Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 4

5. Connection Profile vs Group Policy

Hello guys, welcome to another video. This one should be a good video. We are going to talk about going to be on the Sam and we are going to go over connection profile versus the group policies and how they actually work. So let’s go ahead and go to my Aspiration ACM, I have it right here. Let’s go and refresh it because I configure something. So over here on the ASCM the way that you can go to the configure a remote SSL VPN is by going to configuration, remote access VPN and here’s everything. So the first thing that we need to configure whenever we configure an SSL clientless VPN is going to be a connection profile and what is a connection profile guys? Well a connection profile are the pre login policies basically and they’re also called tonal groups and it is basically how the user is going to authenticate which URL the user is going to use to connect to the SSL clientless VPN access, all of that. Like I said, the connection profiles are the pre login policy like how to authenticate how long the password needs to be, the custom URL that user is going to have to access and all that good stuff. And also how is the user going to authenticate, is it going to be using AAAA server, is it going to be using LDAP, is it going to be using logo users?

That also goes into the connection profiles because it is the pre login policies and then we have the other part which is group policies. Well group policies are the post login policies which are permissions that the user have in that group policy authorization where you have access to restriction, what we don’t have access to and these are apply after login. You could also to those group policies, you can either add BOOKMARKS protocols like SSH, Https so you can configure a lot of stuff, you can even look at it. If you’re going to add one you can see that there’s other options that you can add to the group policies. So also what kind of protocol is that group of people and group policies going to have access to? So this is post login policies, web ACL like which ACL are we going to be using to allow him the access hours that this user is allowed to get in?

How many simultaneous logins is the user or the users are allowed to have? Do you want to restrict VLAN connection profile lock if you want to do a maximum connection time? All of that good stuff is in here and also you can add stuff from the portal as well. So group policies you can add a bookmark list, URL, entry file access control if you want to control that. Over here you can control your smart tunnel which I’m going to make another video about smart tunnel and plugins and there is more, even more options like you have session settings login settings customizations. So you have all of that stuff that you can do from the group policy. And this is post login policy. So the group policy is post login policies and connection profiles are pre login policies. So connection profiles are before the login and group policies are after the user logs in. And there are a couple of connection profiles, default policies. Over here we have the default RA group policy. And this is for remote access. It says right here default RA for remote access group. So this connection profile is the default for remote access VPN. This one over here is the default for web VPN. So for SSL VPN. For client SSL VPN?

This is the default web VPN group. That’s what it’s called, that’s the default policy. And what happens is when for this group, for these default policies, and you can see that the group policy, there’s a default as well, which is for this default group policy is attached to these two connection profile policies. So if you go into this default remote access group, you can see that everything is pre configured, ready, you’re able to edit it, but you cannot remove it. And you can see that the default group policy right here is the default group policy and it has enabled the clients as a VPN and all that good stuff. You can see that we have also a default web VPN and it has a default policy as well attached to it. And this enabled clientless SSL VPN product as well for these users that are in here. So if you want to, you don’t have to really. Let’s see if we are able to actually connect. Let’s go into my Windows device over here so we can keep talking about this pre login policies and post login policies. So let’s go into my Windows device that I have over here. Let me see what’s my IP address? I don’t think he has the correct IP address. He needs to be one and two, one two. Like I said, it doesn’t have the correct IP address. And then the default gateway 168 one one. The first step that I always do is before I connect, I want to verify that I’m able to reach 21 one. I’m able to do that. So let’s go ahead and go into the browser and see if we are able to go into 21 21 page. Let’s go back details going to the page. Anyways, it’s not secure.

Just going to the page and there we go. So we are able to get into this SSL VPN and that’s thanks to the default connection profiles that we have over here, that one VPN profile has the, since it has the default group policies. So the connection profile like I said, is the pre login policies. And you can see since we have a default right here and we cannot delete it, but we can edit it. So there’s a default web policy and if we go into the group policies, we have the default group policy as well. So let’s see, let’s go over here into connection profile. So let’s go ahead and see who has access to this and see if we are able to log in. And you can see that the pre login policy is using AAA. It’s not using AAA, it’s using local the local it’s using AAA but it’s using the local one. So let’s see if we are able to log in with one of the users. Let’s go into local users. Let’s see if we are able to log in with this user froze. Let’s give it 1 second. There we go. See if we’re able to log in. There we go.

