30-30
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with IPSec VPN Policies
To match user permission groups based on fields of the certificate, you define rules that specify the fields
to match for a group and then enable each rule for that selected group. You must first define a connection
profile (tunnel group) before you can create and map a rule to it.
This procedure describes how to configure the Certificate to Connection Profile Map rules and
parameters for any remote client trying to connect to an ASA server device.
Tip Certificate to connection profile map policies apply to remote access IKEv1 IPSec VPNs only. They do
not apply to IKEv2 or SSL VPNs.
Before You Begin
Make sure the connection profiles for which you are creating mapping rules have been configured on
the device. See Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6.
Make sure that you select Use Configured Rules to Match a Certificate to a Group in the
Certificate to Connection Profile Maps Policies policy. See Configuring Certificate to Connection
Profile Map Policies (ASA), page 30-29.
Step 1 (Device view only) With an ASA device selected, select Remote Access VPN > IPSec VPN >
Certificate to Connection Profile Maps > Rules from the Policy selector.
The Certificate to Connection Profile Map Rules page is displayed. The policy has two tables:
Maps table (upper table)—The upper table lists all connection profiles for which you are defining
certificate to connection map rules. Each row is a profile map, which includes the name of the
connection profile that is being mapped, the priority of the map (lower numbers have higher
priority), and the map name. You can configure more than one map for the same connection profile.
To configure rules for a map, select it and then use the rules table to create, edit, and delete the
rules.
To add a map, click the Add Row button and fill in the Map Rule Dialog Box (Upper Table),
page 30-31.
To edit map properties (not rules), select it and click the Edit Row button.
To delete an entire map, select it and click the Delete Row button.
Rules table (lower table)—The rules for the map selected in the upper table. You must ensure that
the map is actually selected in the upper table: the group title above the rules table should say
"Details for (Connection Profile Name)."
When you select a map, the table shows all rules configured for the map, including the field (subject
or issuer), certificate component, matching operator, and the value that the rule is looking for. The
remote user must match all configured rules in a map for the device to use the mapped connection
profile.
To add a rule, click the Add Row button and fill in the Map Rule Dialog Box (Lower Table),
page 30-32.
To edit a rule, select it and click the Edit Row button.
To delete a rule, select it and click the Delete Row button.
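The following is an added example, not part of the Cisco guide, that models how the device evaluates these maps: every rule in a map must match, and when several maps match, the map with the lower priority number wins. It assumes rules use the field "subject" or "issuer", a DN component such as OU or CN, and one of four operators (eq, ne, co, nc: equals, not equals, contains, does not contain); the map and certificate values are constructed.

```python
# Added example (not from the Cisco guide): model of certificate to connection
# profile map evaluation. Assumptions: operators eq/ne/co/nc, case-insensitive
# comparison, lower priority number wins, a map with no rules never matches.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    cert_field: str   # "subject" or "issuer"
    component: str    # DN attribute, e.g. "OU", "CN", "O"
    operator: str     # "eq", "ne", "co", "nc"
    value: str


@dataclass
class ProfileMap:
    name: str
    priority: int     # lower number = higher priority
    profile: str      # connection profile (tunnel group) this map selects
    rules: list = field(default_factory=list)


def rule_matches(rule: Rule, cert: dict) -> bool:
    """Evaluate one rule against {"subject": {...}, "issuer": {...}}."""
    actual = cert.get(rule.cert_field, {}).get(rule.component.upper(), "")
    a, v = actual.lower(), rule.value.lower()
    return {"eq": a == v, "ne": a != v, "co": v in a, "nc": v not in a}[rule.operator]


def select_profile(maps: list, cert: dict) -> Optional[str]:
    """Return the profile of the highest-priority map whose rules ALL match."""
    for m in sorted(maps, key=lambda m: m.priority):
        if m.rules and all(rule_matches(r, cert) for r in m.rules):
            return m.profile
    return None  # no map matched


# Constructed sample maps: the engineering map also pins the issuing CA,
# so a certificate with the right OU from an unknown CA is not mapped.
MAPS = [
    ProfileMap("ENG-MAP", 10, "ENGINEERING-PROFILE", [
        Rule("subject", "OU", "eq", "Engineering"),
        Rule("issuer", "CN", "eq", "Corp-Issuing-CA")]),
    ProfileMap("STAFF-MAP", 20, "STAFF-PROFILE", [
        Rule("issuer", "CN", "eq", "Corp-Issuing-CA")]),
]
ENGINEER_CERT = {"subject": {"CN": "alice", "OU": "Engineering"}, "issuer": {"CN": "Corp-Issuing-CA"}}
CONTRACTOR_CERT = {"subject": {"CN": "bob", "OU": "Contractors"}, "issuer": {"CN": "Corp-Issuing-CA"}}
EXTERNAL_CERT = {"subject": {"CN": "eve", "OU": "Engineering"}, "issuer": {"CN": "Some-Other-CA"}}
```

Running select_profile over the three constructed certificates shows the engineer landing in ENGINEERING-PROFILE, the contractor falling through to STAFF-PROFILE, and the certificate from the unrelated CA matching nothing.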
Step 2 To add a rule to a map:
a. Select the map in the upper table.