
questions about DefaultWEBVPNGroup

elite2010
Level 3

Hi,

Q1. I have a tunnel group called test-grp.

tunnel-group test_grp general-attributes
 address-pool test_pool
 authentication-server-group ise
 accounting-server-group ise
 default-group-policy test_grouppolicy

After a successful connection using AnyConnect, in the session details I could see the tunnel group is still 'DefaultWEBVPNGroup'

and the group policy associated with the session is 'test_grouppolicy'.

Is it normal or a bad configuration?

I have disabled the option for the user to choose the connection profile.

So what about the group policy associated with the connection profile 'DefaultWEBVPNGroup'?

DefaultWEBVPNGroup's default group policy is currently 'DfltGrpPolicy'.

2) If I want to create a separate group policy and associate it with DefaultWEBVPNGroup, which IPs should be permitted in the split tunnel ACL and VPN filter? (I want maximum security without affecting operation.)

3) What if I want to disable clientless VPN?

What are the differences between 'a' and 'b'?

a) tunnel-group TestConn1 type remote-access
tunnel-group TestConn1 general-attributes

b) tunnel-group TestConn1 webvpn-attributes

Thanks

 


If you disable tunnel-group list on the ASA, by default the user will be assigned the default VPN group "DefaultWEBVPNGroup". I see that for DefaultWEBVPNGroup you are using an external authentication server. Are you sending the group-policy name as test_grouppolicy from the external authentication server?

You can create a new group policy with either a split tunnel or tunnel all setting, depending on your requirements.

To disable clientless VPN, issue the command below under the group policy attributes:

 vpn-tunnel-protocol ssl-client

general-attributes are used to configure authentication, accounting, address-pool and similar commands.

webvpn-attributes are used to configure web VPN related commands like group-alias, group-url, etc.

Ashish

Hi,

Here are the DefaultWEBVPNGroup tunnel details:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ise

I have vpn-tunnel-protocol ssl-client enabled on most of the tunnel groups, but users can still log in to the portal.

Thanks

Change vpn-tunnel-protocol in the group policy.
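
An added example, not part of the original thread: a small Python audit that reads an ASA running-config and reports, for each tunnel group, whether its default group policy still permits `ssl-clientless`, treating an unset `vpn-tunnel-protocol` as inherited from DfltGrpPolicy. The sample config is constructed; `legacy_gp` and `old_grp` are hypothetical names, the others come from the thread.

```python
import re

# Constructed sample config (some names from the thread; contents are illustrative).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy test_grouppolicy internal
group-policy test_grouppolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy legacy_gp internal
group-policy legacy_gp attributes
 dns-server value 192.0.2.53
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ise
tunnel-group test_grp general-attributes
 address-pool test_pool
 default-group-policy test_grouppolicy
tunnel-group old_grp general-attributes
 default-group-policy legacy_gp
"""

def parse(config):
    """Return ({policy: protocols or None}, {tunnel_group: default policy})."""
    policies, groups, section = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line opens a new section
            m = re.match(r"(group-policy|tunnel-group) (\S+) (attributes|general-attributes)$", line)
            section = (m.group(1), m.group(2)) if m else None
            if m and m.group(1) == "group-policy":
                policies.setdefault(m.group(2), None)
            elif m:                           # tunnel groups default to DfltGrpPolicy
                groups.setdefault(m.group(2), "DfltGrpPolicy")
            continue
        words = line.split()
        if section and section[0] == "group-policy" and words[:1] == ["vpn-tunnel-protocol"]:
            policies[section[1]] = set(words[1:])
        elif section and section[0] == "tunnel-group" and words[:1] == ["default-group-policy"]:
            groups[section[1]] = words[1]
    return policies, groups

def clientless_report(config):
    """Map each tunnel group to (policy, True/False/None); None = not set in config."""
    policies, groups = parse(config)
    report = {}
    for tg, gp in groups.items():
        protos = policies.get(gp) or policies.get("DfltGrpPolicy")  # unset inherits
        report[tg] = (gp, None if protos is None else "ssl-clientless" in protos)
    return report
```

A group policy returned by the RADIUS server, as ISE does in this thread, replaces the tunnel group's default for that session, so the policies ISE can assign need the same check.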

Hi

DefaultWEBVPNGroup". I see for DefaultWEBVPNGroup you are using an external authentication server. Are you sending group-policy name as test_grouppolicy from external authentication server?

Yes, sending from ISE.

"You can create a new group policy with either split tunnel or tunnel all setting depending on your requirements."

My requirement: the user will use a clientless connection to download the AnyConnect client.

Thanks

You need to copy the .pkg file from the cisco.com download page into the ASA's flash and then run the following commands.

webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 2
 anyconnect enable
