How to Know What Tunnel Group is being Used

Hawk
Level 1

In my company's data center we have an ASA 5525-X running Version 9.6(4)3. This ASA is only being used for VPN, both L2L & AnyConnect remote client. I understand how Tunnel Groups & Group Policies work, but I'm not certain how to know which Tunnel Group a specific AnyConnect user would be using when they connect. 99% of our AnyConnect users have a specific profile that their clients use, but we have an outside contractor who is assigned a different profile that wasn't labeled something obvious like "Contractor-Profile". There are also dozens of AnyConnect profiles, tunnel groups & group policies configured on the ASA, so there are a lot of possible choices.

 

Here is what I have confirmed below, & I am wondering if this AnyConnect user is actually even using a tunnel group at all. I assume he is, because my studies indicate that all types of VPNs use tunnel groups. Here is the config. Like I said, there are no tunnel groups labeled with an obvious telltale name that I could use to identify it with this user, so I did not include any tunnel groups. I also have access to the ASA via ASDM.

---------------------------------------------------------------------------------------

username bob1 password SeIxgEsd2ZRXHSL3 encrypted
username bob1 attributes
 vpn-group-policy DenyAllPolicy
 vpn-filter value Contractor_VoIP_Vendor
 service-type remote-access

group-policy DenyAllPolicy internal
group-policy DenyAllPolicy attributes
 vpn-filter value DenyAll
 vpn-tunnel-protocol ikev1 ssl-client

access-list Contractor_VoIP_Vendor extended permit ip any4 object-group VoIP_Hosts

Accepted Solution

Rahul Govindan
VIP Alumni

If you don't specify anything, the ASA uses DefaultWebvpnGroup for AnyConnect connections. You can have users fall into other tunnel-groups using the following methods:

1) Use group-alias and select the "Allow user to select connection profile" option.

2) Create a Tunnel-group-url that directly puts the user into the defined tunnel-group.

3) Use certificate to tunnel-group mapping along with certificate authentication to automatically move users to tunnel-group based on certificate matching rules.

You can verify which tunnel-groups users are falling into using the "show vpn-sessiondb anyconnect" command on the CLI.

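As an added example that is not part of the thread and not Cisco's code: a small Python parser that takes captured "show vpn-sessiondb anyconnect" output, reports the tunnel-group and group policy each session actually landed in, and cross-references the running config to show which of the three selection paths in the answer (group-alias, group-url, certificate-group-map) can steer a client into that tunnel-group. Both inputs are constructed samples that approximate ASA 9.x formatting; the names TG-Employees, TG-Vendor, GP-Employees, VendorCerts, alice and vpn.example.com are made up for the example.

```python
"""Find the tunnel-group (connection profile) the ASA put an AnyConnect user
in, and list how that tunnel-group is reachable. Added example for this
thread, not Cisco's code. Inputs are constructed samples approximating ASA
9.x 'show vpn-sessiondb anyconnect' and 'show running-config' output."""
import re
from typing import Dict, List, Optional

# Constructed sample. bob1 matched no alias, group-url or certificate map,
# so he landed in DefaultWEBVPNGroup; his group policy still comes from
# 'username bob1 attributes', which override the tunnel-group default.
SESSION_SAMPLE = """\
Session Type: AnyConnect

Username     : alice                  Index        : 101
Assigned IP  : 10.20.0.11             Public IP    : 198.51.100.20
Group Policy : GP-Employees           Tunnel Group : TG-Employees
Login Time   : 09:12:40 UTC Mon Jan 6 2020

Username     : bob1                   Index        : 102
Assigned IP  : 10.20.0.12             Public IP    : 203.0.113.7
Group Policy : DenyAllPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:21:34 UTC Mon Jan 6 2020
"""
# Constructed sample of the relevant running-config sections.
CONFIG_SAMPLE = """\
webvpn
 tunnel-group-list enable
 certificate-group-map VendorCerts 10 TG-Vendor
tunnel-group TG-Employees type remote-access
tunnel-group TG-Employees general-attributes
 default-group-policy GP-Employees
tunnel-group TG-Employees webvpn-attributes
 group-alias Employees enable
 group-url https://vpn.example.com/employees enable
tunnel-group TG-Vendor type remote-access
tunnel-group TG-Vendor webvpn-attributes
 group-url https://vpn.example.com/voip enable
"""
# 'Key : value' pairs, up to two per line; a value ends at the next run of
# two or more spaces or at end of line (so 'Login Time' keeps its colons).
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+:\s+(\S.*?)(?=\s{2,}|$)")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session; a block starts at each 'Username' line."""
    sessions: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Username"):
            current = {}
            sessions.append(current)
        if current is not None:
            current.update((k.strip(), v.strip()) for k, v in FIELD_RE.findall(line))
    return sessions


def session_for(sessions: List[Dict[str, str]], user: str) -> Optional[Dict[str, str]]:
    return next((s for s in sessions if s.get("Username") == user), None)


def parse_config(config: str) -> dict:
    """Per tunnel-group: aliases, group-urls and certificate maps that steer a
    client into it, plus whether the alias dropdown is enabled at all."""
    groups: Dict[str, dict] = {}
    dropdown, section = False, None

    def new() -> dict:
        return {"aliases": [], "urls": [], "cert_maps": []}

    for line in config.splitlines():
        if not line.startswith(" "):                      # top-level command
            m = re.match(r"tunnel-group (\S+) ", line)
            section = m.group(1) if m else ("webvpn" if line == "webvpn" else None)
            if m:
                groups.setdefault(m.group(1), new())
            continue
        parts = line.split()
        if section == "webvpn":
            if parts[:2] == ["tunnel-group-list", "enable"]:
                dropdown = True                           # aliases are shown
            elif parts[0] == "certificate-group-map" and len(parts) == 4:
                groups.setdefault(parts[3], new())["cert_maps"].append(parts[1])
        elif section in groups and "enable" in parts:
            if parts[0] == "group-alias":
                groups[section]["aliases"].append(parts[1])
            elif parts[0] == "group-url":
                groups[section]["urls"].append(parts[1])
    return {"groups": groups, "dropdown": dropdown}


def how_reached(parsed: dict, name: str) -> List[str]:
    """The selection paths a client can take to land in tunnel-group `name`."""
    if name == "DefaultWEBVPNGroup":
        return ["default: no group-alias, group-url or certificate map matched"]
    g = parsed["groups"].get(name)
    if g is None:
        return ["not present in the parsed config"]
    state = "in dropdown" if parsed["dropdown"] else "hidden: tunnel-group-list not enabled"
    paths = [f"group-alias {a} ({state})" for a in g["aliases"]]
    paths += [f"group-url {u}" for u in g["urls"]]
    paths += [f"certificate-group-map {m}" for m in g["cert_maps"]]
    return paths or ["no alias, group-url or certificate map: only reachable as a default"]


if __name__ == "__main__":
    cfg = parse_config(CONFIG_SAMPLE)
    for s in parse_sessions(SESSION_SAMPLE):
        print(f"{s['Username']}: tunnel-group={s['Tunnel Group']} group-policy={s['Group Policy']}")
        for p in how_reached(cfg, s["Tunnel Group"]):
            print("   via", p)
```

To capture the input for one user only, "show vpn-sessiondb anyconnect filter name bob1" narrows the output to that session. The "Group Policy" column is the effective policy: for a user like bob1 it comes from the vpn-group-policy under "username bob1 attributes", which takes precedence over the tunnel-group's default-group-policy, so a session can sit in DefaultWEBVPNGroup and still show DenyAllPolicy. Group aliases only appear in the client's dropdown when "tunnel-group-list enable" is set under "webvpn", which is why the parser reports that flag alongside each alias.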