https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015360#M23071 <P>Hi,</P><P>&nbsp;</P><P>Thanks for quick reply.</P><P>&nbsp;</P><P>One more demand.</P><P>Let's say, on current webvpn I have tunnel-group 12345.</P><P>I will create new one (for inside) 54321.</P><P>&nbsp;</P><P>But, what I need, is:</P><P>1) from outside I will see (in client) only 12345</P><P>2) from inside I will see (in client) only 54321</P><P>&nbsp;</P><P>There will be no possibility to use tunnel-group 54321 from outside and vice versa.</P><P>I cannot find any solution, to limit tunnel-groups in that way.</P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Pavel</P><P>&nbsp;</P> Tue, 21 Jan 2020 14:38:14 GMT Pavel Pokorny 2020-01-21T14:38:14Z https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015234#M23067 <P>Dear all,</P><P>&nbsp;</P><P>Please advice, what are possibilities.</P><P>&nbsp;</P><P>AsIs situation: ASA with webvpn configured on outside interface. This is pretty standard solution which is working for many years.</P><P>&nbsp;</P><P>ToBe situation: add possibility to connect via VPN client on inside interface. But here comes the trick. I would like to have (on this new headend) different tunnel-groups and with this also different ip-pool for clients.</P><P>&nbsp;</P><P>Is it even possible (9.8 version)?</P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Pavel</P><P>&nbsp;</P> Tue, 21 Jan 2020 11:51:58 GMT https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015234#M23067 Pavel Pokorny 2020-01-21T11:51:58Z https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015306#M23069 Hi,<BR />Yes this should be possible. You would need to:-<BR /><BR />- Enabled SSL/IKEv2 IPSec on the INSIDE interface.<BR />- Create additional IP Pools<BR />- Create a new Group Policy, reference the new IP Pool within the Group Policy<BR />- Create a new tunnel group, reference the new group policy within the tunnel group.<BR /><BR />You should then connect to the new tunnel group and receive an IP address from the new IP Pool. You would probably also need a new NAT exemption rule to ensure traffic from the new IP Pool to the local internal network is not natted.<BR /><BR />If you need further assistance please upload your configuration.<BR />HTH Tue, 21 Jan 2020 13:37:05 GMT https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015306#M23069 Rob Ingram 2020-01-21T13:37:05Z https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015360#M23071 <P>Hi,</P><P>&nbsp;</P><P>Thanks for quick reply.</P><P>&nbsp;</P><P>One more demand.</P><P>Let's say, on current webvpn I have tunnel-group 12345.</P><P>I will create new one (for inside) 54321.</P><P>&nbsp;</P><P>But, what I need, is:</P><P>1) from outside I will see (in client) only 12345</P><P>2) from inside I will see (in client) only 54321</P><P>&nbsp;</P><P>There will be no possibility to use tunnel-group 54321 from outside and vice versa.</P><P>I cannot find any solution, to limit tunnel-groups in that way.</P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Pavel</P><P>&nbsp;</P> Tue, 21 Jan 2020 14:38:14 GMT https://community.cisco.com/t5/network-security/asa-with-two-webvpn-interfaces/m-p/4015360#M23071 Pavel Pokorny 2020-01-21T14:38:14Z