RE: Web VPN URL-List on ASA (8.0)

Interesting point. I haven't looked into the requirements of the lab but I
wonder how Cisco will handle WebVPN if it's on the exam and you cannot use
ASDM.

________________________________
From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Wednesday, May 13, 2009 9:43 AM
To: Diment, Andrew
Cc: Tomi Amao; ccielab_at_groupstudy.com
Subject: Re: Web VPN URL-List on ASA (8.0)

Thanks Andrew! In that case, its then yet another case of one less technology
to worry about as far as the new lab exam goes for the security then, eh?
Since ASDM is not allowed in the exam.

Thanks,

On Wed, May 13, 2009 at 3:24 PM, Diment, Andrew
<Andrew.Diment_at_qwest.com<mailto:Andrew.Diment_at_qwest.com>> wrote:
The URL-LIST is now gone, you have to use the XML file. The ASA has just
evolved to the point where you have to use the ASDM (at least for WebVPN).
You can create or modify and import an XML file manually but that is a whole
different ball game then configuring an ASA.

Andy

-----Original Message-----
From: nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>
[mailto:nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>] On Behalf Of Tomi
Amao
Sent: Wednesday, May 13, 2009 8:26 AM
To: sadiqtanko_at_gmail.com<mailto:sadiqtanko_at_gmail.com>
Cc: ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>
Subject: RE: Web VPN URL-List on ASA (8.0)

Sadiq,

Yea you're right the feature has been limited to the import xml feature as
from ASA version 8.1. I've never really been able to set that up using the
import feature but it is possible, just a lil more difficult in my own
opinion. It's cleaner when done from the ASDM.

Regards,

Tomi

Date: Wed, 13 May 2009 14:22:00 +0100
Subject: Re: Web VPN URL-List on ASA (8.0)
From: sadiqtanko_at_gmail.com<mailto:sadiqtanko_at_gmail.com>
To: tomiground_at_hotmail.com<mailto:tomiground_at_hotmail.com>
CC: wmontoya_at_divixsa.com<mailto:wmontoya_at_divixsa.com>;
ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>

Tomi,

Yes, I get this feeling that it would be easier with from the ASDM interface.
But I also think if its available from the ASDM, then it should be also
configurable via the CLI. I will give the ASDM a go, and see what config that
generates on the CLI config.

Farouq,

I am referring to url-lists (webvpn bookmarks). I am suspecting my browser to
be shagged. I will install FF, see if that works.

Waldir,

As pointed out by Tomi, that command seems to be depricated on the 8.x code it
seems. See below for a log message generated when I try to do that. I have
read about an option to import the list using xml, could it be that they have
restricted this feature to the import method then?

Thanks a mil guys for taking out time to look at the this!

Sadiq

VPN(config)# group-policy WEBVPN attributes VPN(config-group-policy)#
vpn-tunnel-protocol webvpn VPN(config-group-policy)# webvpn
VPN(config-group-webvpn)# url-list ?

config-group-webvpn mode commands/options:
 none Specify an empty list of WebVPN servers/URLs
 value Specify a list of WebVPN servers/URLs VPN(config-group-webvpn)#
url-list value WEB_URL_LIST
ERROR: No url-list "WEB_URL_LIST" exists.

On Wed, May 13, 2009 at 2:12 PM, Tomi Amao
<tomiground_at_hotmail.com<mailto:tomiground_at_hotmail.com>> wrote:

Hi Walid,

Yea this would work. But from ASA version 8.1 the url-list command has been
deprecated. So personally i feel learning how to go about it with the ASDM
would be a good choice.

Regards,

Tomi

Date: Wed, 13 May 2009 08:08:02 -0500
Subject: Re: Web VPN URL-List on ASA (8.0)
From: wmontoya_at_divixsa.com<mailto:wmontoya_at_divixsa.com>
To: tomiground_at_hotmail.com<mailto:tomiground_at_hotmail.com>
CC: sadiqtanko_at_gmail.com<mailto:sadiqtanko_at_gmail.com>;
ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>

Under the group policy, then under webvpn you can tye url-list value "name"

group-policy test attributes
 vpn-access-hours none
 vpn-simultaneous-logins 700
 vpn-tunnel-protocol webvpn
 webvpn
 url-list value test

The smart-tunnel is something they came with to solve some issues about web
applications through the webvpn.

2009/5/13 Tomi Amao <tomiground_at_hotmail.com<mailto:tomiground_at_hotmail.com>>

Hi Sadiq,

Well url-list no longer works like it used to in previous ASA versions. Now
u'd be better off configuring it from the ASDM. Enable ASDM on your ASA and
under remote-access i believe, configure your bookmarks and attach to your
group-policy that would get your url-list up. Also some advanced customization
techniques can be applied from the ASDM to provide a better look-and-feel.

Regards,

Tomi

> Date: Wed, 13 May 2009 12:43:00 +0100
> Subject: Web VPN URL-List on ASA (8.0)
> From: sadiqtanko_at_gmail.com<mailto:sadiqtanko_at_gmail.com>
> To: security_at_groupstudy.com<mailto:security_at_groupstudy.com>;
ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>

>
> I have been trying to get URL-Listing on 8.0 code and having a tough
> time doing this. Also. when portforwarding is envoked on the PC, the
> page just hangs and nothing appears in the dialog box that launches on
> the webbrowser (after the I successfully log into the WebVPN page),
> although ASA says the vpn-session is established and connected. See sample
config for 8.0 below:
>
> username WEBUSER password oW41BWsG68c8N2FO encrypted
>
> webvpn
> enable Public
> port-forward PORTFORWARD 2023 191.1.118.10 telnet tunnel-group-list
> enable
>
> group-policy WEBVPN internal
> group-policy WEBVPN attributes
> vpn-tunnel-protocol webvpn
> webvpn
> port-forward name PORTFORWARD
> port-forward auto-start PORTFORWARD
> url-entry enable
>
> tunnel-group WEBVPN type remote-access tunnel-group WEBVPN
> general-attributes default-group-policy WEBVPN tunnel-group WEBVPN
> webvpn-attributes group-alias WEB enable
>
>
> Anyone knows if URL_List is even supported? They seem to be talking about
> some "Smart tunnels" feature. Is this like a replacement for the URL-List?
I
> simply just dont see any information related to url-list on the config
guide
> for 8.0
>
> Thanks as usual guys,
> Sadiq
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
Received on Wed May 13 2009 - 09:57:36 ART