08-14-2015 01:08 PM - edited 02-21-2020 08:24 PM
Hi,
I have two ASA firewalls and am running two VPNs - one for a clientless SSL WebVPN and the other for AnyConnect VPN. I am planning to combine these two VPN firewalls on a single ASA firewall. So this new firewall will be running both VPNs. Now looking at the current config I see these are the two global "webvpn" configurations. How can I combine these two on the new firewall? How would these be differentiated?
Clientless SSL WebVPN ASA config:
webvpn
enable eth0
smart-tunnel list AllExternalApplications All-Applications * platform windows
smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
Anyconnect VPN ASA config:
webvpn
enable eth0
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-64-3.1.09013-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 3
anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 4
anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
anyconnect enable
tunnel-group-list enable
The "webvpn" config in the group-policy should be fine, I think, as there will be separate group policies for each. Is there any other area of config that may have some conflicts/issues combining the two types of VPNs?
08-14-2015 02:27 PM
Yes, I believe you're right - I was just doing something similar on a client's ASA.
The group-policies will have one or the other vpn-tunnel-protocol method applied as an attribute.
I used the convention of giving each group-alias in the tunnel-group (connection profile) section a meaningful name to indicate clientless vs. AnyConnect client-based.
08-14-2015 02:54 PM
Hi Marvin, so it should be OK to combine these two under a single "webvpn" global config? Something like this...?
webvpn
enable eth0
smart-tunnel list AllExternalApplications All-Applications * platform windows
smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 1
anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
anyconnect enable
tunnel-group-list enable
08-14-2015 08:56 PM
All except the "anyconnect-essentials" should be OK. That one disables any Premium licenses on the appliance.
You must use the Premium license in order to use the clientless features.
It's not a problem since all of the features available in the Essentials license are also available in Premium.
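The merge discussed in this thread, as an added Python sketch (not posted by any participant and not Cisco tooling): it combines the two global "webvpn" stanzas, drops duplicate sub-commands, and removes "anyconnect-essentials" when clientless sub-commands are present, as the last reply advises. The helper names and the choice of "smart-tunnel" as the only clientless marker are assumptions.

```python
# Added example: merge two global "webvpn" stanzas from the thread and flag
# the licensing conflict. merge_webvpn() is a hypothetical helper name.

CLIENTLESS = """\
webvpn
 enable eth0
 smart-tunnel list AllExternalApplications All-Applications * platform windows
 smart-tunnel list WEBVPN GALAXY www.GALAXY.edu platform windows
"""

ANYCONNECT = """\
webvpn
 enable eth0
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 4
 anyconnect profiles ABC-PRIV disk0:/abc-priv.xml
 anyconnect enable
 tunnel-group-list enable
"""

# Sub-commands that indicate clientless use (needs Premium per the thread).
# Assumption: smart-tunnel is the only clientless marker checked here.
CLIENTLESS_MARKERS = ("smart-tunnel ",)


def subcommands(stanza):
    """Return the sub-commands of one 'webvpn' stanza, whitespace-normalised."""
    lines = [" ".join(l.split()) for l in stanza.splitlines() if l.strip()]
    if not lines or lines[0] != "webvpn":
        raise ValueError("stanza must start with 'webvpn'")
    return lines[1:]


def merge_webvpn(*stanzas):
    """Merge stanzas in order, dropping duplicates; return (config, warnings)."""
    merged, warnings = [], []
    for stanza in stanzas:
        for cmd in subcommands(stanza):
            if cmd not in merged:
                merged.append(cmd)
    uses_clientless = any(c.startswith(CLIENTLESS_MARKERS) for c in merged)
    if uses_clientless and "anyconnect-essentials" in merged:
        merged.remove("anyconnect-essentials")
        warnings.append("dropped 'anyconnect-essentials': it disables Premium, "
                        "which the clientless features need")
    return "webvpn\n" + "".join(f" {c}\n" for c in merged), warnings
```

Calling `merge_webvpn(CLIENTLESS, ANYCONNECT)` returns the combined stanza plus one warning; review the result against the appliance's installed licenses before applying it.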