30-31
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with IPSec VPN Policies
If the map does not already exist, create it by clicking the Add Row (+) button beneath the upper
table and filling in the Map Rule dialog box for creating maps. In the dialog box, you must select the
connection profile for the map, assign a relative priority between 1 and 65535 (lower numbers have
higher priority), and enter a unique map name.
b. Ensure that the map is actually selected. Highlighting the map in the table is not sufficient. The
heading above the lower table should be “Details for (Connection Profile Name),” and unless the
map is new, the table should show some rules.
c. To add a new certificate-to-connection-profile matching rule, that is, a condition the remote client's
certificate must satisfy before the client can connect to the device using the profile in this map, click
the Add Row (+) button beneath the lower table. This opens the Map Rule dialog box with different fields.
Note If you get the error message “Missing Settings, A value ID required for Mapping field,
Please select a Mapping,” it means that you have not successfully selected a map in the upper
table. Click on the desired map again.
d. From the Field list, select whether the rule should examine the Subject or Issuer field of the client
certificate.
e. From the Component list, select the component of the client certificate to use for the matching rule.
f. From the Operator field, select how the component should be compared to the Value field: Equals
(exact match is required), Contains (the entire value must appear), Does Not Equal, Does Not
Contain.
g. In the Value field, specify the value to match, then click OK to save the rule.
h. Add additional rules to the map as desired.
Step 3 In the Default Connection Profile field, select the connection profile that should be used for users who
do not meet any of the map rules.
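The selection logic that the steps above configure can be summarized as: maps are tried in priority order (lowest number first), a map matches only when every one of its rules is satisfied by the client certificate, and a client whose certificate matches no map is assigned the Default Connection Profile. The following Python model of that logic is an added example, not code from Cisco Security Manager or the ASA; the class names, the dictionary layout used for the parsed certificate DN, the sample certificates and the profile names are all constructed for this illustration, and it assumes case-sensitive comparisons and that a map with no rules matches nothing.

```python
"""Added illustrative model of certificate-to-connection-profile map rules.

Not Cisco Security Manager or ASA code: the names, data layout and sample
data below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# A parsed client certificate is modelled as {"Subject": {...}, "Issuer": {...}},
# each holding DN components such as CN, OU, O (an assumption of this example).
Certificate = Dict[str, Dict[str, str]]


@dataclass
class MapRule:
    dn_field: str    # "Subject" or "Issuer" (the Field list in the dialog box)
    component: str   # DN component to examine, e.g. "CN", "OU", "O"
    operator: str    # "Equals", "Contains", "Does Not Equal", "Does Not Contain"
    value: str       # the Value field

    def matches(self, cert: Certificate) -> bool:
        actual = cert.get(self.dn_field, {}).get(self.component, "")
        if self.operator == "Equals":
            return actual == self.value          # exact match required
        if self.operator == "Does Not Equal":
            return actual != self.value
        if self.operator == "Contains":
            return self.value in actual          # entire value must appear
        if self.operator == "Does Not Contain":
            return self.value not in actual
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class CertMap:
    name: str
    priority: int            # 1-65535; lower numbers have higher priority
    connection_profile: str  # profile assigned when this map matches
    rules: List[MapRule]

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 65535:
            raise ValueError("priority must be between 1 and 65535")

    def matches(self, cert: Certificate) -> bool:
        # All rules in a map must be satisfied; an empty map matches nothing
        # (assumption of this example, since the guide does not say).
        return bool(self.rules) and all(r.matches(cert) for r in self.rules)


def select_connection_profile(maps: List[CertMap], cert: Certificate,
                              default_profile: str) -> str:
    """Return the profile of the highest-priority matching map, else the default."""
    for cert_map in sorted(maps, key=lambda m: m.priority):
        if cert_map.matches(cert):
            return cert_map.connection_profile
    return default_profile


# Constructed sample maps; the Contractors map is listed first on purpose to
# show that priority, not list order, decides which map wins.
MAPS = [
    CertMap("Contractors", 20, "ContractorProfile", [
        MapRule("Subject", "OU", "Contains", "Contractor"),
        MapRule("Issuer", "O", "Equals", "Example Corp"),
    ]),
    CertMap("Engineering", 10, "EngineeringProfile", [
        MapRule("Subject", "OU", "Contains", "Engineering"),
        MapRule("Issuer", "O", "Equals", "Example Corp"),
    ]),
]
DEFAULT_PROFILE = "DefaultProfile"

# Constructed sample client certificates (parsed DN components), not real data.
ISSUER = {"CN": "Example Corp Issuing CA", "O": "Example Corp"}
ENGINEERING_CERT = {"Subject": {"CN": "alice", "OU": "Engineering", "O": "Example Corp"}, "Issuer": ISSUER}
CONTRACTOR_CERT = {"Subject": {"CN": "bob", "OU": "Contractors", "O": "Example Corp"}, "Issuer": ISSUER}
# Matches both maps; the Engineering map (priority 10) must win.
MIXED_CERT = {"Subject": {"CN": "carol", "OU": "Engineering Contractor"}, "Issuer": ISSUER}
# Subject looks right but the Issuer rule fails, so no map matches.
OTHER_CA_CERT = {"Subject": {"CN": "mallory", "OU": "Engineering"},
                 "Issuer": {"CN": "Some Other CA", "O": "Other Org"}}

if __name__ == "__main__":
    for label, cert in [("engineering", ENGINEERING_CERT), ("contractor", CONTRACTOR_CERT),
                        ("mixed", MIXED_CERT), ("other CA", OTHER_CA_CERT)]:
        print(f"{label:12s} -> {select_connection_profile(MAPS, cert, DEFAULT_PROFILE)}")
```

The OTHER_CA_CERT case is the one worth checking in a real deployment: a rule on the Subject field alone would let any certificate with a matching OU into the profile, so pairing it with an Issuer rule in the same map keeps the match tied to the CA you intend.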
Map Rule Dialog Box (Upper Table)
Use the Map Rule dialog box, when opened for the maps table in the upper part of the Certificate to
Connection Profile Maps > Rules policy, to configure maps for which you can then configure rules in
the lower table of the Rules policy. For a detailed explanation of configuring these maps and their
associated rules, see Configuring Certificate to Connection Profile Map Rules (ASA), page 30-29.
Navigation Path
(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate
to Connection Profile Maps > Rules from the Policy selector. Click the Add Row button beneath the
upper table, or select a map in the upper table and click Edit Row.
Field Reference
Table 30-13 Map Rule Dialog Box (Upper Table)
Element: Connection Profile
Description: Select the connection profile for which you are creating matching rules.
Clients attempting to connect to this connection profile must satisfy the
associated matching rule conditions to connect to the device.