Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
749
Views
0
Helpful
5
Replies

Remote Access VPN for 3rd Parties | IE support

ali007
Level 1
Level 1

‎06-01-2022 07:55 AM

HI,

 

we currently have a remote access VPN for our 3rd parties which is client less and perhaps due to missconfiguration it also installs client on their mahcine (whihc never gets used), here is the current cofnig:

 

"show vpn-sessiondb anyconnect " shows the following:

Protocol : IKEv2 IPsecOverNatT Clientless
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 Clientless: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 Clientless: (1)SHA384
Bytes Tx : 1280101 Bytes Rx : 218580
Group Policy : abc1234 Tunnel Group : DefaultWEBVPNGroup

the group policy used shows the following:

show running-config group-policy DfltGrpPolicy
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

also, "show vpn-sessiondb webvpn" shows no client connected.

 

 

but since Cisco, doesnt support any other browser and IE is obsolete now, what are our best options? if move to a client based, how would we deliver the vpn profile? and what changes would we need to make to our configuration?

 

 

I look forward to hearing from you.

 

regards,

ali

 

0 Helpful
5 Replies 5

Kasun Bandara
VIP
VIP

‎06-01-2022 08:19 AM

check clientless SSL VPNs

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎06-01-2022 08:21 AM

what model of ASA  and what code running. (we generally use Any connect )

 

i do remember other browsers supported, have you tried any other browser, (most browsers latest one do not support legacy SSL/TLS, so you need to upgrade version of code also)

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Rob Ingram
VIP
VIP

‎06-01-2022 08:30 AM

@ali007 clientless VPN is depreciated from ASA 9.17, so your option is to utilise AnyConnect client.

Use SSL Client instead of IKEv2/IPSec then you do not need to provision an XML configuration profile, the contractors can just connect to the tunnel-group alias/url.

0 Helpful

ali007
Level 1
Level 1
In response to Rob Ingram

‎06-03-2022 01:45 AM

Thanks @Rob Ingram 

 

  • Do you have an example configuration  ssl client based vpn? 
  • Will it work with two factor for 3rd party contractors?
0 Helpful

Rob Ingram
VIP
VIP
In response to ali007

‎06-03-2022 01:49 AM

@ali007 Example of AnyConnect SSL-VPN

Of course it will work with a Two Factor provider, there are also probably configuration guides for the ASA and most Two Factor providers - check the providers website.

 

0 Helpful
Customers Also Viewed These Support Documents