
ASA 9.1 Trouble with tunnel-group-list enable

ciscotac16
Level 1

Hello!

I'm trying to get a configuration working where Cisco VPN / DTLS phones can VPN connect, while still allowing remote access via AnyConnect clients to PCs. I have two tunnel-groups and group-policies configured for this purpose, and am using group-urls.

Phones are connecting fine, but I do not get the pull-down menu to choose between the two tunnel-groups when connecting from a remote computer.

Below is an excerpt from the config.

By the way, I did have the menu working previously when I was using group aliases instead of group-urls. However, the phones seem to require the group-urls. Now that I have those configured, the menu doesn't work. If I enter the complete URL in the AnyConnect window, both of the URLs work, and I can log in.

Thank you in advance for any suggestions you might have!

Deb

webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable

group-policy ABC internal
group-policy ABC attributes
 wins-server value 10.10.16.17 10.10.16.12
 dns-server value 10.10.16.17 10.10.16.12
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none

group-policy ABC-STG internal
group-policy ABC-STG attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-Encrypt-ACL
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none

tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 default-group-policy ABC-STG
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable

tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group ACTIVE-DIRECTORY
 default-group-policy ABC
 password-management
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable

Accepted Solution

Dinesh Moudgil
Cisco Employee

Hi,

You can have group-alias and group-url simultaneously in the configuration so that phones can connect with group-url and users can click on the drop-down menu to select the right connection profile.

tunnel-group <tunnel-group-name> webvpn-attributes
group-alias <tunnel-group-alias> enable
group-url <url> enable

 

Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
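Applied to the two connection profiles from the original post, the combined configuration looks like this. This is an added example, not the thread's own config or Cisco's documentation; the alias names ABC and ABC-STG are assumed, and the group-urls are the ones from the post.

```cisco
! Global WebVPN settings (as in the original post). The drop-down is only
! shown when tunnel-group-list is enabled AND at least one profile has a
! group-alias; group-url alone never populates the menu.
webvpn
 enable OUTSIDE
 anyconnect enable
 tunnel-group-list enable
!
! Profile used by the PCs: group-alias feeds the drop-down, group-url keeps
! the direct URL working. Alias name "ABC" is assumed.
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-alias ABC enable
 group-url https://asa.abc.com/ABC enable
!
! Profile used by the phones: the phones connect via group-url, the alias
! lets PC users pick it from the menu. Alias name "ABC-STG" is assumed.
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-alias ABC-STG enable
 group-url https://asa.abc.com/ABC-STG enable
```

As the later replies in this thread note, tunnel-group-list is global to the ASA, so every enabled alias is listed on the clientless portal login page as well as in the AnyConnect client before any authentication. Give a group-alias only to profiles whose names you are comfortable showing to anonymous visitors, and leave URL-only profiles (such as one reserved for phones) without an alias if they should stay out of the list.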


Hi, Dinesh.

Thanks for your reply.

I did previously try the configuration that you suggest, but it did not work either. I had the menu working, but as soon as I added the URL for the phones, the menu wouldn't display.

I will go back and reconfigure it and try again just in case I fat-fingered something before. I'll post the results here.

Regards,

Deb

OK!  So, maybe I did fat-finger something yesterday....or maybe the ASA just needed to sleep on it.... :^)

At any rate, the menu is working again now, *and* the phones can still connect.

I must have had this same config in there at least 3 times while I was working on it yesterday (tried all sorts of things)....< Sigh >

Thanks again,

Deb

Hi Deb,

I am glad it is working.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

I want to disable group-alias (or disable tunnel-group-list) for webvpn (clientless) users but enable it for AnyConnect client users. I disabled tunnel-group-list under webvpn (global), but this disables it for both clientless and AnyConnect client VPN.

We don't want to show all the available groups to webvpn users who access via https.

Is there a way we can disable group-alias only for webvpn (clientless) users?

thanks...

Hi,

This setting gets applied to all the SSL users, whether client-based or clientless VPN.
You can either disable the webvpn page (using the keepout command) for all the users or completely disable the group-alias.

HTH

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thanks for your reply. Actually we don't want to completely disable group-alias; we need ONLY to disable it for webvpn (SSL) users and keep it for AnyConnect users.

We don't want to show all the available groups to webvpn users who access via https; it should be able to show only the SSL (clientless) VPN group when they access via https, and show all available AnyConnect groups for AnyConnect users (using IPsec) who access via AnyConnect clients.

Appreciate it if you can let us know whether this is possible with SSL VPN.

Thanks and regards,