So I’m able to log in over here and this is due to because we have a default group policy and that’s why it is good for you to edit this group policy if that’s the only policy that you have. You can edit and just remove the access to anybody. And you can see right here we have access to any connect and some web applications but we don’t have any BOOKMARKS. So if we want to edit what’s in here right, you need to go into the group policy because this is post login. So this is after you log in. So we need to go ahead and edit the group policy. So let’s go ahead and edit the default group policy. You can create a banner welcome to default group policy. Let’s go ahead and press OK, save it and all we have to do over here is refresh it. Refresh it doesn’t show it. We probably have to log out and then log back in. Here we go, welcome to default group policy. I spelled default incorrectly but that’s fine. There we go. It gives you the banner welcome to that. And also you can even do more options and you can see that it gives you three. So you’re able to simultaneously log in from three.

You are able to have three connections. So if you go over here, if you go to this going to the web page, you’re able to log in three times. So you can see so we still have a connection right here. Actually it locked me out. So it looks like this simultaneously login. It doesn’t let me that’s because probably because I don’t have that SSA active. But you can see, you can edit everything you want from this default group policy. From over here. You can add BOOKMARKS if you want to. So let’s go ahead and manage that and just say let’s go ahead and add a new one. It’s called BOOKMARKS and add it and let’s go ahead and add a URL which is going to be 170, 216, one, two okay, apply it and let’s go over here and go to so it kicked me out so it’s going to ask her. So it’s not letting me log in. So welcome. Did I not add that? Let’s go and go back. Manage. Add BOOKMARKS one by two. There we go. That’s in there. Applied. Was it saved? Yes, it was safe. Why is it not letting me log in? Let’s go ahead and go into monitoring and let’s go ahead and go into VPN monitoring and we see. We don’t have a session over mode access. Let’s see if you say that we have a session. Right here it is trying to see parsing and displaying the latest monitoring. Come on. And it looks like we have two active and the peak concurrent is two. That’s because of my this is because of the license that I have right now for this ASA. I don’t have a license yet for the ASA. It looks like it froze.

So let’s leave it there. Sessions just say client list refresh and it’s stuck on 97. Log out all the sessions. Let’s see if you’re able to log in now. So there we go. Now we are able to log in and that should give me let’s do a refresh. It looks like the monitoring is not working. That is a little bit too slow. Okay, so there you go. That’s how you are able to configure group policies and all that good stuff. So now if we want to configure our own policy, what we could do is the first one that you want to add one is going to be for the connection profile. So let’s go ahead and create a pre login first and then we create the post login and then we attach a username to the group policy. So over here, let’s just call it Remote Access policy. We’re not going to have an alias. We are going to use a local DNS. Let’s just leave it as default. And for the group policy, we want to add our own policy. So let’s create this group policy. And there we go. Let’s go ahead and click okay, no. Yes. And also we want to make sure that we enable this default policy. Even if you want to disable the default group policy, you can go ahead and do that. So now since we created this pre login, let’s go ahead and edit the post login, which is the group policy that we created inside the connection profile. So let’s go ahead and go into group policy.

This one over here and the banner right now it is set for inherit. And inherit means that it’s going to take it from the default group policy. And the default group policy has a banner of welcome to default group policy. So if leave it as inherit, that’s what it’s going to take. And also from over here, more post login configuration that you can do. But we are going to leave this. We are going to leave it like that and let’s see what else we can do. Log in settings. We’re going to leave the rest like that. So let’s go ahead and make this a little bit bigger and let’s go ahead and apply it and save it. And now let’s go ahead and just assign and let’s go ahead and sign a user to it. Let’s go ahead and assign Oscar to it, apply it, save it. So now let’s go ahead and go into my Windows device and let’s go ahead and log out. And let’s go ahead and log on with Oscar password Cisco. So as you can see it says welcome to default Group policy because it is taking like I said, it is taking this inherited banner from the default policy. So if we just go ahead and check this and let’s just go ahead and save it, apply it, save it and we go back to my Windows device and we log out since it’s not inherent that banner from the default policy, you can say it did not show it over here because it is not inherent.

