Cisco ASA 5500-X connection profile

v-romanchuk
Level 1

Hello!
Currently I am studying the documentation for Cisco ASA version 9.5. While studying the VPN section I ran into the following problem. The Cisco ASA configuration has two default connection profiles whose purpose I do not understand: DefaultRAGroup and DefaultWEBVPNGroup. The settings of these profiles contain three sections: general attributes, webvpn attributes and ipsec attributes. All parameters in each section are set identically for the DefaultRAGroup and DefaultWEBVPNGroup profiles. Question: what is the purpose of these two profiles (DefaultRAGroup and DefaultWEBVPNGroup), and of the webvpn-attributes and ipsec-attributes sections in each profile?
Thank you.

2 Replies

David99
Level 1

Hi There,

The WebVPN Group will be for services which can use the WebVPN portal, such as AnyConnect

The DefaultRAGroup (Remote Access) is going to be for traditional IPSEC VPN

You can create group-policies which combine various settings

WebVPN attributes can be things like service profiles

Typically you will see IPSEC attributes defined under a tunnel group - things like the pre-shared key for example.

Here is an example with IPSEC, note how the group policy is referenced by the tunnel-group:

group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol ikev1
 address-pools value MY-IP-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL-ACL
 
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key <your pre shared key>

Does this add some clarity?
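
One way to check the tunnel-group to group-policy reference shown in the reply above, as an added example that is not part of the original thread or any Cisco tooling: a small Python parser that lists each tunnel-group's type, attribute sections and default-group-policy, and flags references to a group-policy the config never defines. The sample config is constructed from the reply; `BROKEN-VPN` and `MISSING-POLICY` are hypothetical names.

```python
# Constructed sample: the reply's config (key masked) plus a hypothetical
# tunnel-group BROKEN-VPN that references a group-policy nobody defined.
SAMPLE_CONFIG = """\
group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol ikev1
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BROKEN-VPN type remote-access
tunnel-group BROKEN-VPN general-attributes
 default-group-policy MISSING-POLICY
"""

def parse_asa_vpn(config):
    """Return (policies, groups) parsed from ASA running-config text."""
    policies = {"DfltGrpPolicy": []}   # built-in policy, exists even if unlisted
    groups = {}                        # name -> {"type", "sections", "policy"}
    ctx = None                         # (kind, name) of the current sub-mode
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if line[0] != " ":             # top-level command: leave any sub-mode
            ctx = None
            if words[0] == "group-policy" and len(words) >= 3:
                policies.setdefault(words[1], [])
                if words[2] == "attributes":
                    ctx = ("policy", words[1])
            elif words[0] == "tunnel-group" and len(words) >= 3:
                g = groups.setdefault(
                    words[1], {"type": None, "sections": [], "policy": None})
                if words[2] == "type" and len(words) > 3:
                    g["type"] = words[3]
                elif words[2].endswith("-attributes"):
                    g["sections"].append(words[2])
                    ctx = ("group", words[1])
        elif ctx and ctx[0] == "policy" and words[0] == "vpn-tunnel-protocol":
            policies[ctx[1]] = words[1:]
        elif ctx and ctx[0] == "group" and words[0] == "default-group-policy":
            groups[ctx[1]]["policy"] = words[1]
    return policies, groups

def dangling_policies(config):
    """Tunnel-groups whose default-group-policy is not defined in the config."""
    policies, groups = parse_asa_vpn(config)
    return sorted(name for name, g in groups.items()
                  if g["policy"] and g["policy"] not in policies)
```
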

Hello David,

Thanks for the answer. I would like to clarify the following. Suppose I have three types of VPN clients: Cisco VPN clients, Anyconnect clients and clientless SSL VPN (WebVPN) clients. Let's say I configure a tunnel group My-VPN. In this group I set up three sub-sections:

- general-attributes where I configure general settings for clients of types;

- ipsec-attributes where I configure settings for (I think so but I'm not sure) Cisco VPN clients and Anyconnect clients;

- webvpn-attributes where I configure settings for (I think so but I'm not sure) clientless SSL VPN (WebVPN) clients.

Please tell me whether I'm right or wrong with respect to binding VPN client parameters (IPSec, AnyConnect and clientless) to the ipsec-attributes and webvpn-attributes of a connection profile.

Thanks in advance.