ASA IPSEC vs SSL VPN

arrayservices
Level 1

Good morning all-

I am working on an ASA 5510, running version 8.4. I am attempting something which I imagine would be straightforward, but I am having some issues.

I am configuring connection profiles for both client and clientless VPN on the ASA. I would like the client profiles (which will be used with AnyConnect by our internal employees) to have the ability to select the connection profile on the login page. I am creating a subnet per business unit and using policies to restrict access to various servers. This radio button appears under the remote VPN page in the ASDM; I select it and the problem is solved: they see a drop-down box when using the AnyConnect client, select one, and the appropriate IP pool is assigned.

Now, when I configure the clientless profiles (to be used by our external business clients), I do not want them to have the ability to select a profile. At least not the ability to see all the internal profiles I have created for our internal employees. It appears that by selecting to enable this option within the "client access", it also enables it for the "clientless access". What am I missing in how I can prevent our external employees via SSL from seeing, in the drop-down box, the profiles I've created for our internal employees? As I hinted above, I am using the ASDM.

Any help would be appreciated-

Brian

Accepted Solution

jose.vieira525
Level 1

Hi

Unfortunately that will not be possible, since when you enable the option for users to select the connection profile it will be available for all connections. If this is not enabled the default policy will be selected, so it is an option you must have selected.
What you can do is to create a group URL and map it to a specific connection profile, so when users type in the full URL, e.g. https://my domain.com/external, it will take the user straight to the specific connection profile.

The downside of this setup is that if anyone types in the URL without the group URL, they will be taken to the default profile and can see the drop-down box with all the connection profiles.


Sent from Cisco Technical Support iPad App
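The group-URL approach from this answer, written out as ASA 8.4 CLI. This is an added example, not configuration from the thread; the profile names, pool, group policies and the URL are assumptions.

```cisco
! Added example, not from the original thread. Profile names, group
! policies, the address pool and remote.domain.com are assumptions.
webvpn
 enable outside
 ! ASDM "allow user to select connection profile" option. It applies to
 ! both AnyConnect and clientless logins, which is the behaviour the
 ! question describes.
 tunnel-group-list enable

ip local pool POOL-ENGINEERING 10.10.1.1-10.10.1.254 mask 255.255.255.0

group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client

group-policy GP-EXTERNAL internal
group-policy GP-EXTERNAL attributes
 vpn-tunnel-protocol ssl-clientless

! Internal AnyConnect profile: its group-alias is what makes it appear
! in the drop-down list of connection profiles.
tunnel-group INTERNAL-ENGINEERING type remote-access
tunnel-group INTERNAL-ENGINEERING general-attributes
 address-pool POOL-ENGINEERING
 default-group-policy GP-ENGINEERING
tunnel-group INTERNAL-ENGINEERING webvpn-attributes
 group-alias Engineering enable

! External clientless profile: reached only through its group-url and
! given no group-alias, so it is not offered in the drop-down list.
! Caveat from the answer: a browser opened at https://remote.domain.com/
! with no path still lands on the default profile and still sees the
! list of aliased profiles, so this hides the external profile but does
! not hide the internal ones. Restricting who may log in to each profile
! is a separate control (see the DAP discussion later in the thread).
tunnel-group EXTERNAL type remote-access
tunnel-group EXTERNAL general-attributes
 default-group-policy GP-EXTERNAL
tunnel-group EXTERNAL webvpn-attributes
 group-url https://remote.domain.com/access enable
```

To confirm which profiles are listed and which are URL-only, review the `group-alias` and `group-url` lines in `show running-config tunnel-group`.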

5 Replies

Jose,

Thank you for the information, I do see what you are referring to and was able to get this working. If this is the only option, I will go with it.

Thanks again-

Brian

Jose-

One other question, if I were to send external clients in through https://remote.domain.com/access and keep all internal employees at https://remote.domain.com, how would I prevent external clients from logging in to the specific profiles if they were to find the /access subdomain? Can I select which users are allowed to login to each profile?

Brian

Hi

You can use the dynamic access policies to manage the access by connection profile and also other values. For example you can have one connection profile but use AD groups for each department and within each dynamic access policy you can always create access controls and assign bookmarks.

Please note that dynamic access policies are a very powerful and useful tool but require more caution when implementing, since criteria that match different DAPs will be assigned to that connection and sometimes you end up allowing or blocking traffic by mistake.

If you need more information, please let me know.



Sent from Cisco Technical Support iPad App

Jose-

You've been a great help, thank you for clearing these questions up for me.

Brian
