Configure the Adaptive Security Appliance to Support WebVPN
Configure WebVPN servers and URLs

Enable WebVPN Protocol for Group Policy
Use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode to configure a VPN tunnel type for the user or group. The following types are available:

  • IPSec – Negotiates an IPSec tunnel between two peers, such as a remote access client or another secure gateway. Creates security associations that govern authentication, encryption, encapsulation, and key management.
  • L2TP/IPSec – Provides interoperability with the Microsoft VPN client.
  • webvpn – Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

Enable URL Entry for WebVPN Users
Use the webvpn command in group-policy configuration mode or in username configuration mode to enter webvpn mode. These webvpn commands apply to the username or group policy from which they are configured. The webvpn commands for group policies and usernames define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.

There are two webvpn modes. The one entered from global configuration mode lets the administrator configure global settings for WebVPN. The one described in this section, entered from group-policy or username mode, lets the administrator customize a WebVPN configuration for specific users or group policies. WebVPN does not need to be configured to use e-mail proxies.

Use the functions command in webvpn mode to enable file access and file browsing, MAPI Proxy, and URL entry over WebVPN for this user or group policy. To remove a configured function, use the no form of this command. To remove all configured functions, including a null value created by issuing the functions none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting function values, use the functions none command. Functions are disabled by default.

The url-entry parameter enables or disables user entry of URLs. When enabled, the Adaptive Security Appliance still restricts URLs with any configured URL or network ACLs. When URL entry is disabled, the ASA restricts WebVPN users to the URLs on the home page. Use the url-list command in webvpn mode, which is entered from group-policy or username mode, to apply a list of WebVPN servers and URLs to a particular user or group policy. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy.

To prevent inheriting a URL list, use the url-list none command. Before the url-list command can be used in webvpn mode to identify a URL list to display on the WebVPN home page for a user or group policy, the list must be created. Use the url-list command in global configuration mode to create one or more lists.

Defining URLs with the url-list Command
Use the url-list command in global configuration mode to configure a set of URLs for WebVPN users to access. To configure a list with multiple URLs, use this command with the same listname multiple times, once for each URL. To remove an entire configured list, use the no url-list listname command. To remove a configured URL, use the no url-list listname url command. To configure multiple lists, use this command multiple times, assigning a unique listname to each list. To allow access to the URLs in a list for a specific group policy or user, use the listname created here with the url-list command in webvpn mode.

The example in Figure illustrates the various parameters that must be configured on the Adaptive Security Appliance to enable WebVPN access to the resources on the private network. File access via CIFS is configured in the same basic manner.
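
The following audit script is an added example, not part of the original page or of Cisco's documentation. It checks two points made above for each group policy: whether url-entry is enabled, and whether the URL list applied in webvpn mode was actually created in global configuration mode. The configuration excerpt, policy names, list names and URLs are constructed, and the exact running-config layout (including the url-list value form) is an assumption.

```python
# Constructed sample in the style of an ASA running-config; all names and URLs are made up.
SAMPLE_CONFIG = """\
url-list IntranetURLs "HR Portal" https://hr.example.internal
url-list IntranetURLs "Wiki" https://wiki.example.internal
group-policy Staff attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access
  url-list value IntranetURLs
group-policy Contractors attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions none
  url-list value PartnerURLs
"""

def audit_webvpn(config):
    """Return (globally defined list names, per-group-policy settings, findings)."""
    defined, policies, findings = set(), {}, []
    current = None  # group policy whose attributes block is being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # top-level (global configuration) command
            current = None        # any other top-level command ends the block
            if words[0] == "url-list" and len(words) >= 2:
                defined.add(words[1])  # one line per URL, same listname repeated
            elif words[0] == "group-policy" and words[2:] == ["attributes"]:
                current = policies.setdefault(
                    words[1], {"protocols": [], "functions": [], "url_list": None})
        elif current is not None:  # indented line inside a group-policy block
            if words[0] == "vpn-tunnel-protocol":
                current["protocols"] = words[1:]
            elif words[0] == "functions":
                current["functions"] = words[1:]
            elif words[:2] == ["url-list", "value"] and len(words) >= 3:
                current["url_list"] = words[2]
    for name, p in policies.items():
        if p["url_list"] and p["url_list"] not in defined:
            findings.append(f"{name}: url-list {p['url_list']} is not defined globally")
        if "url-entry" in p["functions"]:
            findings.append(f"{name}: url-entry enabled, URLs limited only by ACLs")
    return defined, policies, findings

if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG)[2]:
        print(finding)
```

Settings under username attributes are not covered; only group-policy blocks are read.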