04-04-2013 02:08 PM
Hi,
I'm looking to create a group that will route all traffic over an SSL VPN rather than split tunnelling?
So far I've created the following:-
define group policy:
group-policy SSL_VPN_ALL attributes
vpn-tunnel-protocol svc
Define tunnel group:
tunnel-group SSL_VPN_ALL type remote-access
tunnel-group SSL_VPN_ALL general-attributes
address-pool sslvpn_pool1
default-group-policy SSL_VPN_ALL
User settings:
username test123 password test123 encrypted
username test123 attributes
vpn-group-policy SSL_VPN_ALL
group-lock value SSL_VPN_ALL
service-type remote-access
Attached is config. Any ideas on how to finish this off would be much appreciated.
cheers
04-04-2013 02:17 PM
Hi,
To my understanding if you have not defined anything related to Split Tunnel or Full Tunnel then by default the VPN connection will tunnel all destination networks.
Usually you configure this under the "group-policy" that the "tunnel-group" uses with command "split-tunnel-policy tunnelall"
When the VPN Client is connected you should find a "Route Details" section which should show "0.0.0.0 0.0.0.0" in the "Secured Routes" portion.
Is the VPN Client connection working at all or is there some other kind of problem?
- Jouni
04-08-2013 04:31 AM
Thanks Jouni.
Under group policy I've added :-
split-tunnel-policy tunnelall
split-tunnel-network-list none
I'm happy with the above config but when I test this out using Cisco Anyconnect from my web browser I don't see the "SSL_VPN_ALL" group from the dropdown menu. I only get the "Employee_VPN" group instead.
I do have split-tunneling with another group called Employee_VPN which is more restrictive with ACLs etc.
Employee_VPN conf below:
group-policy GroupPolicy_Employee-VPN internal
group-policy GroupPolicy_Employee-VPN attributes
wins-server none
dns-server value *.*.*.*
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sslvpn_split_tunnel
default-domain value test123.com
split-tunnel-all-dns disable
webvpn
anyconnect profiles value employees_general type user
tunnel-group Employee-VPN type remote-access
tunnel-group Employee-VPN general-attributes
address-pool sslvpn_pool1
default-group-policy GroupPolicy_Employee-VPN
tunnel-group Employee-VPN webvpn-attributes
group-alias Employee-VPN enable
Any ideas on how to get AnyConnect working with my test123 username?
Thanks in advance.
04-08-2013 05:37 AM
Hi,
I think you probably need to configure an equivalent configuration for the new VPN compared to the below setting
tunnel-group SSL_VPN_ALL webvpn-attributes
group-alias SSL_VPN_ALL enable
The name after "group-alias" can be something else also.
Here is the section of the ASA command reference explaining the use of this command.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1777333
- Jouni
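Jouni's two points (a group-policy that forces full tunnelling, and a group-alias so the tunnel-group appears in the AnyConnect dropdown) can be checked against a saved running-config. The audit below is an added example, not code from this thread or from Cisco; it runs over a constructed config using the thread's names and assumes the ASA's one-space indentation of sub-commands.

```python
# Constructed sample ASA running-config (thread's names, nothing real); sub-commands are indented one space.
SAMPLE_CONFIG = """\
group-policy GroupPolicy_Employee-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpn_split_tunnel
group-policy SSL_VPN_ALL attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
tunnel-group Employee-VPN type remote-access
tunnel-group Employee-VPN general-attributes
 default-group-policy GroupPolicy_Employee-VPN
tunnel-group Employee-VPN webvpn-attributes
 group-alias Employee-VPN enable
tunnel-group SSL_VPN_ALL type remote-access
tunnel-group SSL_VPN_ALL general-attributes
 default-group-policy SSL_VPN_ALL
"""

def parse_sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue                     # skip blank lines
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_remote_access(config):
    """Per remote-access tunnel-group: enabled group-alias (needed for the AnyConnect
    dropdown), the group-policy it uses, and whether that policy is full-tunnel."""
    sections = parse_sections(config)
    report = {}
    for header in sections:
        words = header.split()
        if words[:1] != ["tunnel-group"] or words[2:] != ["type", "remote-access"]:
            continue
        name = words[1]
        general = sections.get(f"tunnel-group {name} general-attributes", [])
        webvpn = sections.get(f"tunnel-group {name} webvpn-attributes", [])
        policy = next((sub.split()[-1] for sub in general
                       if sub.startswith("default-group-policy ")), None)
        attrs = sections.get(f"group-policy {policy} attributes", [])
        alias = any(sub.split()[:1] == ["group-alias"] and sub.endswith(" enable") for sub in webvpn)
        report[name] = {"group_alias": alias, "group_policy": policy,
                        "tunnelall": "split-tunnel-policy tunnelall" in attrs}
    return report
```

On the sample, SSL_VPN_ALL is reported as full-tunnel but without a group-alias, which is exactly why it is missing from the dropdown.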