06-03-2009 09:36 AM - edited 03-09-2019 10:20 PM
Okay guys, I have a question. I am configuring remote VPN on an ASA 5540. Here is what I want to do, but I am not sure if this is possible.
I want to set it up to where when a user goes to https://vpn.website.com they are prompted to select a GROUP and then log on. (Corporate users or Contract users.) I have this part working. The problem comes in when I enable Cisco Secure Desktop. I only want my "Contract Users" to load CSD. The problem is when going to https://sslvpn.website.com it immediately starts to load CSD, forcing all users to use CSD. My problem is I DO NOT want my corporate users being forced into CSD, so I was hoping that you could FIRST select the profile and then CSD would load only if you are a "Contract User". I am aware of the "without-csd" command for the Corporate Tunnel-group "" webvpn attributes, but it still loads CSD before allowing you to select a profile. Hope my scenario is making sense.
Here is my config:
CCCASA-5540# sho run webvpn
webvpn
enable outside
csd image disk0:/securedesktop_asa_3_3_0_129.pkg.zip
csd enable
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
tunnel-group-list enable
CCCASA-5540# sho run tunn
CCCASA-5540# sho run tunnel-group
tunnel-group Corporate type remote-access
tunnel-group Corporate general-attributes
address-pool SSL_VPN_Pool
authentication-server-group SSL_VPN
default-group-policy Corporate
tunnel-group Corporate webvpn-attributes
group-alias Corporate enable
group-url https://0.0.0.0/Corporate enable
without-csd
tunnel-group Consultant type remote-access
tunnel-group Consultant general-attributes
address-pool SSL_VPN_Pool
authentication-server-group SSL_VPN
default-group-policy Consultant
tunnel-group Consultant webvpn-attributes
group-alias Consultant enable
group-url https://0.0.0.0/Consultant enable
CCCASA-5540# sho run group-po
group-policy Corporate internal
group-policy Corporate attributes
dns-server value 10.x.x.x
vpn-tunnel-protocol svc
group-policy Consultant internal
group-policy Consultant attributes
vpn-tunnel-protocol svc
06-09-2009 07:48 AM
You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that uses that customization profile, as described at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1117540
06-10-2009 08:18 AM
In 8.2.1, you can disable CSD on a per tunnel-group basis when using group URLs as opposed to aliasing. If you intend to have users choose their respective connection profile using the alias drop-down menu, then CSD will execute for all users.
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp229690
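A way to check a saved `show run` for the situation this thread describes, as an added example that is not part of any post above: it reports, per tunnel group, whether CSD runs on the alias-menu path and on the group-URL path, and lists groups whose `without-csd` exemption is defeated by the alias menu. The function names, the sample configuration and the host vpn.example.com are constructed for illustration, and the logic assumes the 8.2.1 behaviour stated in the last reply.

```python
import re

# Constructed sample in "show run" layout (sub-commands indented one space);
# vpn.example.com is a placeholder host, not a value from the thread.
SAMPLE = """\
webvpn
 csd enable
 tunnel-group-list enable
tunnel-group Corporate webvpn-attributes
 group-alias Corporate enable
 group-url https://vpn.example.com/Corporate enable
 without-csd
tunnel-group Consultant webvpn-attributes
 group-alias Consultant enable
 group-url https://vpn.example.com/Consultant enable
"""

def csd_by_entry_path(config):
    """Per tunnel group: does CSD run on each entry path? True/False, or None
    when the path is not configured. Assumes the 8.2.1 behaviour from the
    reply: without-csd applies to group-URL logins only; the alias menu runs
    CSD for everyone."""
    csd_on = alias_menu = False
    groups, section = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):             # top-level line opens a section
            m = re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", raw.strip())
            section = "webvpn" if words == ["webvpn"] else None
            if m:
                section = groups.setdefault(m.group(1), set())
        elif section == "webvpn":
            csd_on = csd_on or words == ["csd", "enable"]
            alias_menu = alias_menu or words == ["tunnel-group-list", "enable"]
        elif section is not None:
            section.add(words[0])               # group-alias, group-url, without-csd
    result = {}
    for name, cmds in groups.items():
        via_alias = csd_on if alias_menu and "group-alias" in cmds else None
        via_url = (csd_on and "without-csd" not in cmds) if "group-url" in cmds else None
        result[name] = {"alias": via_alias, "group_url": via_url}
    return result

def ineffective_exemptions(config):
    """Groups marked without-csd that still get CSD through the alias menu."""
    return sorted(name for name, path in csd_by_entry_path(config).items()
                  if path["alias"] and path["group_url"] is False)
```

The parser relies on the indentation that real `show run` output carries, so a configuration pasted with its leading spaces stripped has to be re-indented first.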