07-29-2013 09:12 AM - edited 02-21-2020 07:03 PM
Good morning all-
I am working on an ASA 5510, running version 8.4. I am attempting something which I imagine would be straightforward, but having some issues.
I am configuring connection profiles for both client and clientless VPN on the ASA. I would like the client profiles (will be used with AnyConnect by our internal employees) to have the ability to select the connection profile on the login page. I am creating a subnet per business unit and using policies to restrict access to various servers. This radio button appears under the remote VPN page in the ASDM, I select it and problem solved, they see a drop-down box when using the AnyConnect client, select one and the appropriate IP pool is assigned.
Now, when I configure the clientless profiles (to be used by our external business clients), I do not want them to have the ability to select a profile. At least not the ability to see all the internal profiles I have created for our internal employees. It appears by selecting to enable this option within the "client access", it also enables it for the "clientless access". What am I missing in how I can prevent our external employees via SSL, from seeing the profiles I've created for our internal employees via the drop-down box? As I hinted to above, I am using the ASDM.
Any help would be appreciated-
Brian
07-29-2013 01:45 PM
Hi
Unfortunately that will not be possible since when you enable the option for users to select the connection profile it will be available for all connections. If this is not enabled the default policy will be selected so it is a must option to have selected.
What you can do is to create a group URL and map it to a specific connection profile so when users type in the full URL, e.g. https://my domain.com/external, it will take the user straight to the specific connection profile.
The downside of this setup is that if anyone types in the URL without the group URL, they will be taken to the default profile and can see the drop-down box with all the connection profiles.
Sent from Cisco Technical Support iPad App
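The downside described in this answer can be checked against a saved running-config. The following is an added example, not part of the thread: it reports which connection profiles appear in the login drop-down (those with an enabled `group-alias` while `tunnel-group-list enable` is set) and which are reachable only through a `group-url`. The profile names and the config excerpt are constructed for illustration.

```python
import re

# Constructed running-config excerpt; profile names and URL are assumptions.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 tunnel-group-list enable
tunnel-group Internal-Sales type remote-access
tunnel-group Internal-Sales webvpn-attributes
 group-alias Sales enable
tunnel-group Internal-IT type remote-access
tunnel-group Internal-IT webvpn-attributes
 group-alias IT enable
tunnel-group External type remote-access
tunnel-group External webvpn-attributes
 group-url https://remote.domain.com/access enable
"""

def audit_profiles(config):
    """Return (dropdown_enabled, {profile: {"alias": [...], "url": [...]}})."""
    dropdown, profiles, section = False, {}, ""
    for line in config.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level line opens a section
            section = line
            m = re.match(r"tunnel-group (\S+) ", section)
            if m:
                profiles.setdefault(m.group(1), {"alias": [], "url": []})
            continue
        if section == "webvpn" and line.split() == ["tunnel-group-list", "enable"]:
            dropdown = True
        owner = re.match(r"tunnel-group (\S+) webvpn-attributes$", section)
        entry = re.match(r"\s+group-(alias|url) (.+) enable$", line)
        if owner and entry:
            profiles[owner.group(1)][entry.group(1)].append(entry.group(2))
    return dropdown, profiles

def visible_in_dropdown(config):
    """Profiles shown to anyone who loads the base URL."""
    dropdown, profiles = audit_profiles(config)
    return sorted(n for n, p in profiles.items() if dropdown and p["alias"])

def url_only(config):
    """Profiles reachable through a group URL but absent from the drop-down."""
    _, profiles = audit_profiles(config)
    return sorted(n for n, p in profiles.items() if p["url"] and not p["alias"])
```
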
07-29-2013 02:21 PM
Jose,
Thank you for the information, I do see what you are referring to and was able to get this working. If this is the only option, I will go with it.
Thanks again-
Brian
07-29-2013 02:30 PM
Jose-
One other question, if I were to send external clients in through https://remote.domain.com/access and keep all internal employees at https://remote.domain.com, how would I prevent external clients from logging in to the specific profiles if they were to find the /access subdomain? Can I select which users are allowed to log in to each profile?
Brian
07-29-2013 03:09 PM
Hi
You can use the dynamic access policies to manage the access by connection profile and also other values. For example you can have one connection profile but use AD groups for each department and within each dynamic access policy you can always create access controls and assign bookmarks.
Please note that dynamic access policies are a very powerful and useful tool but require more caution when implementing, since criteria that match different DAPs will be assigned to that connection and sometimes you end up allowing or blocking traffic by mistake.
If you need more information please let me know
Sent from Cisco Technical Support iPad App
07-29-2013 08:22 PM
Jose-
You've been a great help, thank you for clearing these questions up for me.
Brian