cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
160
Views
0
Helpful
2
Replies
Highlighted
Beginner

Cisco ASA 5500-X connection profile

Hello!
Currently I am studying the documentation for the Cisco ASA ver 9.5. In studying the section VPN I faced with the following problem. In the configuration Cisco ASA has two default profile connection, the purpose of which I do not understand. It is DefaultRAGroup and DefaultWEBVPNGroup. The settings of these profiles contain three sections: general attributes, webvpn attributes and ipsec attributes. All parameters in each section for DefaultRAGroup and DefaultWEBVPNGroup profiles is set identically. Question: What is the purpose of these two profiles (DefaultRAGroup and DefaultWEBVPNGroup) and sections vebvpn-attributes and ipsets-attributes is in each profile.
Thank you.

2 REPLIES 2
Highlighted
Beginner

Hi There,

Hi There,

The WebVPN Group will be for services which can use the WebVPN portal, such as AnyConnect

The DefaultRAGroup (Remote Access) is going to be for traditional IPSEC VPN

You can create group-policies which combine various settings

WebVPN atributes can be things like service profiles

Typically you will see  IPSEC attributes  defined under a tunnel group -  things like the pre-shared key for example.

Here is an example with IPSEC, note how the group policy is referenced by the tunnel-group:

group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol ikev1
 address-pools value MY-IP-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL-ACL
 
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key <your pre shared key>

Does this add some clarity?

Highlighted
Beginner

Hello David,

Hello David,

Thanks for the answer. I would like to clarify the following. Suppose I have three types of VPN clients: Cisco VPN clients, Anyconnect clients and clientless SSL VPN (WebVPN) clients. Let's say I configure a tunnel group My-VPN. In this group I set up three sub-sections:

- general-attributes where I configure general settings for clients of types;

- ipsec-attributes where I configure settings for (I think so but I'm not sure) Cisco VPN clients and Anyconnect clients;

- webvpn-attributes where I configure settings for (I think so but I'm not sure) clientless SSL VPN (WebVPN) clients.

Please tell me whether I'm right or wrong with respect to binding VPN clients parameters (IPSec, AnyConnect and cleintless) to ipsec-attributes and webvpn-attributes of connection profile.

Thanks in advance.