12-06-2023 12:18 AM
Hi All,
I am trying to disable tunnel-group DefaultWEBVPNGroup but still have not found a way.
My scenario is:
I have 2 tunnel-groups
URL : https://x.x.x.x/group-1
URL : https://x.x.x.x/group-2
In case a client connects to https://x.x.x.x without the /name-of-group, he will go to tunnel-group DefaultWEBVPNGroup.
I want to find a solution to disable this.
12-06-2023 02:37 AM
The only way is what I mentioned above: using noaccess under the tunnel-group DefaultWEBVPNGroup.
This group policy has 0 logins, so he can never access.
MHM
12-06-2023 12:24 AM - edited 12-06-2023 12:29 AM
Share the config of the ASA, let me check it.
I think you need noaccess here to drop any remote-access user who is not in a specific group:
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
MHM
12-06-2023 12:29 AM
Do you want the whole configuration or a specific part of the configuration?
12-06-2023 12:32 AM
Check the noaccess group; if it does not work, then share the config.
I think it will work fine for your case.
MHM
12-06-2023 12:46 AM
@MHM Cisco World
I sent the configuration by private message. Please check.
The noaccess group does not work.
12-06-2023 01:03 AM - edited 12-06-2023 01:34 AM
MHM
12-06-2023 01:08 AM - edited 12-06-2023 01:11 AM
I tried to configure the commands below, but the client can still connect to the URL x.x.x.x without the /tunnel-name:
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
What I need is for the client to be unable to connect to the VPN without a tunnel-group name:
URL : https://x.x.x.x/group-1 ----> YES
URL : https://x.x.x.x -----> NO
Please help me with my concern.
12-06-2023 01:11 AM - edited 12-06-2023 01:34 AM
MHM
12-06-2023 01:19 AM
I don't understand your advice. Please explain it to me in more detail.
Now I have tried to configure:
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client
ASA-1(config-tunnel-webvpn)# show run all tunnel-group DefaultWEBVPNGroup
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy NOACCESS
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
username-from-certificate-choice second-certificate
secondary-username-from-certificate-choice second-certificate
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no external-browser enable
no radius-reject-message
no proxy-auth sdi
no pre-fill-username client
no pre-fill-username clientless
no secondary-pre-fill-username client
no secondary-pre-fill-username clientless
no saml-match-username-from-cert
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
12-06-2023 01:32 AM
@MHM Cisco World
I need the client to be unable to connect to the URL https://x.x.x.x with no tunnel-group name. That means no popup, or the VPN cannot connect.
Can I do this?
12-06-2023 01:35 AM
I am reviewing your config now.
MHM
12-06-2023 02:02 AM
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy DfltGrpPolicy
!
tunnel-group telconw type remote-access
tunnel-group telconw general-attributes
default-group-policy telconw
!
tunnel-group telconw-2 type remote-access
tunnel-group telconw-2 general-attributes
default-group-policy telconw
!
tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy telconw
12-06-2023 02:09 AM
Above are the four groups I see.
Now the issues I see in the config:
1- You use group-list, not group-url.
https://integratingit.wordpress.com/2022/03/23/asa-group-url-and-alias/
2- The first group, DefaultWEBVPNGroup, has no IP and no group name, and it uses the default group policy; here we can add noaccess.
Note: I think if we solve point one, then there is no need to use tunnel-group DefaultWEBVPNGroup anymore at all.
MHM
12-06-2023 02:12 AM
@MHM Cisco World
I have group-url, but I deleted it because it may show the public IP of my LAB.
As you explain it, does it mean DefaultWEBVPNGroup cannot be deleted or disabled, or not?
Because if a client tries to connect to https://x.x.x.x, it always connects, because it uses DefaultWEBVPNGroup.
12-06-2023 02:21 AM
It connects because there is tunnel-group DefaultWEBVPNGroup (I don't see why you use it), which uses group policy DfltGrpPolicy.
So we need to replace DfltGrpPolicy with noaccess (which has logins 0).
So he cannot access.
MHM
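Pulling the two points of this thread together, here is an added example configuration (not the original poster's config and not MHM's) that reuses the thread's x.x.x.x address, the group-1/group-2 URL paths, and the telconw / telconw-2 tunnel-group names from the posted config: each named tunnel-group gets a group-url, the group drop-down list is turned off, and DefaultWEBVPNGroup is pinned to the NOACCESS policy so that a bare https://x.x.x.x login is rejected at authentication instead of landing in DfltGrpPolicy.

```cisco
! Added example, assumed names: NOACCESS (policy), telconw / telconw-2 (tunnel-groups)
! 1) Policy that accepts no sessions at all: 0 simultaneous logins
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
!
! 2) Anything that lands in the built-in default group (a request to
!    https://x.x.x.x with no group path) now inherits NOACCESS
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NOACCESS
!
! 3) Real users are selected by group-url, so the path alone picks the group
tunnel-group telconw type remote-access
tunnel-group telconw general-attributes
 default-group-policy telconw
tunnel-group telconw webvpn-attributes
 group-url https://x.x.x.x/group-1 enable
!
tunnel-group telconw-2 type remote-access
tunnel-group telconw-2 general-attributes
 default-group-policy telconw
tunnel-group telconw-2 webvpn-attributes
 group-url https://x.x.x.x/group-2 enable
!
! 4) No group list on the portal, so the bare URL offers nothing to choose
webvpn
 no tunnel-group-list enable
```

Verify with "show run all tunnel-group DefaultWEBVPNGroup" (as posted earlier in the thread) that default-group-policy reads NOACCESS, and confirm that the named tunnel-groups do not themselves reference NOACCESS, or those users are locked out too.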