Solved: SSL-VPN portal

mautez_mah · ‎03-23-2022

Dears
I am using SSL-VPN connect to ASA FW , with cisco anyconnect
as per attachment I am using this URL ZPLMN.......
1- where this URL should be configure ,
2- When I try to access this URL to reach portal so I can Download Cisco VPN it is not working
3- how can I configure proper Portal for user to download VPN

Rob Ingram · ‎03-23-2022

@mautez_mah You don't necessarily need a dedicated Group Policy, you could inherit from the default group policy, you just need to ensure both ssl-client and ssl-clientless is enabled.

View solution in original post

Rob Ingram · ‎03-23-2022

@mautez_mah you've not provided an attachment. If you have a URL this needs to be resolveable in DNS.

Do you just want to use the Web GUI to download the anyconnect client?

mautez_mah · ‎03-23-2022

@Rob Ingram
I have attached Screen0shot
yes I need to know where we configure , how fix existing issue as portal is not working

Rob Ingram · ‎03-23-2022

@mautez_mah

You need to configure the portal tunnel-group as below with a group-url. This tunnel-group references a group-policy which is configured for both ssl-client and ssl-clientless. With ssl-client defined as allowed vpn protocol, the user will have the option to download the client upon connection to the tunnel-group via the Web GUI.

group-policy Sales-GP internal
group-policy Sales-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
!tunnel-group Sales-WebVPN type remote-access
tunnel-group Sales-WebVPN general-attributes
 default-group-policy Sales-GP
tunnel-group Sales-WebVPN webvpn-attributes
 group-url https://sales.lab.local enable

mautez_mah · ‎03-23-2022

@Rob Ingram
Thanks , could you please guide me how can I find it thru ASDM
and when I add this ( TAM.net ) will all users outside can I access this portal and download Image

Rob Ingram · ‎03-23-2022

@mautez_mah You don't necessarily need a dedicated Group Policy, you could inherit from the default group policy, you just need to ensure both ssl-client and ssl-clientless is enabled.

mautez_mah · ‎03-23-2022

many thanks
but it seems this option is added in FW as it is context FW , right ?

Rob Ingram · ‎03-23-2022

@mautez_mah you need to ensure both ssl-client and ssl-clientless is enabled under the group policy. So double check TAMAM_ADMIN_POLICY (as per my screenshot above).

mautez_mah · ‎03-23-2022

many thanks

[OK] group-policy GroupPolicy1-test2 attributes
group-policy GroupPolicy1-test2 attributes
[OK] vpn-filter value sfr-redirect
[ERROR] vpn-tunnel-protocol ssl-clientless ssl-client

vpn-tunnel-protocol ssl-clientless ssl-client
^
ERROR: % Invalid input detected at '^' marker.

[OK] exit
I got this error so it seems FW is not supported ssl-clientless

Rob Ingram · ‎03-23-2022

@mautez_mah Clientless VPN is supported up to ASA version 9.17, from this version it has been depreciated. So if you are running an older version of ASA software it will work.