Cisco ASA Clientless SSL VPN Apply Tunnel Group

a.mirkhan562345
Level 1

I'm trying to implement the answer from a previous question I've asked (Cisco ASA Clientless SSL VPN Restrict Network Access).

My ultimate aim is to set up an SSL VPN on a Cisco ASA device to allow access to a specific DMZ area for clients of an imaginary company (uni project).

I've added the below lines to the config but I'm stuck with how to "apply" or "enable" this tunnel group separately from the default webvpn enabled in the first lines. Do I apply it to the outside interface somehow, or is it something to do with the IP Address/URL that the user uses to access the service?

webvpn
 enable outside
 exit

access-list CLIENT-VPN-LIST extended permit tcp object net-outside object net-dmz-client-server eq 3389
access-list CLIENT-VPN-LIST extended deny ip any any

group-policy CLIENT-VPN-POLICY internal
group-policy CLIENT-VPN-POLICY attributes
 vpn-filter value CLIENT-VPN-LIST

tunnel-group CLIENT-VPN-GROUP type webvpn
tunnel-group CLIENT-VPN-GROUP general-attributes
 authorization-required
 default-group-policy CLIENT-VPN-POLICY

Edited to remove various outputs requested to help me get things correct that will only make this question confusing.

1 Reply

Hi @a.mirkhan562345, there are a couple of different ways to do this.

You could either use a group-url or group-alias and get the users to select which tunnel group to connect to. Examples of both:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
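The two options from the reply, applied to the CLIENT-VPN-GROUP from the question. This is an added example, not part of the original posts or the linked Cisco document; the hostname vpn.example.com, the /clients path and the alias name Clients are placeholders.

```cisco
! Option 1: group-url. A user who browses to this exact URL is placed
! in CLIENT-VPN-GROUP without having to choose anything.
tunnel-group CLIENT-VPN-GROUP webvpn-attributes
 group-url https://vpn.example.com/clients enable

! Option 2: group-alias. The alias appears in a drop-down on the login
! page, which is only shown once tunnel-group-list is enabled.
tunnel-group CLIENT-VPN-GROUP webvpn-attributes
 group-alias Clients enable
webvpn
 tunnel-group-list enable

! Check which tunnel group and group policy a session actually received.
show running-config tunnel-group CLIENT-VPN-GROUP
show vpn-sessiondb webvpn
```

A login that matches neither a group-url nor a selected alias lands in DefaultWEBVPNGroup, so CLIENT-VPN-POLICY is not applied to it. Confirm the Tunnel Group and Group Policy fields in the session output before relying on the restriction.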