Re: [OSL | CCIE_Security] ASA and Group URL

[Tyson Scott]

There is no difference between the first and the third.  Just the difference
of using hostname versus IP.

 

But beyond that the three types of URI's shown accomplish the same task.
All that matters is that the URI is unique for each group.

 

when the ASA receives the incoming HTTP connect request it will look at the
URI field of the HTTP header and associate the request with the appropriate
group, so it doesn't matter if you use https://asa.cisco.com/sslcient or
https://sslclient.asa.cisco.com.  It just matters that whatever you use is
consistent for your own sanity.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto:  <mailto:tsc...@ipexpert.com> tsc...@ipexpert.com

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit:  <http://www.ipexpert.com/chat>
www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
<http://www.ipexpert.com/communities> www.ipexpert.com/communities and our
public website at  <http://www.ipexpert.com/> www.ipexpert.com

 

From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Pipatpong
Samranpit
Sent: Saturday, October 02, 2010 11:24 AM
To: kingsley.char...@gmail.com
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ASA and Group URL

 

Hi Kings,

 

Please explain the format for the option 2
"https://sslclient.asa.cisco.com";.

 

Thanks and Regards,

Pipatpong

 

  _____  

From: pipatpong_samran...@hotmail.com
To: kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] ASA and Group URL
Date: Sat, 2 Oct 2010 07:07:17 -0800

Hi Kings,

 

Big thanks for you suggestion. I may specify for wrong URL in my question.
It still need IP address or FQDN of the ASA in my URL.

There are three formats of group URL strings are supported from Cisco
document:

 

1. https://asa.cisco.com/sslclient

2. https://sslclient.asa.cisco.com

3. https://171.69.37.70/sslclient

 

I can configure all of them and clear about the option #1 and #3 but do not
understand the option #2 "https://sslclient.asa.cisco.com";.

Do I need to configure "group-alias sslclient" when I configure WebVPN using
the CLI for group-url?

 

tunnel-group SSLCLIENT webvpn-attributes

 group-alias sslclient enable

 group-url https://sslclient.asa.cisco.com enable

 

Thanks and Regards,

Pipatpong

 

  _____  

Date: Sat, 2 Oct 2010 20:07:50 +0530
Subject: Re: [OSL | CCIE_Security] ASA and Group URL
From: kingsley.char...@gmail.com
To: pipatpong_samran...@hotmail.com
CC: ccie_security@onlinestudylist.com

For a particular connection profile (tunnel-group), you can configure more
than one group-url. When the WebVPN requests comes to ASA through the WebVPN
enabled interface and if the URL matches anyone of the configured group-url
in the tunnel-group, then that tunnel group is used for the WebVPN.

In the URL that you have given, they have specified group-url in the form of
FQDN and IP address. 

It's not like there is only three format. It can one, two, three or more
than that.


>From 8.0, you can configure URL-list no more using CLI. You can configure it
using ASDM which uses xmls. ASDM is not the scope of CCIE and you can ignore

URL-lists. 

But still you can enter the URLs in the browser tab in the portal and also
you need to e aware of WebVPN filter of URLs and port forward.


With regards
Kings

On Sat, Oct 2, 2010 at 5:40 PM, Pipatpong Samranpit
<pipatpong_samran...@hotmail.com> wrote:

Hi all,

 

I may specify wrong url for my question and I just know that three formats
of group URL strings

are supported as the following url:

 

 
<http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094ab
cb.shtml>
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abc
b.shtml

 

Figure 3: Configure Group-URLs for the Connection Profile

 

Note: In this example, the group-url is configured in three different
formats. The user can enter any one of them in order to connect to the ASA
through the sslclient connection profile.

 

Could anyone help me to give more explain about three formats of group-url?

 

Cheers,

Pipatpong

 

  _____  

From: pipatpong_samran...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Sat, 2 Oct 2010 02:45:10 -0800
Subject: [OSL | CCIE_Security] ASA and Group URL



Hi,

 

I want to configure WEBVPN on Cisco ASA for two different groups of user

 

1. Group "CustomerA", url = https://www.CustomerA.com, tunnel-group
"CustomerA"

2. Group "CustomerB", url = https://www.CustomerB.com,  tunnel-group
"CustomerB"

 

How do I allow user to access the appropriate tunnel-group by the above URL
without to

specify the IP address or FQDN of the ASA as part of the URL?

 

Cheers,

Pipatpong

 

 

 

 

 

 

 

_______________________________________________ For more information
regarding industry leading CCIE Lab training, please visit www.ipexpert.com 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com