07-16-2018 12:24 PM - edited 03-12-2019 05:28 AM
In my company's data center we have an ASA 5525-X running Version 9.6(4)3. This ASA is only being used for VPN, both L2L & Anyconnect remote client. I understand how Tunnel Groups & Group Policies work, but I'm not certain how to know which Tunnel Group a specific Anyconnect user would be using when they connect. 99% of our Anyconnect users have a specific profile that their clients use, but we have an outside contractor that is assigned a different profile that wasn't labeled something obvious like "Contractor-Profile". There are also dozens of anyconnect profiles, tunnel groups & group policies configured on the ASA, so there are a lot of possible choices.
Here is what I have confirmed below & I am wondering if this anyconnect user is actually even using a tunnel group at all. I assume he is, because my studies indicate that all types of VPNs use tunnel groups. Here is the config. Like I said, there are no tunnel groups labeled with an obvious telltale name that I could use to identify it with this user, so I did not include any tunnel groups. I also have access to the ASA via ASDM.
---------------------------------------------------------------------------------------
username bob1 password SeIxgEsd2ZRXHSL3 encrypted
username bob1 attributes
vpn-group-policy DenyAllPolicy
vpn-filter value Contractor_VoIP_Vendor
service-type remote-access
group-policy DenyAllPolicy internal
group-policy DenyAllPolicy attributes
vpn-filter value DenyAll
vpn-tunnel-protocol ikev1 ssl-client
access-list Contractor_VoIP_Vendor extended permit ip any4 object-group VoIP_Hosts
07-16-2018 04:44 PM
If you don't specify anything, the ASA uses DefaultWebvpnGroup for AnyConnect connections. You can have users fall into other tunnel-groups using the following methods:
1) Use group-alias and select the "Allow user to select connection profile" option.
2) Create a tunnel-group-url that directly puts the user into the defined tunnel-group.
3) Use certificate to tunnel-group mapping along with certificate authentication to automatically move users to tunnel-group based on certificate matching rules.
You can verify which tunnel-groups users are falling into using the "show vpn-sessiondb anyconnect" command on the CLI.
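As an added illustration of that last check (my own example, not the answerer's code or any Cisco tooling), here is a small Python parser for the output of "show vpn-sessiondb anyconnect" that reports which tunnel group and group policy a given user landed in, and which users fell through to DefaultWEBVPNGroup because nothing steered them elsewhere. The sample output is constructed to match the command's layout and was not captured from the asker's ASA; the second user is made up.

```python
import re

# Constructed sample modelled on the layout of "show vpn-sessiondb anyconnect";
# not captured from the asker's ASA, and the second user is made up.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect
Username     : bob1                   Index        : 41
Assigned IP  : 192.0.2.10             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : DenyAllPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:30:01 UTC Mon Jul 16 2018
Duration     : 0h:05m:10s

Username     : alice                  Index        : 42
Assigned IP  : 192.0.2.11             Public IP    : 198.51.100.8
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : Employee-GP            Tunnel Group : Employee-TG
Login Time   : 12:31:45 UTC Mon Jul 16 2018
Duration     : 0h:03m:26s
"""

# One "Key : Value" field; the lookahead ends a value before the next column's
# key, so "Group Policy : X    Tunnel Group : Y" yields both fields.
_FIELD = re.compile(r"([A-Z][A-Za-z ]*?)\s+:\s+(.*?)(?=\s{2,}[A-Z][A-Za-z ]*?\s+:\s|$)")

def parse_sessions(text):
    """Return one dict of fields per AnyConnect session in the command output."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Username"):
            sessions.append({})   # every session block opens with a Username line
        if not sessions:
            continue              # header lines before the first session
        for key, value in _FIELD.findall(line):
            sessions[-1][key.strip()] = value.strip()
    return sessions

def tunnel_group_for(sessions, username):
    """(tunnel group, group policy) the user landed in, or None if not connected."""
    for s in sessions:
        if s.get("Username") == username:
            return s.get("Tunnel Group"), s.get("Group Policy")
    return None

def users_in_default_group(sessions):
    """Users who fell through to DefaultWEBVPNGroup rather than a specific tunnel group."""
    return sorted(s["Username"] for s in sessions
                  if s.get("Tunnel Group", "").lower() == "defaultwebvpngroup")
```

Paste the real command output in place of the sample and the same two functions answer the original question for the live sessions.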