Cisco ASA 5505 Configuration Manual page 1383

Chapter 64
General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles

First configure the policy for matching a certificate to a connection profile at Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Certificate to Connection Profile Maps. If you choose to use rules you configure, go to Rules to specify the rules. The following procedure shows how you create the certificate-based criteria for each IPsec and SSL VPN connection profile:

Step 1  Use the table at the top (Certificate to Connection Profile Maps) to do one of the following:

• Create a list name, called a "map," specify the priority of the list, and assign the list to a connection profile. ASDM highlights the list after you add it to the table.

• Confirm that a list is assigned to the connection profile for which you want to add certificate-based rules. ASDM highlights the list after you add it to the table and displays any associated list entries in the table at the bottom of the pane.

Step 2  Use the table at the bottom (Mapping Criteria) to view, add, change, or delete entries in the selected list. Each entry in the list consists of one certificate-based rule. All of the rules in the mapping criteria list need to match the contents of the certificate for the adaptive security appliance to choose the associated map index. To assign a connection if one criterion or another matches, create one list for each matching criterion.

To understand the fields, see the following sections:

• Setting a Certificate Matching Policy
• Add/Edit Certificate Matching Rule
• Add/Edit Certificate Matching Rule Criterion

Setting a Certificate Matching Policy

For IPsec connections, a certificate group matching policy defines the method to use for identifying the permission groups of certificate users. You can use any or all of these methods:

Fields

• Use the configured rules to match a certificate to a group—Lets you use the rules you have defined under Rules.

• Use the certificate OU field to determine the group—Lets you use the organizational unit field to determine the group to which to match the certificate. This is selected by default.

• Use the IKE identity to determine the group—Lets you use the identity you previously defined under Configuration > VPN > IKE > Global Parameters. The IKE identity can be hostname, IP address, key ID, or automatic.

• Use the peer IP address to determine the group—Lets you use the peer's IP address. This is selected by default.

• Default to group—Lets you select a default group for certificate users that is used when none of the preceding methods resulted in a match. This is selected by default. Click the default group in the Default to group list. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using Configuration > VPN > General > Tunnel Group.

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
64-73
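The matching semantics described in Step 2 (every rule in a map must match the certificate, a separate map for each alternative criterion, maps tried in priority order, and the "Default to group" fallback when no map matches), modelled in Python as an added example. This is not Cisco code and not what the appliance executes; the operator set (eq, ne, co, nc), the rule that a lower priority value is evaluated first, and the sample maps and certificate data are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed operator set, modelled on equals / not equals / contains / does not contain.
OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "ne": lambda actual, value: actual != value,
    "co": lambda actual, value: value in actual,
    "nc": lambda actual, value: value not in actual,
}


@dataclass
class Rule:
    cert_field: str  # "subject" or "issuer"
    component: str   # DN attribute such as "OU", "CN" or "O"
    operator: str    # one of OPERATORS
    value: str

    def matches(self, cert: dict) -> bool:
        actual = cert.get(self.cert_field, {}).get(self.component, "")
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class CertMap:
    name: str
    priority: int
    connection_profile: str
    rules: list

    def matches(self, cert: dict) -> bool:
        # Every rule in one map must match the certificate (logical AND), as Step 2 states.
        return all(rule.matches(cert) for rule in self.rules)


def select_connection_profile(cert: dict, maps: list, default_group: str) -> str:
    # Separate maps give OR semantics; assumed here: the lower priority value is tried first.
    for cert_map in sorted(maps, key=lambda m: m.priority):
        if cert_map.matches(cert):
            return cert_map.connection_profile
    return default_group  # the "Default to group" setting when no map matches


# Constructed sample maps; a certificate is represented by its parsed DN components.
MAPS = [
    CertMap("ENG_MAP", 10, "EngineersProfile",
            [Rule("subject", "OU", "eq", "Engineering"), Rule("subject", "O", "eq", "Example Corp")]),
    CertMap("CONTRACTOR_MAP", 20, "ContractorProfile", [Rule("subject", "OU", "eq", "Contractors")]),
    CertMap("PARTNER_MAP", 30, "PartnerProfile", [Rule("issuer", "CN", "co", "Partner CA")]),
]
```

A certificate whose OU is Engineering but whose O is not Example Corp fails ENG_MAP as a whole, which is why an alternative criterion needs its own map rather than an extra rule in the same one.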