Hi Tyson, Thanks, you answer my question. It is absolutely clear. Thanks and Regards,Pipatpong From: [email protected] To: [email protected]; [email protected] CC: [email protected] Subject: RE: [OSL | CCIE_Security] ASA and Group URL Date: Sat, 2 Oct 2010 11:31:57 -0400
There is no difference between the first and the third. Just the difference of using hostname versus IP. But beyond that the three types of URI's shown accomplish the same task. All that matters is that the URI is unique for each group. when the ASA receives the incoming HTTP connect request it will look at the URI field of the HTTP header and associate the request with the appropriate group, so it doesn't matter if you use https://asa.cisco.com/sslcient or https://sslclient.asa.cisco.com. It just matters that whatever you use is consistent for your own sanity. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Managing Partner / Sr. Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com From: [email protected] [mailto:[email protected]] On Behalf Of Pipatpong Samranpit Sent: Saturday, October 02, 2010 11:24 AM To: [email protected] Cc: [email protected] Subject: Re: [OSL | CCIE_Security] ASA and Group URL Hi Kings, Please explain the format for the option 2 "https://sslclient.asa.cisco.com";. Thanks and Regards, Pipatpong From: [email protected] To: [email protected] CC: [email protected] Subject: RE: [OSL | CCIE_Security] ASA and Group URL Date: Sat, 2 Oct 2010 07:07:17 -0800 Hi Kings, Big thanks for you suggestion. I may specify for wrong URL in my question. It still need IP address or FQDN of the ASA in my URL. There are three formats of group URL strings are supported from Cisco document: 1. https://asa.cisco.com/sslclient 2. https://sslclient.asa.cisco.com 3. https://171.69.37.70/sslclient I can configure all of them and clear about the option #1 and #3 but do not understand the option #2 "https://sslclient.asa.cisco.com";. Do I need to configure "group-alias sslclient" when I configure WebVPN using the CLI for group-url? tunnel-group SSLCLIENT webvpn-attributes group-alias sslclient enable group-url https://sslclient.asa.cisco.com enable Thanks and Regards, Pipatpong Date: Sat, 2 Oct 2010 20:07:50 +0530 Subject: Re: [OSL | CCIE_Security] ASA and Group URL From: [email protected] To: [email protected] CC: [email protected] For a particular connection profile (tunnel-group), you can configure more than one group-url. When the WebVPN requests comes to ASA through the WebVPN enabled interface and if the URL matches anyone of the configured group-url in the tunnel-group, then that tunnel group is used for the WebVPN. In the URL that you have given, they have specified group-url in the form of FQDN and IP address. It's not like there is only three format. It can one, two, three or more than that. >From 8.0, you can configure URL-list no more using CLI. You can configure it using ASDM which uses xmls. ASDM is not the scope of CCIE and you can ignore URL-lists. But still you can enter the URLs in the browser tab in the portal and also you need to e aware of WebVPN filter of URLs and port forward. With regards Kings On Sat, Oct 2, 2010 at 5:40 PM, Pipatpong Samranpit <[email protected]> wrote: Hi all, I may specify wrong url for my question and I just know that three formats of group URL strings are supported as the following url: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml Figure 3: Configure Group-URLs for the Connection Profile Note: In this example, the group-url is configured in three different formats. The user can enter any one of them in order to connect to the ASA through the sslclient connection profile. Could anyone help me to give more explain about three formats of group-url? Cheers, Pipatpong From: [email protected] To: [email protected] Date: Sat, 2 Oct 2010 02:45:10 -0800 Subject: [OSL | CCIE_Security] ASA and Group URL Hi, I want to configure WEBVPN on Cisco ASA for two different groups of user 1. Group "CustomerA", url = https://www.CustomerA.com, tunnel-group "CustomerA" 2. Group "CustomerB", url = https://www.CustomerB.com, tunnel-group "CustomerB" How do I allow user to access the appropriate tunnel-group by the above URL without to specify the IP address or FQDN of the ASA as part of the URL? Cheers, Pipatpong _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
