs. They are not used in remote access IKEv2 IPSec or SSL VPNs.

Certificate to connection profile map policies let you define rules to match a user’s certificate to a permission group based on specified fields. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group. You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods.

To match user permission groups based on DN fields of the certificate, you define rules that specify the fields to match for a group and then enable each rule for that selected group. A connection profile must already exist in the configuration before you can create a rule for it.

This procedure describes how to configure a Certificate to Connection Profile Map policy for a remote client trying to connect to an ASA server device.
Step 1 Do one of the following:
(Device View) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy selector.
(Policy View) Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy Type selector. Select an existing policy or create a new one.
The Certificate to Connection Profile Map Policies page opens.
Step 2 Select any, or all, of the following options to establish authentication and to determine to which connection profile (tunnel group) to map the client:
Use Configured Rules to Match a Certificate to a Group—To use the rules defined in the Certificate to Connection Profile Maps > Rules policy. For information on configuring the rules, see Configuring Certificate to Connection Profile Map Rules (ASA), page 30-29.
Use Certificate Organization Unit (OU) Field to Determine the Group—To use the organizational unit (OU) field of the client certificate.
Use IKE Identity to Determine the Group—To use the IKE identity.
Use Peer IP address to Determine the Group—To use the peer’s IP address.
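For reference, this is the ASA CLI that corresponds to the four options above; it is an added illustration, not text from this guide, and Security Manager generates the equivalent commands when the policy is deployed. The tunnel-group name, certificate map name and certificate attribute values are constructed placeholders.

```text
! The connection profile (tunnel group) must exist before a rule can map to it
tunnel-group ENG-TUNNEL type remote-access
!
! Certificate map: the DN-field rules that a client certificate is matched against
! (constructed values; maintained in the ...Certificate to Connection Profile Maps > Rules policy)
crypto ca certificate map ENG-CERT-MAP 10
 subject-name attr ou eq Engineering
 issuer-name attr cn eq Example-Corp-CA
!
! Option: Use Configured Rules to Match a Certificate to a Group
tunnel-group-map enable rules
tunnel-group-map ENG-CERT-MAP 10 ENG-TUNNEL
!
! Option: Use Certificate Organization Unit (OU) Field to Determine the Group
! (the OU value in the certificate is taken as the tunnel-group name)
tunnel-group-map enable ou
!
! Option: Use IKE Identity to Determine the Group
tunnel-group-map enable ike-id
!
! Option: Use Peer IP address to Determine the Group
tunnel-group-map enable peer-ip
!
! Connection profile used when none of the enabled methods yields a match
tunnel-group-map default-group DefaultRAGroup
```

On the device, `show running-config tunnel-group-map` confirms which matching methods are enabled and which certificate map entries point at which connection profile.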

Configuring Certificate to Connection Profile Map Rules (ASA)

If you configure certificate to connection profile maps, and select the option to Use Configured Rules to Match a Certificate to a Group (as explained in Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29), you need to configure the rules required to match a user to a connection profile based on the user certificate.