Solved

Cisco ASA Webvpn Customization Setup

Posted on 2010-11-19
Last Modified: 2012-05-10
Hello,
I am in the process of customizing my new 5505 ASA webvpn for my company. I am having some issues with the simple task of getting bookmarks set up. I am mainly using the ASDM for all the webvpn setup.

I have five or six connection profiles set up for different departments. Each of these is also configured to call back to its own respective group policy.

In the group policies I have them set up to all have their own custom page template and bookmark list.

One of my questions is that there simply are no bookmarks anywhere in the webvpn site. Where are they supposed to be? Anyone have any suggestions to this?

Also, an additional question. I currently have all these connection profiles, but I cannot seem to find a good solution to only let certain users connect to each. I have LDAP authentication set up and working.

Thanks!
Question by:bullhog
7 Comments
 
LVL 10

Expert Comment

by:stsonline
ID: 34192263
First, what do you mean by 'there simply are no bookmarks anywhere in the webvpn site'? Do you mean they don't show up when you log onto the webvpn? Your bookmarks are defined *only* via the ASDM, Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Bookmarks. If they are defined there and do not show up at login, you've got your Dynamic Access Policies (DAP) misconfigured.

To set certain bookmarks viewable only by certain users, you need to split those users by LDAP membership in a DAP.
 
LVL 1

Author Comment

by:bullhog
ID: 34196422
Thanks for the response. What I meant is that after logging in to the site, the bookmarks do not show up on the home page. I am almost positive the problem is with DAP but I am a little lost with it in ASDM. I tried to set up DAP a while ago but all the help screens I found have.... different information. So I believe this may be causing the issues due to not being able to configure this completely.

The different information being a difference in the "Dynamic Access Policy" screen. My problem is that I do not see the section of the page that lets me define LDAP authorization stuff. (Access/Authorization Policy Attributes)

I have ASA v8.2.1 and ASDM v6.2.1. I have attached a screenshot to show you what I mean by a missing section.

Also, I have tried the ASDM on two different computers. One with the client installed and the other just the java app.
DAP.jpg
 
LVL 10

Accepted Solution

by:
stsonline earned 500 total points
ID: 34196578
Ignore the default DAP for a minute and Add a new policy with ACL Priority 10. Name it 'test' or something - the goal is to first verify your LDAP setup is working correctly. Once the new policy is created, choose a Selection Criteria of 'User has ANY of the following AAA Attributes values...' then click Add. Change the AAA Attribute Type to LDAP and it should give you one Attribute ID: memberOf. Click on 'Get AD Groups' and make sure you are seeing the correct group info from your AD server. To nail a DAP to a particular AD group, select the correct group here then return to the Edit page. On the Action tab click 'Continue', and on the Bookmarks tab find the bookmark list you want the group to see, then Add it to the right pane. Save those changes and you should be good to go.
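As an added example (not from the original thread and not the poster's own configuration), here is roughly what the ASDM steps in the accepted solution produce on an 8.2-era ASA when viewed from the CLI: an LDAP server group, one connection profile and group policy per department, and a DAP record that carries the bookmark list and the "Continue" action. The selection criteria ("User has ANY of the following AAA Attribute values", type LDAP, attribute memberOf) are not part of the running config; ASDM writes them to disk0:/dap.xml, and the excerpt at the end shows that side. All names, IP addresses and DNs are placeholders, and the dap.xml element names are assumed to match what ASDM 6.2 writes, so compare with the file on your own box before editing it by hand.

```text
! --- running-config (assumed names; replace with your own) ---
! LDAP server group the connection profiles authenticate against.
! Use a dedicated, read-only bind account: it only needs to search users and read memberOf.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password ********
 server-type microsoft
!
! Bookmark lists are stored as XML on flash and referenced by name.
! Create them under Portal -> Bookmarks in ASDM, or import a file:
! import webvpn url-list Sales-Bookmarks tftp://10.0.0.20/sales-bookmarks.xml
!
! One group policy per department: its portal customization and its default bookmark list.
group-policy GP-SALES internal
group-policy GP-SALES attributes
 vpn-tunnel-protocol webvpn
 webvpn
  customization value Sales-Portal
  url-list value Sales-Bookmarks
!
! One connection profile (tunnel-group) per department, tied to LDAP and to its group policy.
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 authentication-server-group LDAP-AD
 default-group-policy GP-SALES
tunnel-group SALES webvpn-attributes
 group-alias Sales enable
!
! DAP record: the attribute side of the "Edit Dynamic Access Policy" screen.
! Priority 10, Action tab = Continue, Bookmarks tab = Sales-Bookmarks.
dynamic-access-policy-record Sales-DAP
 description "Sales staff (AD group CN=Sales)"
 priority 10
 url-list value Sales-Bookmarks
 action continue
!
! --- disk0:/dap.xml (selection-criteria side, written by ASDM; element names assumed) ---
! "User has ANY of the following AAA Attribute values":
! Type = LDAP, Attribute ID = memberOf, Value = the AD group's DN.
<dapRecordList>
  <dapRecord>
    <dapName>
      <value>Sales-DAP</value>
    </dapName>
    <dapViewsRelation>
      <value>and</value>
    </dapViewsRelation>
    <dapBasicView>
      <dapSelection>
        <dapPolicy>
          <value>match-any</value>
        </dapPolicy>
        <attr>
          <name>aaa.ldap.memberOf</name>
          <value>CN=Sales,OU=Groups,DC=example,DC=com</value>
          <operation>EQ</operation>
          <type>caseless</type>
        </attr>
      </dapSelection>
    </dapBasicView>
  </dapRecord>
</dapRecordList>
```

Two checks worth doing before blaming DAP: `test aaa-server authentication LDAP-AD host 10.0.0.10 username <user> password <password>` together with `debug ldap 255` shows whether the ASA can bind and whether memberOf actually comes back for that user (the "Get AD Groups" button depends on the same bind account being able to read group membership), and `debug dap trace` during a portal login shows which DAP records matched. Keep in mind that DAP records aggregate: a user who matches several records gets the union of their bookmark lists, so a broad default record can leak another department's bookmarks into every portal.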
 
LVL 10

Expert Comment

by:stsonline
ID: 34196595
BTW, the LDAP setup is on the same Configuration page under AAA/Local Users, AAA Server Groups.
 
LVL 10

Expert Comment

by:stsonline
ID: 34196621
Here's a fairly good link to a Cisco doc regarding configuring DAPs. Keep in mind most of the DAP functionality is geared towards interaction with Cisco Secure Desktop but the basic LDAP stuff is useful for applying specific bookmark lists and such.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html
 
LVL 1

Author Comment

by:bullhog
ID: 34196675
Ok... so a side note to this question. The reason I was having so many problems doing any setup with DAP was that I could not see the "add, edit, delete" buttons on the right of the ASDM. My screen is set to 1280x1024 so I never imagined that screen resolution could be the issue. I ran ASDM on a separate computer with 1680x1080 (I don't know if that's correct or not...) and I could see the add, edit, delete buttons.

What an infuriating reason to have so many problems... I will proceed to set this up and if I have more questions on DAP setup, I will post them here.
 
LVL 1

Author Comment

by:bullhog
ID: 34196926
Well, magically things are working how I want them to now. I guess my only question left to be answered is the screen resolution issue. Is there a way to launch ASDM in a specific resolution so that it does not try to auto adjust?

I still have the issue that I cannot see certain things unless I am on a computer with an abnormally high screen resolution.