Currently I am studying the documentation for the Cisco ASA ver 9.5. In studying the VPN section I was faced with the following problem. In its configuration the Cisco ASA has two default connection profiles, the purpose of which I do not understand: DefaultRAGroup and DefaultWEBVPNGroup. The settings of these profiles contain three sections: general attributes, webvpn attributes and ipsec attributes. All parameters in each section for the DefaultRAGroup and DefaultWEBVPNGroup profiles are set identically. Question: What is the purpose of these two profiles (DefaultRAGroup and DefaultWEBVPNGroup), and of the webvpn-attributes and ipsec-attributes sections in each profile?
The WebVPN Group will be for services which can use the WebVPN portal, such as AnyConnect.
The DefaultRAGroup (Remote Access) is going to be for traditional IPSEC VPN.
You can create group-policies which combine various settings.
WebVPN attributes can be things like service profiles.
Typically you will see IPSEC attributes defined under a tunnel group - things like the pre-shared key, for example.
Here is an example with IPSEC, note how the group policy is referenced by the tunnel-group:
group-policy MY-VPN internal
group-policy MY-VPN attributes
 address-pools value MY-IP-POOL
 split-tunnel-network-list value VPN-SPLIT-TUNNEL-ACL
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key <your pre shared key>
Does this add some clarity?
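As an added example (not part of the posts above), the tunnel-group to group-policy binding can be audited from a saved configuration. The script assumes the usual running-config layout with sub-commands indented by one space, and that a tunnel-group without `default-group-policy` falls back to the built-in DfltGrpPolicy; the sample config and the OTHER-VPN group are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (not from a real device), modelled on the answer's example.
SAMPLE_CONFIG = """\
group-policy MY-VPN internal
group-policy MY-VPN attributes
 address-pools value MY-IP-POOL
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OTHER-VPN type remote-access
tunnel-group OTHER-VPN webvpn-attributes
 group-alias OTHER enable
"""

HEADER = re.compile(r"^tunnel-group (\S+) (type \S+|\S+-attributes)$")

def parse_tunnel_groups(config):
    """Return {name: {"type": str or None, "sections": {section: [commands]}}}."""
    groups = defaultdict(lambda: {"type": None, "sections": {}})
    current = []  # command list of the section being read (throwaway if not a tunnel-group)
    for line in config.splitlines():
        if line.startswith(" "):  # indented line: sub-command of the current section
            current.append(line.strip())
            continue
        current = []
        m = HEADER.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        if rest.startswith("type "):
            groups[name]["type"] = rest.split()[1]
        else:
            current = groups[name]["sections"].setdefault(rest, [])
    return dict(groups)

def audit(config):
    """Map each tunnel-group to its group policy and note IKEv1 pre-shared-key use."""
    report = {}
    for name, tg in parse_tunnel_groups(config).items():
        sec = tg["sections"]
        policy = next((c.split()[1] for c in sec.get("general-attributes", [])
                       if c.startswith("default-group-policy ")), "DfltGrpPolicy")
        psk = any(c.startswith("ikev1 pre-shared-key") for c in sec.get("ipsec-attributes", []))
        report[name] = {"policy": policy, "sections": sorted(sec), "ikev1_psk": psk}
    return report
```

Calling `audit()` on a saved configuration shows which connection profiles inherit DfltGrpPolicy rather than an explicit policy, and which still carry an IKEv1 pre-shared key.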
Thanks for the answer. I would like to clarify the following. Suppose I have three types of VPN clients: Cisco VPN clients, AnyConnect clients and clientless SSL VPN (WebVPN) clients. Let's say I configure a tunnel group My-VPN. In this group I set up three sub-sections:
- general-attributes where I configure general settings for clients of types;
- ipsec-attributes where I configure settings for (I think so but I'm not sure) Cisco VPN clients and AnyConnect clients;
- webvpn-attributes where I configure settings for (I think so but I'm not sure) clientless SSL VPN (WebVPN) clients.
Please tell me whether I'm right or wrong with respect to binding VPN client parameters (IPSec, AnyConnect and clientless) to the ipsec-attributes and webvpn-attributes of a connection profile.
Thanks in advance.