Cisco FirePOWER ASA 5500 series Configuration Manual page 576

Security appliance command line
Configuring Tunnel Groups
Note The WebVPN tunnel-group-list must be enabled for the (dropdown) group list to appear.
Step 5 To specify incoming URLs or IP addresses for the group, use the group-url command. Specifying a
group URL or IP address eliminates the need for the user to select a group at login. When a user logs in,
the security appliance looks for the user's incoming URL or address in the tunnel-group-policy table. If
it finds the URL or address and if group-url is enabled in the tunnel group, then the security appliance
automatically selects the associated tunnel group and presents the user with only the username and
password fields in the login window. This simplifies the user interface and has the added advantage of
never exposing the list of groups to the user. The login window that the user sees uses the customizations
configured for that tunnel group.
If the URL or address is disabled and group-alias is configured, then the dropdown list of groups is also
displayed, and the user must make a selection.
You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be
enabled or disabled individually. You must use a separate group-url command for each URL or address
specified. You must specify the entire URL or address, including either the http or https protocol.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the
uniqueness of the URL or address before accepting the URL or address for a tunnel group.
For each group URL or address, enter a group-url command. You can optionally explicitly enable (the
default) or disable each URL or alias:
hostname(config-tunnel-webvpn)# group-url url [enable | disable]
hostname(config-tunnel-webvpn)#
For example, to enable the group URLs http://www.cisco.com and http://192.168.10.10 for the
tunnel-group named RadiusServer, enter the following commands:
hostname(config)# tunnel-group RadiusServer type webvpn
hostname(config)# tunnel-group RadiusServer general-attributes
hostname(config-tunnel-general)# authentication server-group RADIUS
hostname(config-tunnel-general)# accounting-server-group RADIUS
hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
hostname(config-tunnel-webvpn)#
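The two group-url rules stated above (every URL must carry the http or https scheme, and no URL or address may be bound to more than one tunnel group) can be checked on an exported or candidate configuration before it is pushed. The following lint is an added example, not from the Cisco guide; the Contractors group and its URLs are constructed sample data that deliberately break both rules.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample config modelled on the page's RadiusServer example. The Contractors
# group is hypothetical and deliberately reuses one URL and omits a scheme on another.
SAMPLE_CONFIG = """\
tunnel-group RadiusServer type webvpn
tunnel-group RadiusServer webvpn-attributes
 group-alias "Cisco Remote Access" enable
 group-url http://www.cisco.com enable
 group-url http://192.168.10.10 enable
tunnel-group Contractors type webvpn
tunnel-group Contractors webvpn-attributes
 group-url http://192.168.10.10 enable
 group-url vpn.example.com/contractors disable
"""

GROUP_RE = re.compile(r"^tunnel-group (\S+) webvpn-attributes$")
URL_RE = re.compile(r"^\s+group-url (\S+)(?: (enable|disable))?$")

def parse_group_urls(config):
    """Return {group: [(url, enabled)]} from each webvpn-attributes section."""
    groups, current = defaultdict(list), None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):  # any other top-level line closes the section
            current = None
            continue
        m = URL_RE.match(line)
        if m and current:  # "enable" is the default when neither keyword is given
            groups[current].append((m.group(1), m.group(2) != "disable"))
    return dict(groups)

def audit_group_urls(config):
    """Return findings for the two rules the manual states; an empty list means both hold."""
    findings, owners = [], defaultdict(set)
    for group, urls in parse_group_urls(config).items():
        for url, _enabled in urls:
            if urlparse(url).scheme not in ("http", "https"):
                findings.append(f"{group}: group-url {url} lacks the required http/https scheme")
            owners[url].add(group)
    for url, groups in owners.items():
        if len(groups) > 1:
            findings.append(f"group-url {url} is bound to multiple groups: {', '.join(sorted(groups))}")
    return findings
```

Run audit_group_urls over a saved running-config; the appliance would reject the duplicate at the CLI, but catching it in review avoids a half-applied tunnel-group change.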
For a more extensive example, see Customizing Login Windows for WebVPN Users, page 30-23.
Step 6 To specify the DNS server to use for a WebVPN tunnel group, enter the dns-group command. The
default value is DefaultDNS:
hostname(config-tunnel-webvpn)# dns-group {hostname | ip_address}
hostname(config-tunnel-webvpn)#
The dns-group command resolves the hostname to the appropriate DNS server for the tunnel group. For
example, to specify the use of the DNS server named server1, enter the following command:
hostname(config)# name 10.10.10.1 server1
hostname(config-tunnel-webvpn)# dns-group server1
hostname(config-tunnel-webvpn)#
Step 7 (Optional) To specify a VPN feature policy if you use the Cisco Secure Desktop Manager to set the
Group-Based Policy attribute to "Use Failure Group-Policy" or "Use Success Group-Policy, if criteria
match," use the hic-fail-group-policy command. The default value is DfltGrpPolicy.
hostname(config-tunnel-webvpn)# hic-fail-group-policy name
Cisco Security Appliance Command Line Configuration Guide
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
30-22
OL-10088-01