Anyconnect (2.5.0217) to ASA5550 (8.3(2)) ignoring tunnel groups.

nmfoxton
Level 1

Hi,

Not been on here for a long time, and I've got a bit of a sticky problem with some new kit I'm going to be using for a remote access service.

Now we are going to be using the good old ipsec vpn client for a while yet and everything works swimmingly with that.

But we're also going to use W7 soon and that means switching to the Anyconnect client.

We have several tunnel and user groups which have different rules for connecting.

Three of the groups have specific ip address pools for security reasons.

Everyone else just relies on dhcp from the inside network subnet.

These work a treat with our old friend the ipsec client.

However I've configured the Anyconnect client with specific profiles so they only connect to their specified groups... but it doesn't want to work.

Every time you connect you end up in the DefaultWEBVPNGroup and we get addressing from the dhcp subnet instead of the pool set up for the group-xxxx which the anyconnect profile specifies.

I've tried all sorts, but coming up blank, it's the most annoying problem with these boxes.

Anyone got any ideas?


Todd Pula
Level 7

If you have multiple AnyConnect tunnel groups defined, you have two options for group selection. You can configure an Alias and enable a drop down menu where the clients can choose the tunnel group they want to connect to. The second option is to configure a group URL which includes the tunnel group in the URL path. For example, you could have it set up such as vpn.vpn.com/anyconnect1, vpn.vpn.com/anyconnect2, etc.

As an aside, the latest 5.0.07 IPSec client supports both 32-bit and 64-bit Windows 7 machines.  Let me know if you have any specific questions about the above options.

Thanks for the reply, excellent.

Unfortunately option 1 is out of the question; we need to control users completely when accessing and obviously we wouldn't want anyone trying to connect as a tech or VIP. Now option 2 interests me, but like all things in life and business I have seen the options for creating the URLs, but have no idea how to set them up or make them work. Training always comes along after we need to install and run equipment, and all the reading I've done doesn't explain it very well, or I am obviously getting confused by it.

I would like to stay with our old friendly ipsec client, but our Microsoft chaps persist in wanting SBL to allow for the PCs' registration and rights issues on the domain.

Any advice and/or guidance would be most appreciated.

Group URLs are pretty easy to configure.  Via ASDM, you will go to Configuration->Remote Access VPN->Network (Client) Access->AnyConnect Connection Profiles.  Edit one of the AnyConnect connection profiles and then go to Advanced->SSL VPN.  The bottom pane will be used to configure a group URL.  Click on Add and enter a URL.  For example, https://vpn.vpn.com/employee.  Apply the configuration to your ASA.  To test access, you will enter the Group URL into your browser.  Alternatively, you can enter the URL minus the https:// into the connect to field of the pre-installed AnyConnect client.  This can be further automated through an AnyConnect XML profile.

To your second point regarding security, there are numerous ways that we can achieve this.  Option 1 is still valid provided that you utilize a group lock in the corresponding group policy.  You can also look into Dynamic Access Policies (DAP) for more granular control.

Todd
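As an added illustration of the group URL plus group-lock approach described in the reply above (this is example configuration, not config from the thread or from Cisco documentation), here is the equivalent ASA CLI for one locked-down tunnel group with its own address pool. The group, policy and pool names, the address range and the URL are assumptions.

```cisco
! Added example: one AnyConnect tunnel group selected by its group-url,
! with a dedicated address pool and a group-lock so a user bound to this
! policy cannot end up in DefaultWEBVPNGroup. Names, addresses and the URL
! are placeholders; the real values come from your own design.

! Dedicated pool for this group (instead of DHCP from the inside subnet)
ip local pool POOL-TECH 10.10.50.10-10.10.50.50 mask 255.255.255.0

! Group policy: AnyConnect (SSL) only, pool assignment, and a lock that
! rejects the user if they arrive via any other tunnel group
group-policy GP-TECH internal
group-policy GP-TECH attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-TECH
 group-lock value TG-TECH

! Tunnel group (connection profile) reached by URL path rather than by
! an alias in the drop-down menu
tunnel-group TG-TECH type remote-access
tunnel-group TG-TECH general-attributes
 address-pool POOL-TECH
 default-group-policy GP-TECH
tunnel-group TG-TECH webvpn-attributes
 group-url https://vpn.vpn.com/tech enable

! Verification once a client connects: the session should show TG-TECH
! as the tunnel group and an assigned address from 10.10.50.0/24
! show vpn-sessiondb svc
```

In the AnyConnect XML profile, the matching ServerList HostEntry would carry HostAddress vpn.vpn.com and UserGroup tech, which is what makes the client hit this URL automatically instead of the default group.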
