Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with IPSec VPN Policies
Table 30-13 Map Rule Dialog Box (Upper Table) (Continued)
Element: Description
Priority: The priority number of the matching rule, between 1 and 65535. A lower number has a higher priority. For example, a matching rule with a priority number of 2 has a higher priority than a matching rule with a priority number of 5.
  If you create multiple maps, they are processed in priority order, and the first matching rule determines to which profile the user is mapped.
Map Name: The name of the connection profile map.

Map Rule Dialog Box (Lower Table)
Use the Map Rule dialog box, when opened for the rules table in the lower part of the Certificate to Connection Profile Maps > Rules policy, to configure rules for the map selected in the maps table (upper table of the Rules policy). For a detailed explanation of configuring these rules, see Configuring Certificate to Connection Profile Map Rules (ASA), page 30-29.
Navigation Path
(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Rules from the Policy selector. Click the Add Row button beneath the lower table, or select a rule in the lower table and click Edit Row.
Field Reference
Table 30-14 Map Rule Dialog Box (Lower Table)
Element: Description
Field: Select the field for the matching rule according to the Subject or the Issuer of the client certificate.
Component: Select the component of the client certificate to use for the matching rule.
Operator: Select the operator for the matching rule as follows:
  - Equals—The certificate component must match the entered value. If they do not match exactly, the connection is denied.
  - Contains—The certificate component must contain the entered value. If the component does not contain the value, the connection is denied.
  - Does Not Equal—The certificate component cannot equal the entered value. For example, for a selected certificate component of Country, and an entered value of US, if the client country value equals US, then the connection is denied.
  - Does Not Contain—The certificate component cannot contain the entered value. For example, for a selected certificate component of Country, and an entered value of US, if the client country value contains US, the connection is denied.
Value: The value of the matching rule. The value entered is associated with the selected component and operator.
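
The evaluation described in these two tables, as an added example that is not part of the Cisco guide and is not Cisco code: a Python model of maps processed in priority order, each holding rules built from Field, Component, Operator and Value. Map names, profile names, component names and certificate values are constructed; the model assumes that every rule in a map must match, that comparison is case-sensitive, and that an absent component never matches.

```python
# Added example: models the rule semantics described in Tables 30-13 and 30-14.
# All map names, profiles and certificate values below are constructed.

OPERATORS = {
    "Equals": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,  # substring match
    "Does Not Equal": lambda actual, value: actual != value,
    "Does Not Contain": lambda actual, value: value not in actual,
}

def rule_matches(rule, cert):
    """rule = (field, component, operator, value); cert = {field: {component: str}}."""
    field, component, operator, value = rule
    actual = cert.get(field, {}).get(component)
    if actual is None:  # assumption: an absent component never matches
        return False
    return OPERATORS[operator](actual, value)  # assumption: case-sensitive

def select_profile(maps, cert):
    """Return (map name, profile) of the first matching map, or None if no map matches."""
    for m in sorted(maps, key=lambda m: m["priority"]):  # lower number = higher priority
        # assumption: every rule in a map must match for the map to match
        if all(rule_matches(r, cert) for r in m["rules"]):
            return m["name"], m["profile"]
    return None

# Constructed maps, deliberately listed out of priority order.
MAPS = [
    {"priority": 20, "name": "staff-map", "profile": "Staff-VPN",
     "rules": [("Subject", "Country", "Equals", "US")]},
    {"priority": 10, "name": "admin-map", "profile": "Admin-VPN",
     "rules": [("Subject", "Organizational Unit", "Contains", "Admin"),
               ("Issuer", "Common Name", "Equals", "Example Corp Issuing CA")]},
    {"priority": 30, "name": "partner-map", "profile": "Partner-VPN",
     "rules": [("Subject", "Country", "Does Not Equal", "US")]},
]

def sample_cert(ou, country, issuer_cn="Example Corp Issuing CA"):
    """Build a constructed certificate as nested dicts of field -> component -> value."""
    return {"Subject": {"Organizational Unit": ou, "Country": country},
            "Issuer": {"Common Name": issuer_cn}}

if __name__ == "__main__":
    for c in (sample_cert("Admin", "US"), sample_cert("NonAdmin-Contractors", "US"),
              sample_cert("Sales", "US"), sample_cert("Sales", "DE")):
        print(c["Subject"], "->", select_profile(MAPS, c))
```

The second sample certificate shows why a Contains rule deserves review: an Organizational Unit of NonAdmin-Contractors satisfies Contains Admin and is mapped to the Admin-VPN profile ahead of the lower-priority maps.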