I'm looking to create a group that will route all traffic over an SSL VPN rather than split tunnelling.
So far I've created the following:
Define group policy:
group-policy SSL_VPN_ALL attributes
Define tunnel group:
tunnel-group SSL_VPN_ALL type remote-access
tunnel-group SSL_VPN_ALL general-attributes
username test123 password test123 encrypted
username test123 attributes
 group-lock value SSL_VPN_ALL
Attached is the config. Any ideas on how to finish this off would be much appreciated.
To my understanding, if you have not defined anything related to split tunnel or full tunnel, then by default the VPN connection will tunnel all destination networks.
Usually you configure this under the "group-policy" that the "tunnel-group" uses, with the command "split-tunnel-policy tunnelall".
When the VPN Client is connected you should find a "Route Details" section which should show "0.0.0.0 0.0.0.0" in the "Secured Routes" portion.
Is the VPN Client connection working at all, or is there some other kind of problem?
Under group policy I've added:
I'm happy with the above config, but when I test this out using Cisco AnyConnect from my web browser I don't see the "SSL_VPN_ALL" group in the dropdown menu. I only get the "Employee_VPN" group instead.
I do have split tunnelling with another group called Employee_VPN, which is more restrictive with ACLs etc.
Employee_VPN config below:
group-policy GroupPolicy_Employee-VPN internal
group-policy GroupPolicy_Employee-VPN attributes
 dns-server value *.*.*.*
 split-tunnel-network-list value sslvpn_split_tunnel
 default-domain value test123.com
 anyconnect profiles value employees_general type user
tunnel-group Employee-VPN type remote-access
tunnel-group Employee-VPN general-attributes
tunnel-group Employee-VPN webvpn-attributes
 group-alias Employee-VPN enable
Any ideas on how to get AnyConnect working with my test123 username?
Thanks in advance.
I think you probably need to configure the equivalent of the setting below for the new VPN:
tunnel-group SSL_VPN_ALL webvpn-attributes
 group-alias SSL_VPN_ALL enable
The name after "group-alias" can be something else as well.
Here is the section of the ASA command reference explaining the use of this command.
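The two replies above point at two separate pieces: "split-tunnel-policy tunnelall" in the group policy (so the client receives a 0.0.0.0/0 secured route) and "group-alias" in the tunnel group (so the profile appears in the AnyConnect dropdown). The following is an added, complete example tying them together; it is not the poster's attached config or anything from the thread. The pool name and range, the DNS server, the domain and the interface name are placeholders I chose, and the "webvpn" section assumes an ASA running 8.4 or later, which the "anyconnect profiles" command in the Employee-VPN config suggests.

```cisco
! Added example, not from the original thread. Pool, DNS, domain and
! interface values are placeholders.
ip local pool SSL_VPN_ALL_POOL 10.10.200.10-10.10.200.100 mask 255.255.255.0

! Group policy: tunnelall pushes a 0.0.0.0 0.0.0.0 secured route to the
! client, so every packet (including local LAN traffic) goes through the
! tunnel. No split-tunnel-network-list is needed for this policy.
group-policy SSL_VPN_ALL internal
group-policy SSL_VPN_ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.10.1.53
 default-domain value example.com

! Tunnel group: bind the address pool and the group policy, then publish
! an alias so the group can be selected in the AnyConnect dropdown.
tunnel-group SSL_VPN_ALL type remote-access
tunnel-group SSL_VPN_ALL general-attributes
 address-pool SSL_VPN_ALL_POOL
 default-group-policy SSL_VPN_ALL
tunnel-group SSL_VPN_ALL webvpn-attributes
 group-alias SSL_VPN_ALL enable

! Aliases are only offered to clients when the dropdown is enabled
! globally; without tunnel-group-list enable, no alias is shown at all.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

! Test user pinned to the full-tunnel group: group-lock rejects the login
! if the user selects any other tunnel group, such as Employee-VPN.
username test123 password test123
username test123 attributes
 vpn-group-policy SSL_VPN_ALL
 group-lock value SSL_VPN_ALL
```

After connecting as test123, the AnyConnect "Route Details" panel should list 0.0.0.0/0 under "Secured Routes", and "show vpn-sessiondb anyconnect filter name test123" on the ASA shows which group policy and tunnel group were actually applied to the session. If the dropdown is still missing the new group, check "show run webvpn" for "tunnel-group-list enable" first, since a correct group-alias does nothing without it.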