Few questions about ASA ssl vpn

SDKIM (Level 1)

Hello,

 

I got a few requests from a customer, and I also thought these were impossible to do.

But I just want to get confirmation from the experts here :)

1. Per-user firewall feature: the client wants to apply firewall policies per SSL VPN local user.

2. Two different domains to access two different SSL connection profiles (SSL connection through the web browser): for example, https://user.vpn.com >> user profile, https://adm.vpn.com >> adm profile.

 

I kindly request that you confirm these items.

Thanks in advance, Good luck!!


6 Replies

Bogdan Nita (VIP Alumni)

1. Had the same request once, but with AD users. We used IDFW and we configured ACLs with AD users as source. I do not think it can be done for local users.

2. Not sure if I understood the question or I am missing something. Couldn't you have 2 tunnel-groups with different group-urls?

Thanks for your reply.

Regarding question 2: currently I have 1 SSL VPN connection profile (site to client) for user access. Users are able to access it through the web browser with a certain URL, e.g. https://user.vpn.com, and are also able to access it through the AnyConnect client software using the ASA outside IP address.

Now the client wants to add one more SSL VPN connection profile only for the admins, and he wants to use a different URL such as https://adm.vpn.com. My understanding is that to use a different URL, the ASA needs to have a secondary outside IP address, and this IP address should be registered on the DNS server with the different URL. In this case, the ASA can also tie this secondary IP address to the new connection profile. And as far as I know, the ASA doesn't support a secondary IP address on the outside interface.

 

Please let me know if there is any misunderstanding.

You don't need a new top-level URL. You can create a new connection profile for admins and give it a Group URL but NOT a connection alias. (The connection alias is what appears in the drop down list.)

 

It will thus be effectively "hidden" and when the admin users go to, for instance, https://user.vpn.com/it_admin they will be connected automatically to the alternate connection profile.

Appreciate your great help!!

If you want to have 2 URLs pointing to 2 different IPs, you will have to have 2 IPs on the ASA and you are right, ASA does not support secondary IP.

You could have the 2 names pointing to the same IP, configure a tunnel-group for each url and configure the url with group-url. If you don't configure the tunnel with group-alias it will not appear in the drop down list.

If you have certificates on the ASA, you will need a certificate with both URLs, but then both URLs will be visible. You can get around this if you use slightly different names: vpn.com/user and vpn.com/admin.

This way the certificate will have to be issued only to vpn.com.
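The two replies above (a second connection profile reachable only by group-url, with no group-alias so it stays out of the drop-down, and a single certificate for vpn.com covering both paths) look like this in ASA CLI. This is an added example, not configuration posted in the thread: the interface name outside, the trustpoint VPN_TP, the group policies GP_USERS and GP_ADMINS, the tunnel groups USERS and ADMINS, the path names /user and /admin, and the pre-existing local user admin1 are all assumptions chosen for illustration.

```text
! Added example, not from the thread. Assumed names: outside, VPN_TP,
! GP_USERS, GP_ADMINS, USERS, ADMINS, admin1. Both group-urls share the
! host vpn.com, so one certificate for vpn.com on VPN_TP covers both;
! the path part of a group-url is never checked against the certificate.
ssl trust-point VPN_TP outside

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

group-policy GP_USERS internal
group-policy GP_USERS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless

group-policy GP_ADMINS internal
group-policy GP_ADMINS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless

! Regular users: has a group-alias, so it appears in the drop-down list
! and is also reachable directly at https://vpn.com/user
tunnel-group USERS type remote-access
tunnel-group USERS general-attributes
 default-group-policy GP_USERS
tunnel-group USERS webvpn-attributes
 group-alias users enable
 group-url https://vpn.com/user enable

! Admins: group-url only, no group-alias, so it is not listed.
! Browsing to https://vpn.com/admin (or pointing AnyConnect at that
! URL) lands on this profile without the user choosing it.
tunnel-group ADMINS type remote-access
tunnel-group ADMINS general-attributes
 default-group-policy GP_ADMINS
tunnel-group ADMINS webvpn-attributes
 group-url https://vpn.com/admin enable

! Hiding the profile is not an access control: anyone who learns the
! path can present credentials to it. Lock the admin accounts to the
! ADMINS tunnel group so they cannot authenticate through USERS, and
! vice versa (assumes local user admin1 already exists).
username admin1 attributes
 group-lock value ADMINS
group-policy GP_USERS attributes
 group-lock value USERS
```

After the change, `show vpn-sessiondb anyconnect` (or `show vpn-sessiondb webvpn` for clientless sessions) lists the Tunnel Group each session landed on, which is the quickest way to confirm that /admin and /user select the intended profiles. Because the second profile is only obscured, not protected, the ADMINS tunnel group should carry the stronger authentication (for example a separate AAA server group or certificate plus password) rather than relying on the path being unknown.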

Appreciate your great help!!