Thanks a lot Gustavo. Couple of days back I was searching thourgh NetPro forum for this and I found the solution which is almost like this one. Thanks you very much for posting this to me which is very exact to my configuration.

However, I really didn't understand this solution completly. As per my understanding, if we have LDAP-Attribute-MAP and if we do not assign NO-ACCESS policy to PROFILE then ---> SSL VPN will authenticate user who are matched via LDAP-Attribute-MAP + all the user on that LDAP server.... thats what I found out. In order to allow only the LDAP-Attribute-MAP user ---> we need that NO-ACCESS...isn't it??

I also have some more queries. If you could have some time and answer my queries, it would be very helpful for me.

1) Should I assign POOL IP for SSL user. What would be the pros/cons if I use or not use it? I mean what would be the scalable solution for future regarding use/ not user POOL IP for SSL user.

2) Can I use 2 or mor LDAP server for redandency?

3) Can you give me an idea with an example when do I need different PROFILE for SSL VPN?

4) What is the exact requirement of SMART TUNNEL?

It would be helpful If you can give me some idea about my queries. Thanks again for you answer.

BR//

Adnan

You got it! what happens is that the attribute-mapping takes precedence over what you define as the "default-group-policy" under the tunnel-group but if a user comes in and does not hit any of the map-values you previously defined on the mapping then it will fall back to the "default-group-policy".

In your case even when users were not hitting this:

map-value memberOf "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2

They still had:

tunnel-group WEB-VPN-TEST-PROFILE2 general-attributes

default-group-policy WEB-VPN-TEST2

So they were able to get that group-policy, with the new config you implemented just the users that hit the map-value will get that group-policy if a user has a different memberOf it will fallback to the NOACCESS group which has vpn-simultaneous logins 0 and the connection will not be allowed.

1) SSL users (clientless) do not require a pool as the ASA is not assigning any IP to them but just acting as a proxy and re-writing all the information from the client that is using the WebVPN Portal in order to reach internal resources. That's why WebVPN users don't have full IP connectivity. On the other hand if you want to use the Anyconnect Secure Mobility Client then this will behave just like the legacy VPN client and will require an IP address to be assigned by the headend so it can have full ip connectivity to your internal network.

2) Absolutely, all you nee to to is to define more hosts on the same aaa-server config.

3) Not sure about the question, do you mean that why would you use more than one connection profile for ssl? well it depends on your requirements you for example some users need to have certificate authentication and some other maybe need to authenticate just via ldap. Many reasons...

4-) Like I said above, when using clientless the ASA acts as a proxy and re-writes all the information as it goes through it, some applications have some issues with this re-write process so the smart-tunnel does like a direct connection between the client and the application bypassing some re-write processes.

Hope this helps...

Dear Gustavo,

Thanks a lot for answering my queries. I understand your explanation 1, 2 and 4, and it was really helpful for me. However regarding 3, what I mean and what I am trying to achieve is explained below,

We are only authenticating our user via LDAP server and no authorization from LDAP. There are several groups (DBA, SYSTEM, TECHNICAL, NETWORKS, HR, FINANCE etc) and we want to give different access to different groups of people.

For this I create 2 groups in LDAP and 2 groups in ASA. Later I bind the LDAP group with ASA using LDAP-Attribute-MAP. I am still using the same Connection-Profile (WEB-VPN-TEST2) and bind NOACCESS group policy as its default policy. User in group1 can access to only group1 and user in group2 can access only group2. It is working fine so far. Below is what I have done,-

User == LDAP GROUP == ASA GROUP == BOOKMARK == WEBACL == CUSTOMIZATION

User1 = LDAPGRP1 == ASAGRP1 == BM1 =========== WEBACL1 == CUST1

User2 = LDAPGRP2 == ASAGRP2 == BM2 =========== WEBACL2 == CUST2

Please suggest me if it is the best practice to follow to meet my requirement or is there any other easy/better way to do it.

I also have some few queries (it might sound silly) to you,

5) What is the preference between WEBACL & Bookmark? or What is the exact relation between them?

6) Some user wants to use SecureShell, Reflection, Todd tools. Is there any way to integrate them as plugin?

7) When using via LAN some of my application allow us login automatically? How can I achieve this?? Can I achieve this via SSO? If not then how we can implement this facilities?

I would be glad if you can share me you suggestions or opinion regarding this. Thanks for you r cordial support so far. Thanks again.

BR//

Adnan

No problem Adnan,

Actually yes that's a really good practice, to have  just one tunnel-group and multiple group-policies that get assigned to  the users depending on one of his ldap attributes, "memberOf" in your  case.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml.

You  can also use Dynamic Access Policies (DAP) which is more flexible to  assign different values to the users such as WebACLs, Bookmarks but with  DAP you don't have all the values to assign that you have with a  Group-Policy, there is an enhancement request for this and probably with  the next generation of DAP will include all the group-policy  attributes.

http://www.cisco.com/en/US/partner/products/ps6120/products_white_paper09186a00809fcf38.shtml

5) There is no preference, Web Access control lists  filter internet  traffic for clientless users. The ACLs table displays  the filters  configured on the security appliance and the access control  entries  (ACEs) for each ACL. Each ACL permits or denies access to  specific  networks, subnets, hosts, and web servers; the ACE specifies  one rule  for the ACL. If you have a bookmark to an specific weppage for  example and that webpage is denied by a WebACL then the bookmark will  be grayed out.

6) All 3rd-party plugins must be re-packaged before  they can be imported  and used by the ASA. For plugins not requiring  licensing  and which can be distributed (RDP,  VNC, and SSH,telnet),  Cisco  will pre-package these and make them  available on cisco.com.  Other plugins are not supported, but you cans use Smart-Tunnel for the  applications you need, not sure what those apps you mention are but prob  you can use a smart-tunnel for that application process.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1127377

7) Yes, most likely you can use Auto-signon to pass the webportal credentials to these applications.

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/vpn_asdm_clientless_ssl.html#wp1053542

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1021966

Regards,