
One User associated with two VPN profiles

thundercisco
Level 1

Hi Guys,

Is there a way that I can associate one user with two VPN profiles? Now here is the scenario.

Our company has bought a Win 7 64-bit PC for some of the employees, so I had to create AnyConnect. But the same users are also connecting via the normal Cisco VPN client. They will give away these old PCs, but for the time being my need is that both users shall connect to the AnyConnect profile and the IPsec profile.

I tried to assign the same profile with both ipsec and svc so that they could use a single profile, but AnyConnect didn't work.

Please suggest. I have a Cisco ASA 5510 as the VPN gateway.

And how many licenses does the Cisco ASA have by default for AnyConnect users?

Here is the configuration for anyconnect

group-policy Broad_Anyconnet internal
group-policy Broad_Anyconnet attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
address-pools value Broadcast_AnyPool
webvpn
  svc ask none default svc

And here is the config for ipsec

group-policy Nit_Broadcast internal
group-policy Nit_Broadcast attributes
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL

If you guys see the text in red, this profile has ipsec and svc, but when I use this with AnyConnect, AnyConnect doesn't work. So I had to create a separate profile.

Thnx in advance

Yudong Wu
Level 7

In "group-policy Nit_Broadcast attributes", can you add all those commands under "webvpn" which are used in your webvpn group policy?

"show version" should tell you how many SSL VPN licenses you have. I think the default is 2.

leon.mflai
Level 1

In ASA, the VPN profile is determined by the "tunnel-group" and its associated attributes. In your case, if you want to specify the VPN profiles that a user needs to use, you need to define multiple "tunnel-group" entries. Group-Policy is just a configuration template being applied to a tunnel-group. Common Group-Policy attributes being configured include DHCP pool, VPN tunnel-protocol, split-tunnel etc. Group-Policy is meaningless (except default-group-policy) without association to a tunnel-group.

Tks

Leon Lai

You should be able to use just one tunnel-group but define both ipsec-attribute and webvpn-attribute.

tunnel-group Nit_Broadcast type remote-access
tunnel-group Nit_Broadcast general-attributes
address-pool Nit_Broadcast_Pool
default-group-policy Nit_Broadcast

Here is the tunnel_group for Nit_Broadcast!!!!!

Thnx guys, issue solved. It's working. As you guys suggested, added webvpn attributes and we are good to go.
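
The single-profile setup the replies describe, assembled as an added example (not a configuration posted in the thread): one group-policy that permits both protocols and carries the `webvpn` sub-block, bound to one tunnel-group with both `ipsec-attributes` and `webvpn-attributes`. It reuses the thread's names and its pre-8.4 `svc` syntax; the pre-shared-key placeholder, the `group-alias` line and `tunnel-group-list enable` are assumptions, and the AnyConnect image and interface enablement are assumed to be in place already.

```text
! Added example, assembled from the snippets in this thread.
! Group-policy: allow IPsec, AnyConnect (svc) and clientless on one policy.
group-policy Nit_Broadcast internal
group-policy Nit_Broadcast attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
 ! The sub-block present in Broad_Anyconnet but missing from Nit_Broadcast
 ! in the original post.
 webvpn
  svc ask none default svc
!
! Tunnel-group: one connection profile serving both client types.
tunnel-group Nit_Broadcast type remote-access
tunnel-group Nit_Broadcast general-attributes
 address-pool Nit_Broadcast_Pool
 default-group-policy Nit_Broadcast
! Used by the legacy Cisco VPN client (IPsec). Placeholder key.
tunnel-group Nit_Broadcast ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY_PLACEHOLDER>
! Used by AnyConnect / clientless logins (assumed alias name).
tunnel-group Nit_Broadcast webvpn-attributes
 group-alias Nit_Broadcast enable
!
! Assumption: lets SSL VPN users pick the profile by its alias at login.
webvpn
 tunnel-group-list enable
```

Once both old and new PCs use this profile, the separate `Broad_Anyconnet` policy can be retired so only one set of split-tunnel and protocol settings has to be maintained and audited.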