
Disabling clientless/browser based VPN.

Cisco Freak
Level 4

Hi Guys,

I want to disable the clientless VPN access in our ASA.

I saw this configuration in ASA:

webvpn
enable outside
enable inside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.0202-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 3
svc enable
tunnel-group-list enable

I disabled Webvpn with the 'no webvpn' command, but it looks like that disabled all VPN access, both clientless and with the client.

Can anyone please help me with this?

CF

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi,

By default, you would not be able to access clientless VPN as you have enabled anyconnect-essentials in the config.

So if you need to disable webvpn access, you need to allow only the ssl-client protocol under the group-policy config.

Check out this config:

ASA-SSLVPN(config)# group-poli
ASA-SSLVPN(config)# group-policy SSLVPN_ASA internal
ASA-SSLVPN(config)# group-policy SSLVPN_ASA attributes
ASA-SSLVPN(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-SSLVPN(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ?

group-policy mode commands/options:
  ikev1           IKE version 1
  ikev2           IKE version 2
  l2tp-ipsec      L2TP using IPSec for security
  ssl-client      SSL VPN Client
  ssl-clientless  SSL Clientless VPN

ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ssl-client

But since you have anyconnect-essentials enabled under the webvpn config, you would have no access to clientless VPN.

It would only let you access AnyConnect client services.

Regards,

Aditya

Please rate helpful posts and mark correct answers.


7 Replies


Thanks Aditya!

Can you please share more details about 'anyconnect-essentials' command?

CF

The initial configuration you posted has the command "anyconnect-essentials".

The purpose of that command is to enable only the client-based AnyConnect remote access VPN. It disables the clientless sort that is licensed with the AnyConnect Premium (old name) or Apex (new name) license type.

Either method still provides a "home page" to login to the VPN. Thus they generally require "webvpn". (There is a method to use AnyConnect without SSL and instead use IKEv2 exclusively but we will not discuss that for now.)

The difference is with essentials, the home page serves only to authenticate you and launches the AnyConnect client software to manage the VPN connection. With premium, you have the option of also using the clientless VPN wherein there are resources (links to internal web pages, ability to browse file systems, launch RDP sessions on the remote network etc.) presented within the browser window once you've been authenticated.

Hi Rhodes,

When I check the sessions connected, I see connections are showing as clientless:

vpn# sh run webvpn
webvpn
enable outside
enable inside
anyconnect-essentials

vpn# sh vpn-sessiondb svc

Session Type: SVC

Username : x Index : 2082
Assigned IP : x.x.x.x Public IP : x.x.x.x
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : AES256 Hashing : SHA1
Bytes Tx : 197476233 Bytes Rx : 26429696

This is confusing!

CF

Hi,

This is an expected behaviour.

If you launch Anyconnect via Web-launch you would see a Clientless tunnel being built:

Check this link:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html

Look for AnyConnect Connected via Web-launch example.

Hope it helps.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks Aditya!

steve.miller
Level 1

Under Remote Access VPN -> Network Client Access -> Group Policies, select the policy that is being used for your AnyConnect profile and make sure that under Tunneling Protocols you disable "Clientless SSL VPN" and enable SSL VPN Client, IPSEC v2 and L2TP/IPSEC. This will force your AnyConnect client to use IPSEC instead of SSL. You can also verify under AnyConnect Connection Profiles that only IPSEC access is enabled and not SSL. Also check the connection profile and verify that it is using the correct group policy with Clientless SSL VPN disabled. Additionally, you can check the box to shut down the portal page to completely close 443. Issuing the show asp table socket command, you should not see 443 listening on your outside interface.
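One way to audit this from a saved running config rather than clicking through ASDM, as an added example that is not from this thread or from Cisco: the Python below parses a constructed "show run" excerpt modelled on the one posted above and reports every group policy whose vpn-tunnel-protocol still includes ssl-clientless, noting whether anyconnect-essentials masks it as Aditya described. The config text, function names and the "findings" wording are all my own assumptions.

```python
import re

# Constructed sample modelled on the thread's "sh run webvpn" output, plus two group
# policies: one still permits ssl-clientless, the other is ssl-client only.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 enable inside
 anyconnect-essentials
group-policy SSLVPN_ASA internal
group-policy SSLVPN_ASA attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy ADMIN_GP internal
group-policy ADMIN_GP attributes
 vpn-tunnel-protocol ssl-client
"""

def parse_asa_config(text):
    """Return ({'interfaces': [...], 'essentials': bool}, {policy: set(protocols)})."""
    webvpn = {"interfaces": [], "essentials": False}
    policies = {}
    section = None  # "webvpn", or the name of the group-policy whose attributes we are in
    for line in filter(None, map(str.rstrip, text.splitlines())):
        if not line.startswith(" "):  # an unindented line starts a new top-level section
            m = re.match(r"group-policy (\S+) attributes$", line)
            section = "webvpn" if line == "webvpn" else (m.group(1) if m else None)
            if m:
                policies.setdefault(m.group(1), set())
            continue
        tokens = line.split()
        if section == "webvpn":
            if tokens[0] == "enable" and len(tokens) > 1:
                webvpn["interfaces"].append(tokens[1])
            elif tokens[0] == "anyconnect-essentials":
                webvpn["essentials"] = True
        elif section and tokens[0] == "vpn-tunnel-protocol":
            policies[section].update(tokens[1:])
    return webvpn, policies

def clientless_findings(text):
    """Name each group policy that still permits ssl-clientless while webvpn is enabled."""
    webvpn, policies = parse_asa_config(text)
    if not webvpn["interfaces"]:
        return []  # the 'no webvpn' case: nothing listens, but AnyConnect over SSL is gone too
    findings = []
    for name in sorted(policies):
        if "ssl-clientless" in policies[name]:
            note = "masked by anyconnect-essentials" if webvpn["essentials"] else "portal usable"
            findings.append(f"{name}: ssl-clientless permitted ({note})")
    return findings
```

Feed it the output of "show running-config" to see which policies would expose the clientless portal again if anyconnect-essentials were ever removed.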