
Tuesday, August 24, 2010

How can we create two group URLs with a unique group url and an SSL cert per group url?

We need to provide two different SSL VPN environments for two different customers on the same ASA 5510 appliance. Can we create two group policies, each with a unique group url specified, and then assign an SSL cert matching the group url? From an IP perspective, they would both be hitting the same outside IP address.


Group_policy: customerA

Group URL:

ssl cert:

Group_policy: customerB

Group URL:

ssl cert:

1. Can you use 2 separate URLs on the same ASA for two separate connection profiles?

2. Can you use 2 separate certificates to validate the two URLs?

Regarding your first query, yes, this can be done. You will have to create 2 separate group-policies and 2 connection profiles, a.k.a. tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group-policy. Your configuration might look something like this:

ASA(config)# group-policy customerA internal
ASA(config)# group-policy customerA attributes
ASA(config-group-policy)# (configure the respective attributes here)

ASA(config)# tunnel-group customerA type remote-access
ASA(config)# tunnel-group customerA general-attributes
ASA(config-tunnel-general)# default-group-policy customerA

ASA(config)# tunnel-group customerA webvpn-attributes
ASA(config-tunnel-webvpn)# group-url https://ASA1/ enable

(the group-url command takes the trailing "enable" keyword; without it the URL is defined but not active)

Repeat the above steps and replace "customerA" with "customerB"

Regarding your second question, you can only configure one trustpoint to be used with one interface. So you need to do either one of the following:

1. get a UCC( Unified Client Certificate) for your ASA:

Obtain one UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. So you need a UCC certificate with the CN for the master FQDN or IP, and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP, and so on. Several PKI/Certificate vendors support this, e.g. Verisign.

Note: the ASA cannot generate a Certificate Signing Request (CSR) with multiple SANs (CSCso70867 is the enhancement asking for this capability), so you have to have the PKI vendor submit the enrollment for you.

On the ASA configure one trustpoint '' and install/import the UCC certificate in this trustpoint. Bind this trustpoint to the outside interface.

2. OR get a wildcard certificate. Wildcard certificates are discouraged in favor of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:

  1. UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly which hosts and domains are to be protected
  2. UCC is more flexible than wildcard certificates since Entrust UC Certificates aren't limited to a single domain
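Because only one trustpoint can be bound to the outside interface, the single certificate installed there has to name the host of every group-url served on that interface. The following is an added example, not part of the original post or any Cisco tool, that checks that condition offline: it applies the usual client matching rules (exact match, or a wildcard that is only the leftmost label and covers exactly one label, never an IP address) to a certificate's SAN list and reports which group-urls would fail hostname validation. The SAN list, hostnames and URLs are constructed sample values, and the function names are this example's own.

```python
"""Check whether one certificate's names cover every group-url on an ASA.

Added example (not from the original post): the ASA binds a single
trustpoint to the outside interface, so one certificate must name the
host of every group-url served there. All names below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against a host, the way
    a browser or AnyConnect client does:

    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is only honoured as the whole leftmost label ('*.x.y')
    - the wildcard covers exactly one label: never 'a.b.x.y', never 'x.y'
    - an IP-address host must match literally; wildcards never cover IPs
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host

    try:                       # wildcard vs. an IP literal is never a match
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass

    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:   # rejects 'a*.x.y' and '*.com'
        return False
    if any("*" in label for label in p_labels[1:]):   # only one wildcard label
        return False
    # the wildcard stands in for exactly one label, the rest must be identical
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(subject_cn: str, sans: list) -> list:
    """Names a client will accept from a certificate. Modern clients ignore
    the subject CN once a SAN extension is present, so the CN only counts
    when the certificate carries no SANs at all."""
    return list(sans) if sans else [subject_cn]


def uncovered_group_urls(names: list, group_urls: list) -> list:
    """Return the group-urls whose host is not matched by any cert name."""
    uncovered = []
    for url in group_urls:
        host = urlsplit(url).hostname or ""
        if not any(hostname_matches(name, host) for name in names):
            uncovered.append(url)
    return uncovered


# Constructed sample data: one UCC covering the master name plus both
# customer-facing names, and the two group-urls from the tunnel groups.
UCC_SANS = ["vpn.example.com", "customera.example.com", "customerb.example.com"]
GROUP_URLS = ["https://customerA.example.com/", "https://customerB.example.com/"]


if __name__ == "__main__":
    print("UCC uncovered:", uncovered_group_urls(UCC_SANS, GROUP_URLS))
    # a wildcard covers one domain only, which is the Entrust point above
    print("wildcard uncovered:",
          uncovered_group_urls(["*.example.com"],
                               GROUP_URLS + ["https://vpn.customerb.net/"]))
```

Run it before requesting the certificate, or whenever a group-url is added: an empty list means every tunnel group's URL will validate against the one certificate bound to the interface, and any URL it returns is a hostname the CSR still needs as a SAN.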

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
