Create a group that will route all networks across the SSL VPN instead of split tunneling

paulwoodsy
Level 1

Hi,

I'm looking to create a group that will route all traffic over an SSL VPN rather than split tunnelling.

So far I've created the following:

Define group policy:

group-policy SSL_VPN_ALL internal
group-policy SSL_VPN_ALL attributes
 vpn-tunnel-protocol svc

Define tunnel group:

tunnel-group SSL_VPN_ALL type remote-access
tunnel-group SSL_VPN_ALL general-attributes
 address-pool sslvpn_pool1
 default-group-policy SSL_VPN_ALL

User settings:

username test123 password test123 encrypted
username test123 attributes
 vpn-group-policy SSL_VPN_ALL
 group-lock value SSL_VPN_ALL
 service-type remote-access

Attached is the config. Any ideas on how to finish this off would be much appreciated.

cheers

3 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding if you have not defined anything related to Split Tunnel or Full Tunnel then by default the VPN connection will tunnel all destination networks.

Usually you configure this under the "group-policy" that the "tunnel-group" uses, with the command "split-tunnel-policy tunnelall".

When the VPN Client is connected you should find a "Route Details" section which should show "0.0.0.0 0.0.0.0" in the "Secured Routes" portion.

Is the VPN Client connection working at all, or is there some other kind of problem?

- Jouni

Thanks Jouni.

Under group policy I've added:

 split-tunnel-policy tunnelall
 split-tunnel-network-list none

I'm happy with the above config, but when I test this out using Cisco AnyConnect from my web browser I don't see the "SSL_VPN_ALL" group in the dropdown menu. I only get the "Employee_VPN" group instead.

I do have split-tunneling with another group called Employee_VPN, which is more restrictive with ACLs etc.

Employee_VPN config below:

group-policy GroupPolicy_Employee-VPN internal
group-policy GroupPolicy_Employee-VPN attributes
 wins-server none
 dns-server value *.*.*.*
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpn_split_tunnel
 default-domain value test123.com
 split-tunnel-all-dns disable
 webvpn
  anyconnect profiles value employees_general type user
tunnel-group Employee-VPN type remote-access
tunnel-group Employee-VPN general-attributes
 address-pool sslvpn_pool1
 default-group-policy GroupPolicy_Employee-VPN
tunnel-group Employee-VPN webvpn-attributes
 group-alias Employee-VPN enable

Any ideas on how to get AnyConnect working with my test123 username?

Thanks in advance.

Hi,

I think you probably need to configure an equivalent configuration for the new VPN compared to the below setting:

tunnel-group SSL_VPN_ALL webvpn-attributes
 group-alias SSL_VPN_ALL enable

The name after "group-alias" can be something else also.

Here is the section of the ASA command reference explaining the use of this command.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1777333

- Jouni
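As an added check that is not part of this thread, here is a small Python script that parses a constructed ASA-style config (modelled on the snippets above, not a real device dump) and reports, for each tunnel-group, which group-alias names are enabled and which split-tunnel policy its default group-policy gives clients. A tunnel-group with no enabled alias is exactly the "missing from the dropdown" situation above; the script assumes the ASA default of tunnelall when a group-policy sets no split-tunnel-policy and DfltGrpPolicy is untouched.

```python
import re

# Constructed sample, modelled on the thread's snippets (not a real device dump).
SAMPLE_CONFIG = """\
group-policy GroupPolicy_Employee-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpn_split_tunnel
group-policy SSL_VPN_ALL attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
tunnel-group Employee-VPN general-attributes
 default-group-policy GroupPolicy_Employee-VPN
tunnel-group Employee-VPN webvpn-attributes
 group-alias Employee-VPN enable
tunnel-group SSL_VPN_ALL general-attributes
 default-group-policy SSL_VPN_ALL
"""

def parse_sections(config):
    """Group indented sub-commands under their group-policy / tunnel-group header."""
    sections, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^(group-policy|tunnel-group) (\S+) (\S+)", line)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            sections.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return sections

def audit(config):
    """Per tunnel-group: enabled login-page aliases and the split-tunnel policy clients get.
    Assumption: a policy that sets nothing inherits tunnelall from an untouched DfltGrpPolicy."""
    sections = parse_sections(config)
    policies = {n: c.split()[1] for (k, n, _), cmds in sections.items() if k == "group-policy"
                for c in cmds if c.startswith("split-tunnel-policy ")}
    report = {}
    for (kind, name, _), cmds in sections.items():
        if kind != "tunnel-group":
            continue
        entry = report.setdefault(name, {"aliases": [], "policy": "tunnelall"})
        for c in cmds:
            if c.startswith("default-group-policy "):
                entry["policy"] = policies.get(c.split()[1], "tunnelall")
            elif c.startswith("group-alias ") and c.endswith(" enable"):
                entry["aliases"].append(c.split()[1])
    return report
```

Run `audit(SAMPLE_CONFIG)` and any tunnel-group whose "aliases" list is empty will never be offered to AnyConnect users, regardless of how its group-policy is set.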
