05-08-2017 11:50 AM - edited 03-12-2019 02:19 AM
Hi,
Q1. I have a tunnel group called test-grp.
tunnel-group test_grp general-attributes
address-pool test_pool
authentication-server-group ise
accounting-server-group ise
default-group-policy test_grouppolicy
After a successful connection using AnyConnect, in the session details I could see the tunnel group is still 'DefaultWEBVPNGroup'
and the group policy associated with the session is 'test_grouppolicy'.
Is it normal or the worst configuration?
I have disabled the option for the user to choose the connection profile.
So what about the group policy associated with the connection profile 'DefaultWEBVPNGroup'?
DefaultWEBVPNGroup's default group policy is currently 'DfltGrpPolicy'
2) If I want to create a separate group policy and associate it with DefaultWEBVPNGroup, which IPs should be permitted in the split tunnel ACL and VPN filter? (I want to strengthen security as much as possible without affecting operation.)
3) What if I want to disable clientless VPN?
What are the differences between 'a' and 'b'?
a) tunnel-group TestConn1 type remote-access
tunnel-group TestConn1 general-attributes
b) tunnel-group TestConn1 webvpn-attributes
Thanks
05-08-2017 01:36 PM
If you disable the tunnel-group list on the ASA, by default the user will be assigned the default VPN group "DefaultWEBVPNGroup". I see that for DefaultWEBVPNGroup you are using an external authentication server. Are you sending the group-policy name test_grouppolicy from the external authentication server?
You can create a new group policy with either split tunnel or tunnel all setting depending on your requirements.
To disable clientless VPN, issue the command below under the group policy attributes:
vpn-tunnel-protocol ssl-client
General attributes are used to configure authentication, accounting, address-pool and related commands.
Webvpn-attributes are used to configure web VPN related commands like group-alias, group-url, etc.
Ashish
05-08-2017 01:57 PM
Hi,
Here is the DefaultWEBVPNGroup tunnel details
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ise
I have vpn-tunnel-protocol ssl-client enabled on most of the tunnel groups, but users can still log in to the portal.
Thanks
05-08-2017 02:11 PM
Change vpn-tunnel-protocol in the group policy.
05-08-2017 03:10 PM
Hi
"DefaultWEBVPNGroup". I see for DefaultWEBVPNGroup you are using an external authentication server, Are you sending group-policy name as test_grouppolicy from external authentication server?"
Yes, sending from ISE.
"You can create a new group policy with either split tunnel or tunnel all setting depending on your requirements."
My requirement: users will use a clientless connection to download the AnyConnect client.
Thanks
05-08-2017 03:58 PM
You need to copy the .pkg file from the cisco.com download page into the ASA's flash and run the following commands.
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 2
anyconnect enable
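An added example, not part of any post in this thread: a Python audit that reads an ASA running-config and reports, per tunnel group, whether the effective group policy still permits clientless (ssl-clientless), inheriting from DfltGrpPolicy when a policy sets no vpn-tunnel-protocol. The sample config is constructed; legacy_grp and legacy_policy are hypothetical names.

```python
import re

DEFAULT_GP = "DfltGrpPolicy"
# Constructed sample config; names follow the thread, legacy_* are hypothetical.
SAMPLE = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy test_grouppolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy legacy_policy internal
tunnel-group test_grp general-attributes
 default-group-policy test_grouppolicy
tunnel-group legacy_grp general-attributes
 default-group-policy legacy_policy
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ise
"""

def parse(config):
    """Return ({group policy: protocols or None}, {tunnel group: default policy})."""
    protocols, tg_policy, section = {}, {}, ("", "", "")
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command opens a new section
            m = re.match(r"(group-policy|tunnel-group) (\S+) (\S+)", line)
            section = m.groups() if m else ("", "", "")
            if m and m.group(1) == "group-policy":
                protocols.setdefault(m.group(2), None)
            elif m:  # tunnel groups fall back to DfltGrpPolicy until told otherwise
                tg_policy.setdefault(m.group(2), DEFAULT_GP)
            continue
        name, words = section[1], line.split() or [""]
        key = (section[0], section[2], words[0])
        if key == ("group-policy", "attributes", "vpn-tunnel-protocol"):
            protocols[name] = set(words[1:])
        elif key == ("tunnel-group", "general-attributes", "default-group-policy"):
            tg_policy[name] = words[1]
    return protocols, tg_policy

def clientless_exposure(config):
    """Map each tunnel group to 'allowed', 'blocked' or 'unknown' for clientless."""
    protocols, tg_policy = parse(config)
    result = {}
    for tg, gp in tg_policy.items():
        effective = protocols.get(gp) or protocols.get(DEFAULT_GP)  # unset inherits
        if effective is None:  # DfltGrpPolicy values are not shown in this config
            result[tg] = "unknown"
        else:
            result[tg] = "allowed" if "ssl-clientless" in effective else "blocked"
    return result
```

A group policy returned by the authentication server, as ISE does in this thread, takes the place of the tunnel group's default-group-policy, so audit every policy the server can assign as well.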