combining Anyconnect and clientless ssl webvpn

S891
Level 2

Hi,

I have two ASA firewalls and am running two VPNs - one for a clientless ssl webvpn and the other for Anyconnect vpn. I am planning to combine these two VPN firewalls on a single ASA firewall. So this new firewall will be running both VPNs. Now looking at the current config I see these are the two global "webvpn" configurations. How can I combine these two on the new firewall? How would these be differentiated?

Clientless SSL WebVPN ASA config:

webvpn
 enable eth0
 smart-tunnel list AllExternalApplications All-Applications * platform windows
 smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows

 

Anyconnect VPN ASA config:

webvpn        
 enable eth0  
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-64-3.1.09013-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 3
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 4
 anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
 anyconnect enable
 tunnel-group-list enable

 

The "webvpn" config in the group-policy should be fine, I think, as there will be separate group policies for each. Is there any other area of config that may have some conflicts/issues combining the two types of VPNs?

3 Replies

Marvin Rhoads
Hall of Fame

Yes, I believe you're right - I was just doing something similar on a client's ASA.

The group-policies will have one or the other vpn-tunnel-protocol method applied as an attribute.

I used the convention of giving each group-alias in the tunnel-group (connection profile) section a meaningful name to indicate clientless vs. AnyConnect client-based.

Hi Marvin, so it should be OK to combine these two under a single "webvpn" global config? Something like this ...?

webvpn
 enable eth0
 smart-tunnel list AllExternalApplications All-Applications * platform windows
 smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
 anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
 anyconnect enable
 tunnel-group-list enable

 

All except the "anyconnect-essentials" should be OK. That one disables any Premium licenses on the appliance.

You must use the Premium license in order to use the clientless features.

It's not a problem since all of the features available in the Essentials license are also available in Premium.