02-20-2016 02:14 AM
Hello!
Currently I am studying the documentation for the Cisco ASA ver 9.5. While studying the VPN section I ran into the following problem. The Cisco ASA configuration has two default connection profiles, the purpose of which I do not understand: DefaultRAGroup and DefaultWEBVPNGroup. The settings of these profiles contain three sections: general attributes, webvpn attributes and ipsec attributes. All parameters in each section are set identically for the DefaultRAGroup and DefaultWEBVPNGroup profiles. Question: what is the purpose of these two profiles (DefaultRAGroup and DefaultWEBVPNGroup), and of the webvpn-attributes and ipsec-attributes sections in each profile?
Thank you.
02-20-2016 06:28 AM
Hi There,
The WebVPN Group will be for services which can use the WebVPN portal, such as AnyConnect.
The DefaultRAGroup (Remote Access) is going to be for traditional IPSEC VPN.
You can create group-policies which combine various settings.
WebVPN attributes can be things like service profiles.
Typically you will see IPSEC attributes defined under a tunnel group - things like the pre-shared key for example.
Here is an example with IPSEC, note how the group policy is referenced by the tunnel-group:
group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol ikev1
 address-pools value MY-IP-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL-ACL
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key <your pre shared key>
Does this add some clarity?
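Added example (not part of the reply above and not Cisco's code): a small Python script that parses the configuration from the reply and resolves, for each tunnel-group, which attribute sections it defines, which group policy it references and which tunnel protocols that policy allows. The one-space indentation of sub-commands, the placeholder key and the function names are assumptions of this example.

```python
from collections import defaultdict
# Constructed sample: the reply's configuration with a placeholder pre-shared key.
SAMPLE = """\
group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol ikev1
 address-pools value MY-IP-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL-ACL
tunnel-group MY-VPN type ipsec-ra
tunnel-group MY-VPN general-attributes
 default-group-policy MY-VPN
tunnel-group MY-VPN ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-KEY
"""

def parse(config):
    """Collect sub-commands per group-policy and per tunnel-group section."""
    policies = defaultdict(list)
    groups = defaultdict(lambda: {"type": None, "sections": defaultdict(list)})
    target = []  # sink for sub-commands that belong to no tracked block
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace():  # indented line: sub-command of the current block
            target.append(line.strip())
            continue
        words, target = line.split(), []
        if words[0] == "group-policy" and words[2:3] == ["attributes"]:
            target = policies[words[1]]
        elif words[0] == "tunnel-group" and len(words) >= 3:
            group = groups[words[1]]
            if words[2] == "type" and len(words) > 3:
                group["type"] = words[3]
            elif words[2].endswith("-attributes"):
                target = group["sections"][words[2]]
    return policies, groups

def resolve(config):
    """Map each tunnel-group to the group policy and protocols it references."""
    policies, groups = parse(config)
    report = {}
    for name, group in groups.items():
        general = group["sections"].get("general-attributes", [])
        refs = [c.split()[1] for c in general if c.startswith("default-group-policy ")]
        policy = refs[-1] if refs else None  # None: not set in the parsed text
        protocols = [p for c in policies.get(policy, [])
                     if c.startswith("vpn-tunnel-protocol ") for p in c.split()[1:]]
        report[name] = {"type": group["type"], "sections": sorted(group["sections"]),
                        "group_policy": policy, "protocols": protocols}
    return report
```

Calling resolve(SAMPLE) returns one entry for MY-VPN, showing that the tunnel-group carries the general and ipsec sections while the permitted protocol comes from the referenced group policy.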
02-20-2016 07:50 AM
Hello David,
Thanks for the answer. I would like to clarify the following. Suppose I have three types of VPN clients: Cisco VPN clients, Anyconnect clients and clientless SSL VPN (WebVPN) clients. Let's say I configure a tunnel group My-VPN. In this group I set up three sub-sections:
- general-attributes where I configure general settings for clients of types;
- ipsec-attributes where I configure settings for (I think so but I'm not sure) Cisco VPN clients and Anyconnect clients;
- webvpn-attributes where I configure settings for (I think so but I'm not sure) clientless SSL VPN (WebVPN) clients.
Please tell me whether I'm right or wrong with respect to binding VPN client parameters (IPSec, AnyConnect and clientless) to the ipsec-attributes and webvpn-attributes of a connection profile.
Thanks in advance.