
Remote Access VPN for 3rd Parties | IE support

ali007
Beginner

Hi,

We currently have a remote access VPN for our 3rd parties which is clientless, and perhaps due to misconfiguration it also installs the client on their machine (which never gets used). Here is the current config:

"show vpn-sessiondb anyconnect " shows the following:

Protocol : IKEv2 IPsecOverNatT Clientless
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 Clientless: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 Clientless: (1)SHA384
Bytes Tx : 1280101 Bytes Rx : 218580
Group Policy : abc1234 Tunnel Group : DefaultWEBVPNGroup

the group policy used shows the following:

show running-config group-policy DfltGrpPolicy
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

Also, "show vpn-sessiondb webvpn" shows no client connected.

But since Cisco doesn't support any other browser and IE is obsolete now, what are our best options? If we move to a client-based VPN, how would we deliver the VPN profile? And what changes would we need to make to our configuration?

I look forward to hearing from you.

Regards,

ali

5 REPLIES

Kasun Bandara
VIP Advocate

Check clientless SSL VPNs

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

balaji.bandi
VIP Guru

What model of ASA and what code is it running? (We generally use AnyConnect.)

I do remember other browsers being supported. Have you tried any other browser? (The latest versions of most browsers do not support legacy SSL/TLS, so you need to upgrade the version of code also.)

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

BB


Rob Ingram
VIP Expert

@ali007 clientless VPN is deprecated from ASA 9.17, so your option is to utilise the AnyConnect client.

Use SSL Client instead of IKEv2/IPSec; then you do not need to provision an XML configuration profile, and the contractors can just connect to the tunnel-group alias/url.

Thanks @Rob Ingram

  • Do you have an example configuration for an SSL client-based VPN?
  • Will it work with two-factor for 3rd party contractors?

@ali007 Example of AnyConnect SSL-VPN

Of course it will work with a Two Factor provider. There are also probably configuration guides for the ASA and most Two Factor providers; check the provider's website.
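
As an added illustration of the SSL client approach described in the replies above (not taken from the thread or from the linked Cisco example), a dedicated contractor tunnel-group on the ASA could look like the following. The tunnel-group, group-policy, pool and ACL names, all addresses, the hostname, the package filename and the RADIUS server are assumed placeholders; the login limit and idle timeout mirror the values in the original post.

```cisco
! Constructed example: every name, address and filename here is a placeholder.
ip local pool CONTRACTOR-POOL 10.99.0.10-10.99.0.50 mask 255.255.255.0

! vpn-filter ACL: source is the VPN pool, destination is the internal host.
! Contractors reach only the one system they support; all else is denied.
access-list CONTRACTOR-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.10.20.5 eq 3389
access-list CONTRACTOR-SPLIT standard permit host 10.10.20.5

! RADIUS server that fronts the two-factor provider (assumed deployment).
aaa-server MFA-RADIUS protocol radius
aaa-server MFA-RADIUS (inside) host 10.10.10.20
 key <radius-shared-secret>

webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-webdeploy-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Dedicated policy: SSL client only, instead of the
! "ikev1 ikev2 l2tp-ipsec ssl-client" set inherited from DfltGrpPolicy.
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 60
 vpn-tunnel-protocol ssl-client
 vpn-filter value CONTRACTOR-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CONTRACTOR-SPLIT
 ! Users with this policy may only connect through the contractor tunnel-group.
 group-lock value TG-CONTRACTORS

tunnel-group TG-CONTRACTORS type remote-access
tunnel-group TG-CONTRACTORS general-attributes
 address-pool CONTRACTOR-POOL
 authentication-server-group MFA-RADIUS
 default-group-policy GP-CONTRACTORS
tunnel-group TG-CONTRACTORS webvpn-attributes
 ! Contractors connect to this alias/URL; no XML profile is needed for SSL.
 group-alias contractors enable
 group-url https://vpn.example.com/contractors enable
```

With this layout, contractor sessions should appear under TG-CONTRACTORS in "show vpn-sessiondb anyconnect" rather than under DefaultWEBVPNGroup.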