08-14-2015 01:08 PM - edited 02-21-2020 08:24 PM
Hi,
I have two ASA firewalls running two VPNs - one for a clientless SSL WebVPN and the other for AnyConnect VPN. I am planning to combine these two VPN firewalls on a single ASA firewall, so this new firewall will be running both VPNs. Now, looking at the current config, I see these are the two global "webvpn" configurations. How can I combine these two on the new firewall? How would these be differentiated?
Clientless SSL WebVPN ASA config:
webvpn
enable eth0
smart-tunnel list AllExternalApplications All-Applications * platform windows
smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
Anyconnect VPN ASA config:
webvpn
enable eth0
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-64-3.1.09013-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 3
anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 4
anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
anyconnect enable
tunnel-group-list enable
The "webvpn" config in the group-policy should be fine, I think, as there will be separate group policies for each. Is there any other area of the config that may have some conflicts/issues when combining the two types of VPNs?
08-14-2015 02:27 PM
Yes, I believe you're right - I was just doing something similar on a client's ASA.
The group-policies will have one or the other vpn-tunnel-protocol method applied as an attribute.
I used the convention of giving each group-alias in the tunnel-group (connection profile) section a meaningful name to indicate clientless vs. AnyConnect client-based.
08-14-2015 02:54 PM
Hi Marvin, so it should be OK to combine these two under a single "webvpn" global config? Something like this...?
webvpn
enable eth0
smart-tunnel list AllExternalApplications All-Applications * platform windows
smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
anyconnect enable
tunnel-group-list enable
08-14-2015 08:56 PM
All except the "anyconnect-essentials" should be OK. That one disables any Premium licenses on the appliance.
You must use the Premium license in order to use the clientless features.
It's not a problem since all of the features available in the Essentials license are also available in Premium.
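The combined configuration the thread converges on, written out as an added example that is not part of any poster's reply: one global "webvpn" block without "anyconnect-essentials", plus one group-policy and one tunnel-group per VPN type so that the protocol restriction and the group-alias keep the two apart. The group-policy names, tunnel-group names and alias strings are hypothetical; the webvpn lines are taken from the configs posted above.

```cisco
! Added example. GP-*/TG-* names and alias strings are hypothetical.
webvpn
 enable eth0
 smart-tunnel list AllExternalApplications All-Applications * platform windows
 smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
 ! "anyconnect-essentials" is deliberately left out: per the thread it
 ! disables Premium licensing, which the clientless portal requires.
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-64-3.1.09013-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 3
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 4
 anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
 anyconnect enable
 tunnel-group-list enable
!
! Clientless users: browser portal only, no AnyConnect tunnel.
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
!
! AnyConnect users: SSL client tunnel only, no clientless portal.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value ABC-PRIV type user
!
! Connection profiles: the alias is what users see in the drop-down
! enabled by "tunnel-group-list enable", so name it after the VPN type.
tunnel-group TG-CLIENTLESS type remote-access
tunnel-group TG-CLIENTLESS general-attributes
 default-group-policy GP-CLIENTLESS
tunnel-group TG-CLIENTLESS webvpn-attributes
 group-alias Clientless-Portal enable
!
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias AnyConnect-Client enable
```

Restricting each group-policy to a single vpn-tunnel-protocol value also limits exposure: a clientless account cannot bring up a full tunnel, and an AnyConnect account cannot reach the portal's smart-tunnel lists.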