SSL VPN - Bypass DefaultWEBVPNGroup

aeryilmaz (Level 1)

Hi All,

I'm using the default tunnel-group and group-policy for my general user community. I want to apply a filter for that group, and have a special use case for another group that bypasses the filter. My goal: for people hitting the "RAS_Engineering" group policy, I want to bypass the filter applied to "DfltGrpPolicy".

Is there a way for me to configure the group-policy so that it doesn't pick up the default settings? Here's what I have (some output omitted to reduce lines):

# sh vpn-session detail svc filter name amy.eryilmaz

Session Type: SVC Detailed

Username     : amy.eryilmaz           Index        : 13568
Assigned IP  : my.vpn.assigned.ip     Public IP    : my.pub.lic.ip
....
Group Policy : RAS_Engineering        Tunnel Group : DefaultWEBVPNGroup
...
Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 13568.1
  Public IP    : my.pub.lic.ip
  ...
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : Web Browser
  Client Ver   : AnyConnect Windows 2.5.3046
  Bytes Tx     : 11456                  Bytes Rx     : 3986

SSL-Tunnel:
  Tunnel ID    : 13568.2
  Assigned IP  : my.vpn.assigned.ip     Public IP    : my.pub.lic.ip
  ....
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 2.5.3046
  ....
  Filter Name  : default-vpn-filter

-----------------------------------------------------------

group-policy DfltGrpPolicy attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-filter value default-vpn-filter
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value mydomain.com
 webvpn
  svc ask none default svc
group-policy RAS_Engineering internal
group-policy RAS_Engineering attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-tunnel-protocol l2tp-ipsec svc
 webvpn
  svc ask none default svc

-----------------------------------------------------------------

# sh run all tunnel-group DefaultWEBVPNGroup

tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group my_radius
 secondary-authentication-server-group none
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 dhcp-server xx.xx.xx.xx
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization myCustom
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth

Accepted Solution

Hi,

By default you will inherit any implicit values from the default group policy.

To stop inheriting the "vpn-filter" please do:

group-policy RAS_Engineering attributes
 vpn-filter none

The same applies for any other feature within the group-policy, make sure you explicitly define every parameter according to the specific requirements.

Thanks.

Portu.

Please rate any helpful posts.

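A worked check for the inheritance rule in the accepted answer, added here as an example; it is not Cisco code and not code from either poster. It models the ASA behaviour the answer describes: an attribute a named group policy does not set is inherited from DfltGrpPolicy, while an explicit `none` is a value of its own and stops inheritance. The script embeds the two group policies quoted in the question as a constructed sample, computes the effective vpn-filter for RAS_Engineering before and after `vpn-filter none`, and flags every policy whose effective filter is empty. Two things a practitioner should keep in mind when applying the fix: `vpn-filter none` does not mean "fall back to the default ACL", it means no ACL at all for sessions that land in that policy, which is the intended bypass here but should be a deliberate choice; and in the session output above the user lands in RAS_Engineering although DefaultWEBVPNGroup's default-group-policy is DfltGrpPolicy, so the policy is being selected by something other than the tunnel group (an attribute returned by the my_radius server is the usual source; that is an assumption, not something the thread confirms). The parser only handles the single-line attribute forms shown in the thread and skips the webvpn sub-mode; those are simplifications of this example, not ASA behaviour.

```python
"""Effective group-policy attributes on a Cisco ASA, with DfltGrpPolicy inheritance.

Added example for this thread; not Cisco code and not code from the posters.
Rule modelled (from the accepted answer): an attribute a named group policy does
not set explicitly is inherited from DfltGrpPolicy; the keyword "none" is an
explicit value that stops inheritance.  Assumptions: input looks like
"show running-config group-policy" output with one-space indented attribute
lines and deeper-indented sub-mode (webvpn) lines, which are skipped.
"""
import re
from typing import Dict, Optional

DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed sample: the two group policies quoted in the question.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-filter value default-vpn-filter
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value mydomain.com
 webvpn
  svc ask none default svc
group-policy RAS_Engineering internal
group-policy RAS_Engineering attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-tunnel-protocol l2tp-ipsec svc
 webvpn
  svc ask none default svc
"""

# The accepted answer's fix, as it would appear appended to the running config.
ACCEPTED_FIX = """\
group-policy RAS_Engineering attributes
 vpn-filter none
"""

# Per policy: attribute -> value.  Key absent = inherit; value None = explicit "none".
Policy = Dict[str, Optional[str]]

HEADER = re.compile(r"^group-policy (\S+) (?:internal|attributes)\b")


def parse_group_policies(config: str) -> Dict[str, Policy]:
    """Parse group-policy stanzas; returns only what each policy sets explicitly."""
    policies: Dict[str, Policy] = {}
    current: Optional[Policy] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if current is None or indent != 1:
            continue  # outside a stanza, or a sub-mode child line (under webvpn)
        tokens = raw.split()
        if len(tokens) < 2:
            continue  # bare sub-mode keyword such as "webvpn"
        attr, rest = tokens[0], tokens[1:]
        if rest[0] == "value":
            current[attr] = " ".join(rest[1:])
        elif rest[0] == "none":
            current[attr] = None  # explicit none: the attribute is set, but empty
        else:
            current[attr] = " ".join(rest)  # e.g. vpn-tunnel-protocol, dhcp-network-scope
    return policies


def effective_attributes(policies: Dict[str, Policy], name: str) -> Policy:
    """Start from everything DfltGrpPolicy sets, then let the named policy override."""
    merged: Policy = dict(policies.get(DEFAULT_POLICY, {}))
    merged.update(policies.get(name, {}))  # an explicit None overrides as well
    return merged


def effective_vpn_filter(policies: Dict[str, Policy], name: str) -> Optional[str]:
    """ACL name applied to sessions in this policy, or None when no ACL applies."""
    return effective_attributes(policies, name).get("vpn-filter")


def audit_vpn_filters(policies: Dict[str, Policy]) -> Dict[str, str]:
    """Map each policy to its effective ACL, flagging policies that end up with none."""
    return {
        name: effective_vpn_filter(policies, name) or "NO ACL (unrestricted)"
        for name in policies
    }


if __name__ == "__main__":
    before = parse_group_policies(SAMPLE_CONFIG)
    after = parse_group_policies(SAMPLE_CONFIG + ACCEPTED_FIX)
    print("before fix:", audit_vpn_filters(before))
    print("after fix: ", audit_vpn_filters(after))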

3 Replies


That's it - working now!

Much appreciated!

You are welcome!

Further information:

Configuring Tunnel Groups, Group Policies, and Users

I hope you have a nice day!

Portu.