07-17-2014 07:31 PM
Hello!
I'm trying to get a configuration working where Cisco VPN / DTLS phones can VPN connect, while still allowing remote access via AnyConnect clients to PCs. I have two tunnel-groups and group-policies configured for this purpose, and am using group-urls.
Phones are connecting fine, but I do not get the pull-down menu to choose between the two tunnel-groups when connecting from a remote computer.
Below is an excerpt from the config.
By the way, I did have the menu working previously when I was using group aliases instead of group-urls. However, the phones seem to require the group-urls. Now that I have those configured, the menu doesn't work. If I enter the complete URL in the AnyConnect window, both of the URLs work, and I can log in.
Thank you in advance for any suggestions you might have!
Deb
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy ABC internal
group-policy ABC attributes
 wins-server value 10.10.16.17 10.10.16.12
 dns-server value 10.10.16.17 10.10.16.12
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
group-policy ABC-STG internal
group-policy ABC-STG attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-Encrypt-ACL
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 default-group-policy ABC-STG
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable
tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group ACTIVE-DIRECTORY
 default-group-policy ABC
 password-management
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable
07-18-2014 12:12 AM
Hi,
You can have group-alias and group-url simultaneously in the configuration so that phones can connect with group-url and users can click on the drop-down menu to select the right connection profile.
tunnel-group <tunnel-group-name> webvpn-attributes
 group-alias <tunnel-group-alias> enable
 group-url <url> enable
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
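Added example, not part of the original posts: a small Python check that reads an ASA running-config and reports which tunnel-groups cannot appear in the AnyConnect drop-down because they lack an enabled group-alias, or because `tunnel-group-list enable` is missing under the global `webvpn`. It assumes normally indented `show running-config` text; the sample config and the alias name `ABC` are constructed for illustration.

```python
# Constructed sample modelled on the excerpt in the question: one profile has
# only a group-url, the other has both a group-alias and a group-url.
SAMPLE_CONFIG = """\
webvpn
 enable OUTSIDE
 tunnel-group-list enable
tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable
tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-alias ABC enable
 group-url https://asa.abc.com/ABC enable
"""

def audit_profiles(config_text):
    """Return (list_enabled, {tunnel_group: {"alias": [...], "url": [...]}})."""
    list_enabled = False
    profiles = {}
    section = None  # words of the top-level command owning the indented lines
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.split()
            if section[0] == "tunnel-group" and len(section) >= 2:
                profiles.setdefault(section[1], {"alias": [], "url": []})
            continue
        words = line.split()
        if section == ["webvpn"] and words == ["tunnel-group-list", "enable"]:
            list_enabled = True  # global switch that turns the menu on
        elif (section and section[0] == "tunnel-group"
              and section[-1] == "webvpn-attributes" and words[-1] == "enable"):
            if words[0] == "group-alias":
                profiles[section[1]]["alias"].append(words[1])
            elif words[0] == "group-url":
                profiles[section[1]]["url"].append(words[1])
    return list_enabled, profiles

def missing_from_menu(config_text):
    """Tunnel groups that cannot be listed in the drop-down menu."""
    list_enabled, profiles = audit_profiles(config_text)
    if not list_enabled:
        return sorted(profiles)  # no menu at all without the global switch
    return sorted(name for name, p in profiles.items() if not p["alias"])
```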
07-18-2014 11:39 AM
Hi, Dinesh.
Thanks for your reply.
I did previously try the configuration that you suggest, but it did not work either. I had the menu working, but as soon as I added the URL for the phones, the menu wouldn't display.
I will go back and reconfigure it and try again just in case I fat-fingered something before. I'll post the results here.
Regards,
Deb
07-18-2014 12:16 PM
OK! So, maybe I did fat-finger something yesterday....or maybe the ASA just needed to sleep on it.... :^)
At any rate, the menu is working again now, *and* the phones can still connect.
I must have had this same config in there at least 3 times while I was working on it yesterday (tried all sorts of things)....< Sigh >
Thanks again,
Deb
07-18-2014 12:17 PM
Hi Deb,
I am glad it is working.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
08-21-2014 02:14 AM
Hi Dinesh,
I want to disable group-alias (or disable tunnel-group-list) for webvpn (clientless) users but enable for AnyConnect Client users. I disabled tunnel-group-list under webvpn (global) but this disables for both clientless as well as AnyConnect client VPN.
We don't want to show all the available groups for webvpn users who access via https.
Is there a way we can disable group-alias only for webvpn (clientless) users..?
thanks...
08-21-2014 05:21 AM
Hi
This setting gets applied to all the SSL users, whether client-based or clientless VPN.
You can either disable the webvpn page (using keepout command) for all the users or completely disable the group-alias.
HTH
Regards,
Dinesh Moudgil
08-23-2014 11:08 PM
Hi Dinesh,
Thanks for your reply. Actually we don't want to completely disable group-alias and we need ONLY to disable for webvpn (SSL) users and keep it for AnyConnect users.
We don't want to show all the available groups for webvpn users who access via https and it should be able to show only SSL (clientless) vpn group when they access via https and show all available AnyConnect groups list for AnyConnect users (using IPsec) who access via AnyConnect clients.
Appreciate if you can let us know whether this is possible with SSL vpn.
Thanks and regards,