
Three formats for group-url

I just read the title "ASA 8.0 SSLVPN (WebVPN): Advanced Portal Customization" and am confused about the three formats of group-url in the following link:

--------------------------------------------------------------------------------------------------------------------------------------

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml

Figure 3: Configure Group-URLs for the Connection Profile
Note: In this example, the group-url is configured in three different formats. The user can enter any one of them in order to connect to the ASA through the sslclient connection profile.
--------------------------------------------------------------------------------------------------------------------------------------
Please explain more about the three different formats of group-url.

9 Replies

Three formats of group URL strings are supported from the above link:

1. https://asa.cisco.com/sslclient

2. https://sslclient.asa.cisco.com

3. https://171.69.37.70/sslclient

Hi Pipatpong,

Actually, the group-url can be of the following forms:

https://

https:///

https://

https:///

When using FQDN, it can be any name which DNS resolves to the IP address of the ASA interface on which webvpn is enabled.

Does this answer your question?

hth

Herbert

Hi Herbert,

I want to create two WebVPN service groups for DepartmentA and DepartmentB with ASA version 8.0(2) by using group-url, because the advantage of using group-url over group-alias (group drop-down) is that group-url does not expose the group names as the latter method does.

I can successfully deploy the group-url in the format of https:/// and https:/// for my two WebVPN service groups. However, I can't use group-url in the format of https:// to provide WebVPN service. I already modified the Microsoft Windows "host file" to map the FQDN of the ASA to the IP address of the ASA interface on which webvpn is enabled.

My WebVPN configuration is

webvpn
enable outside
!
Group DepartmentA
group-policy DepartmentA internal
group-policy DepartmentA attributes
vpn-tunnel-protocol webvpn
  url-entry enable
!
username UserA password CISCO123
username UserA attribute
service-type remote-access
!
tunnel-group DepartmentA type remote-access
tunnel-group DepartmentA general-attributes
default-group-policy DepartmentA
authentication-server-group LOCAL
!
tunnel-group DepartmentA webvpn-attributes
authentication aaa
!
Group DepartmentB
group-policy DepartmentB internal
group-policy DepartmentB attributes
vpn-tunnel-protocol webvpn
  url-entry enable
!
username UserB password CISCO123
username UserB attribute
service-type remote-access
!
tunnel-group DepartmentB type remote-access
tunnel-group DepartmentB general-attributes
default-group-policy DepartmentB
authentication-server-group LOCAL
!
tunnel-group DepartmentB webvpn-attributes
authentication aaa
!

My Microsoft Windows host file is

  departmenta.company.com

  departmentb.company.com

The IP address is the same for "departmenta.company.com" and "departmentb.company.com".

When I enter the https://departmenta.company.com or https://departmentb.company.com group-url into a browser in order to connect to the ASA, I can't connect to the appropriate tunnel-group and fall back to tunnel-group DefaultWEBVPNGroup. Please guide me on how to fix this issue.

Regards,

Pipatpong

Thanks for clarifying. I tried this in the lab today, but it worked fine for both URLs.

When you have only one group-url in your config, does that one work?

How do you determine whether you land on the right tunnel group?

What does "show vpn-sessiondb webvpn" show?

Herbert

Hi Herbert,

Yes, I use "show vpn-sessiondb webvpn" to determine whether my WebVPN session lands on the right tunnel group and group-policy. What ASA version are you using in your lab? Did you modify the Microsoft Windows "host file" to map the FQDN of the ASA to the IP address of the ASA interface on which webvpn is enabled?

Windows host file is

  departmenta.company.com

  departmentb.company.com

I have not yet tested with only one group-url in my configuration. I will update you with my test result soon. Thank you so much for your update.

Thanks and Regards,

Pipatpong

Yes, I defined the same 2 names in my Windows hosts file. I was testing with 8.3(2) and just tried 8.0(5) as well, which works fine.

8.0(2) is quite old so you may want to try 8.0(5).

hth

Herbert

Did some more digging - you are probably hitting this bug:

CSCsj20475 WebVPN: Group-URL fails without a /

This is fixed in 8.0(3) and later. To test you could try adding a / to the group-url, i.e.

group-url https://departmentA.company.com/ enable

But even if that works, I still highly recommend going to 8.0(5).

cheers

Herbert
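
An added example, not part of the original thread and not Cisco's code: a Python check that scans a saved running-config for group-url entries that would hit the missing-slash bug described above. The sample configuration, the 192.0.2.10 address and the function names are constructed, and treating every release before 8.0(3) as affected is an assumption based on the post's "fixed in 8.0(3) and later".

```python
import re
from urllib.parse import urlsplit

FIXED_IN = (8, 0, 3)  # per the thread: CSCsj20475 is fixed in 8.0(3) and later

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
!
tunnel-group DepartmentA webvpn-attributes
 authentication aaa
 group-url https://departmenta.company.com enable
!
tunnel-group DepartmentB webvpn-attributes
 authentication aaa
 group-url https://departmentb.company.com/ enable
 group-url https://192.0.2.10/DepartmentB enable
!
"""

def parse_version(config):
    """Return (major, minor, maintenance) from the 'ASA Version' header, or None."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def group_urls(config):
    """Yield (tunnel_group, url) for each group-url that is not disabled."""
    current = None
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if line.startswith("tunnel-group "):
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            current = m.group(1) if m else None
        elif line.startswith("group-url ") and current:
            parts = line.split()
            if len(parts) >= 2 and parts[-1] != "disable":
                yield current, parts[1]

def audit(config):
    """List group-urls with no '/' after the host on a release before the fix."""
    version = parse_version(config)
    if version is not None and version >= FIXED_IN:
        return []
    # An empty path means the URL ends at the host name, the failing form.
    return [(g, u) for g, u in group_urls(config) if urlsplit(u).path == ""]

if __name__ == "__main__":
    for group, url in audit(SAMPLE_CONFIG):
        print(f"{group}: {url} has no trailing '/', falls back to the default group")
```

A config with no version header is treated as unknown and still audited, so a pasted fragment such as the one earlier in this thread is checked conservatively.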

Hi Herbert,

I just upgraded my ASA from 8.0(2) to 8.0(5) and it works fine for group-url. Thank you so much for your great support and excellent update.

Thanks and Regards,

Pipatpong

Oh, I am just using ASA 8.0(2). I spent whole days trying to fix it. Thank you very much for your answer.