Cisco Secure Desktop and Tunnel Group Profiles

Unanswered Question
Jun 3rd, 2009
User Badges:

Okay Guys, I have a question. I am configuring remote vpn on an ASA 5540. Here is what I want to do but I am not sure if this is possible.

I want to set it up to where when a user goes to they are prompted to select a GROUP and then logon. (Corporate users or Contract users) I have this part working. The problem comes in when I enable Cisco Secure Desktop. I only want my "Contract Users" to load CSD. The problem is when going to it immediately starts to load CSD forcing all users to use CSD. My problem is I DO NOT want my corporate users being forced into CSD so I was hoping that you could FIRST select the profile and then CSD would load only if you are a "Contract User". I am aware of "without-csd" command for the Corporate Tunnel-group "" webvpn attributes, but it still loads CSD before allowing you to select a profile. Hope my scenario is making sense.

Here is my config:

CCCASA-5540# sho run webvpn


enable outside

csd image disk0:/

csd enable

svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1

svc enable

tunnel-group-list enable

CCCASA-5540# sho run tunn

CCCASA-5540# sho run tunnel-group

tunnel-group Corporate type remote-access

tunnel-group Corporate general-attributes

address-pool SSL_VPN_Pool

authentication-server-group SSL_VPN

default-group-policy Corporate

tunnel-group Corporate webvpn-attributes

group-alias Corporate enable


/Corporate enable


tunnel-group Consultant type remote-access

tunnel-group Consultant general-attributes

address-pool SSL_VPN_Pool

authentication-server-group SSL_VPN

default-group-policy Consultant

tunnel-group Consultant webvpn-attributes

group-alias Consultant enable

group-url enable

CCCASA-5540# sho run group-po

group-policy Corporate internal

group-policy Corporate attributes

dns-server value 10.x.x.x

vpn-tunnel-protocol svc

group-policy Consultant internal

group-policy Consultant attributes

vpn-tunnel-protocol svc

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Anonymous (not verified) Tue, 06/09/2009 - 07:48
User Badges:

You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that uses that customization profile, as the following URL:


This Discussion