Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Client Address Pools—Specifies up to 6 predefined address pools. To define an address pool,
go to Configuration > Remote Access VPN > Network Client Access > Address Assignment >
Address Pools.
Select—Opens the Select Address Pools dialog box.
• Default Group Policy—Specifies attributes relevant to the default group policy.
Group Policy—Selects the default group policy to use for this connection. The default is
Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or
delete group policies.
Client Protocols—Selects the protocol or protocols to use for this connection. By default, both
IPsec and L2TP over IPsec are selected.
The following table shows the modes in which this feature is available:
Mapping Certificates to IPsec or SSL VPN Connection Profiles
When the ASA receives an IPsec connection request with client certificate authentication, it assigns a
connection profile to the connection according to policies you configure. That policy can be to use rules
you configure, use the certificate OU field, use the IKE identity (i.e. hostname, IP address, key ID), the
peer IP address, or a default connection profile. For SSL connections, the ASA only uses the rules you
For IPsec or SSL connections using rules, the ASA evaluates the attributes of the certificate against the
rules until it finds a match. When it finds a match, it assigns the connection profile associated with the
matched rule to the connection. If it fails to find a match, it assigns the default connection profile
(DefaultRAGroup for IPsec and DefaultWEBVPNGroup for SSL VPN) to the connection and lets the
user choose the connection profile from a drop-down menu displayed on the portal page (if it is enabled).
The outcome of the connection attempt once in this connection profile depends on whether or not the
certificate is valid and the authentication settings of the connection profile.
A certificate group matching policy defines the method to use for identifying the permission groups of
certificate users. You can use any or all of these methods.
First configure the policy for matching a certificate to a connection profile at Configuration > Remote
Access VPN > Network (Client) Access > Advanced > IPsec > Certificate to Connection Profile Maps.
If you choose to use rules you configure, go to Rules to specify the rules. The following procedures
shows how you create the certificate-based criteria for each IPsec and SSL VPN connection profile:
Step 1 Use the table at the top (Certificate to Connection Profile Maps) to do one of the following:
• Create a list name, called a “map,” specify the priority of the list, and assign the list to a connection
Firewall Mode Security Context
Routed Transparent Single
Context System
• — • ——