04-04-2011 08:31 AM
Hi Guys,
Is there a way that I can associate one user with two VPN profiles? Here is the scenario.
Our company has bought a Win 7 64-bit PC for some of the employees, so I had to create AnyConnect. But the same users are also connecting via the normal Cisco VPN client. They will give away these old PCs, but for the time being my need is that both users shall connect to the AnyConnect profile and the IPsec profile.
I tried to assign the same profile with both IPsec and svc so that they could use a single profile, but AnyConnect didn't work.
Please suggest. I have a Cisco ASA 5510 as the VPN gateway.
And how many licences does the Cisco ASA have by default for AnyConnect users?
Here is the configuration for AnyConnect:
group-policy Broad_Anyconnet internal
group-policy Broad_Anyconnet attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
 address-pools value Broadcast_AnyPool
 webvpn
  svc ask none default svc
And here is the config for IPsec:
group-policy Nit_Broadcast internal
group-policy Nit_Broadcast attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
If you guys see the text in red, this profile has ipsec and svc, but when I use this with AnyConnect, then AnyConnect doesn't work. So I had to create a separate profile.
Thanks in advance
04-04-2011 09:34 AM
In ASA, the VPN profile is determined by "tunnel-group" and its associated attributes. In your case, if you want to specify the VPN profiles that a user needs to use, you need to define multiple "tunnel-group" entries. Group-Policy is just a configuration template applied to a tunnel-group. Common Group-Policy attributes being configured include DHCP pool, VPN tunnel-protocol, split-tunnel, etc. Group-Policy is meaningless (except default-group-policy) without association to a tunnel-group.
Tks
Leon Lai
04-04-2011 09:40 AM
You should be able to use just one tunnel-group but define both ipsec-attribute and webvpn-attribute.
04-04-2011 09:14 AM
In "group-policy Nit_Broadcast attributes", can you add all those commands under "webvpn" which are used in your webvpn group policy?
"show version" should tell you how many SSL VPN licenses you have. I think the default is 2.
04-05-2011 10:48 PM
tunnel-group Nit_Broadcast type remote-access
tunnel-group Nit_Broadcast general-attributes
 address-pool Nit_Broadcast_Pool
 default-group-policy Nit_Broadcast
Here is the tunnel_group for Nit_Broadcast!!!!!
04-06-2011 01:00 AM
Thanks guys, issue solved. It's working. As you guys suggested, I added the webvpn attributes and we are good to go.
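
The fix the thread arrived at, written out as one combined configuration. This is an added example, not a configuration posted by any participant: the Nit_Broadcast group policy gains the webvpn/svc line from Broad_Anyconnet, and the one tunnel-group carries both ipsec-attributes and webvpn-attributes. The group-alias, the tunnel-group-list line and the pre-shared-key placeholder are assumptions that do not appear in the thread.

```cisco
! Added example: one group policy and one tunnel-group serving both
! the legacy IPsec client and AnyConnect (ASA 8.x "svc" syntax, as
! used in the thread).

group-policy Nit_Broadcast internal
group-policy Nit_Broadcast attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
 ! The piece that was missing: listing "svc" in vpn-tunnel-protocol
 ! alone was not enough until the webvpn sub-mode settings from
 ! Broad_Anyconnet were copied in.
 webvpn
  svc ask none default svc

tunnel-group Nit_Broadcast type remote-access
tunnel-group Nit_Broadcast general-attributes
 address-pool Nit_Broadcast_Pool
 default-group-policy Nit_Broadcast

! IPsec side, for the legacy Cisco VPN client.
! Assumption: group authentication by pre-shared key; placeholder value.
tunnel-group Nit_Broadcast ipsec-attributes
 pre-shared-key <PLACEHOLDER_GROUP_KEY>

! AnyConnect side. Assumption: users pick the group by alias at login.
tunnel-group Nit_Broadcast webvpn-attributes
 group-alias Nit_Broadcast enable

! Assumption: the alias drop-down is enabled globally so the
! group-alias above is offered to AnyConnect users.
webvpn
 tunnel-group-list enable

! Checks after applying:
!   show running-config group-policy Nit_Broadcast
!   show version        (lists the SSL VPN peer licence count)
```

With this in place the separate Broad_Anyconnet policy is only needed if AnyConnect users must keep its own DNS server and address pool.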