10 Comments
Looks good, but I think you're better off with a "copy run start" instead of a "wr mem". The latter is on its way to being deprecated. I also believe that a "wr mem" uses more processing power than a "copy run start" when it is run. Perhaps someone can confirm this for me.

Thanks
0 Votes
wr
FAST!!! Updated - 24th Mar 2009
Personally I prefer "wr" because it uses less of my own processing power. Four key strokes to be exact...
So we have AnyConnect setup and working great. Now we need to deploy the certificate to all our users. Does anyone know how we do this without any user involvement?
Pretty good article, and there is so much more you can do with just the clientless WebVPN. I would like to see an article on single sign-on for the ASA WebVPN.

Thanks,
Tony
0 Votes
There is an easy way to set up single sign-on for the WebVPN. If you already have your ASA set up to authenticate against RADIUS or TACACS, all you have to do is add the following lines to your config. Please keep in mind you must have an authentication server group set up.

tunnel-group SSLClient general-attributes
authentication-server-group RD_SRV_GRP LOCAL
default-group-policy SSLCLient

To set up an authentication server you can use a server like Cisco ACS, or you can use the IAS RADIUS server from Microsoft. Below is a link on how to set up an IAS server to authenticate Cisco devices:

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

If this doesn't work, you can just Google "use IAS to authenticate cisco devices".

I use MS IAS server and it works perfectly for us...
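The comment above shows only the tunnel-group lines and says an authentication server group must already exist. The following is an added example, not the commenter's or Cisco's own config, that supplies the missing RADIUS group definition and the check a practitioner would run before cutting users over. The group name RD_SRV_GRP and tunnel-group SSLClient come from the comment; the interface name, server address 192.0.2.10, shared secret and test credentials are placeholders.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.10, CHANGE_ME_SHARED_SECRET,
! the test credentials, and the assumption that the RADIUS server sits on "inside".
!
! 1. Define the RADIUS server group the tunnel-group will reference.
aaa-server RD_SRV_GRP protocol radius
aaa-server RD_SRV_GRP (inside) host 192.0.2.10
 key CHANGE_ME_SHARED_SECRET
 authentication-port 1812
!
! 2. Bind the SSL VPN tunnel-group to that group.
!    "LOCAL" here is a fallback used only when every server in RD_SRV_GRP is unreachable,
!    not when a user's RADIUS credentials are rejected, so the local user database stays a
!    valid login path during an outage and should be kept minimal.
tunnel-group SSLClient general-attributes
 authentication-server-group RD_SRV_GRP LOCAL
 default-group-policy SSLClient
!
! 3. Verify the ASA can actually authenticate against the server before relying on it.
test aaa-server authentication RD_SRV_GRP host 192.0.2.10 username testuser password TestPassw0rd
```

`show aaa-server RD_SRV_GRP` reports whether the ASA currently considers each server active or failed; if it shows the server as failed, the tunnel-group is silently falling through to LOCAL accounts. Use a long random shared secret and keep the RADIUS server reachable only over an internal interface, since the ASA-to-RADIUS exchange is what protects the user's password in transit.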
Is there another article that describes how to configure remote access using the Cisco VPN Client?
0 Votes
good article...
rayb@... 24th Mar 2009
Can anyone tell me if there is a cost involved in using the Cisco web VPN client or the standard Cisco VPN client with the ASA 5505 or 5510?
Thanks.
0 Votes
Yes
Lori H 24th Mar 2009
I believe the base license includes 2 SSL VPN peers. More than that will require an upgrade that you will have to pay for.

Lori
If you want to allow internet browsing for SSL VPN users WITHOUT split-tunneling turned on, you will have to enable traffic to pass in and then back out of the outside interface, and you will also need to apply a NAT for the SSL VPN IP pool. Here's how:

1. Use the command "same-security-traffic permit intra-interface" to allow traffic to enter and exit an interface with the same security level.

2. Apply a NAT for the IP pool that was configured for the SSL VPN users:

global (outside) 1 interface
nat (outside) 1 [ip_pool_address_range] [netmask]

That should do the trick. This process is known as hair-pinning.

Of course, please be careful when typing in these commands on a production ASA as your configuration may be different.

You should ALWAYS backup your configs before making any changes.

Alan Harrylal
0 Votes
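The hairpinning steps in the comment above, carried through as one complete configuration. This is an added example, not the commenter's config: the pool name SSLVPN_POOL and the 10.10.10.0/24 range are constructed placeholders, and the NAT lines use the pre-8.3 `global`/`nat` syntax the comment uses.

```cisco
! Added example (not from the thread). SSLVPN_POOL and 10.10.10.0/24 are placeholders;
! substitute the pool you actually hand to SSL VPN clients.
!
! 1. Let a packet enter and leave the same interface (outside -> outside).
!    Without this, the ASA drops the client's Internet-bound traffic after decrypting it.
same-security-traffic permit intra-interface
!
! 2. The address pool assigned to SSL VPN clients. The NAT statement below must cover
!    exactly this range, otherwise some clients get a tunnel but no Internet.
ip local pool SSLVPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! 3. PAT the pool behind the outside interface address as it goes back out.
global (outside) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0
```

To confirm it works, connect a client with split tunneling disabled, browse to an external site, and check `show xlate` for translations whose local address falls in the pool; `show run same-security-traffic` confirms step 1 survived the save. The security point of doing this rather than enabling split tunneling is that every client packet now crosses the ASA, so the same egress policy (ACLs, inspection, logging) that applies to on-site users applies to remote users too. Note that the `global`/`nat` form above is pre-8.3; on 8.3 and later the equivalent is an object NAT rule, so do not paste these lines into a newer ASA unchanged.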
If I read the docs right, if you have a pair of ASAs in failover (like we do), the local CA issue is not allowed.