And we can just go ahead and customize it and say welcome to Group policy, okay? And apply it, save it, Windows device, let’s go ahead and log out. Then we want to log back in. And there we go. Now it says welcome to group policy. As you can see, it is not inherited those settings from default Group policy. I created my own. Okay, so as you can see, we’re here. Let’s go ahead and go into Group policy and create a new post login policy and a new post login policy that I want to set up. Let’s see if we go into the portal, let’s go ahead and add a bookmark. And we don’t want to inherit, we want to have our own BOOKMARKS. And right now it is not not showing any BOOKMARKS for that user. So let’s go ahead and select the BOOKMARKS that we created earlier and apply it and save it. Go into my Windows device logo, log back in. Here we go. Now we have BOOKMARKS over here and we have this web that we just enable on that group policy. So now we have this website that we are able to go to. It is not configured yet. So what we could do, we can go ahead and add that IP address to that website.

So if you go into ifconfig interface zero, 70, 216, one. Okay, that’s good. Let’s go ahead and go into my Windows device and you can see right here, it is unable to get into that. Let’s go and try it again. And we should be able to get to that website now that we configure that IP address or you say going to, it should do it unable to. I think I misconfigure that because it is saying 112. So let’s go ahead and go into my ASDM Group Policy portal and over here, let’s go ahead and scroll to this side. Let’s go and say manage. Let’s go ahead and refresh it. Go ahead and go to that website now and let’s see if it’s still saying twelve. So let’s go ahead and log out and then it’s going to log back in. Password cisco. There we go. Going to the bookmark. Let’s go into the website. Come on, come on, come on. It’s just 172 16. One, two. Why is that? Let’s go ahead and manage it. Edit, edit. Two. Okay, apply and go back. It looks like it’s not saving it. Okay, I want that too. Good.

Go ahead and turn my Windows device and refresh it. Go into that website and there we go. So now we’re able to reach out to that website. That’s good. So what else can we do? Let’s see if we are able to remove this. We only want this user to have access to only Http and none of the other ones. No FTP, no CIF and no Https. So let’s go ahead and go into the group policy. I believe that’s where it is. And from this group policy, let’s go into the portal right here. I believe. Smart. Single auto sign on to the server. File server entry. Let’s go ahead and disable that. Disable that. Disable that as well. Let’s go ahead and apply it and save it. Let’s go ahead and refresh it. It’s still saying that I have this. Let’s go ahead and log in and log back in. And there you go. Now I remove FTP and also CIFS. Let’s go and see if we are able to remove Https because I don’t want that user to have access to Https. I’m not sure, but let’s go ahead and do URL entry and let’s remove the URL entry from over here. Let’s go ahead and apply it. Refresh still over there. Log out and then log back in.

There we go. The URL entry, it is now gone. So what happens if we go into the group policy and then we say, let’s go into the portal and we want to inherit that bookmark list? What is it going to happen? Let’s see. Let’s go ahead and go into that website. Refresh. Let’s go ahead and log out and then just log back in. So if we inherit, you should take it from this group policy and this default group policy. It does have bookmark and everything is enabled over here, but it seems like it is not inherent for some reason. So inherit only the bookmark list. It is inherited. Let’s go ahead and inherit the URL, inherit everything else, apply it and save it. So if we inherit anything, it’s going to inherit from the group policy because it is on top. So you refresh it? No, we’re going to have to log out and log back in. Just want to show you guys how to inherit works. And there you go.

Now we have this bar and we have access to Https, CIF and FTP. And that’s because we are inheriting those options as you can see right here from the default group policy. So if we go into default group policy and we want to disable all of this, we can do that from the group policy. Since this group policy that we created is taking all the post login policy from this default group policy over here. So now if we just go ahead and log out and log back in. I’ve done that like 100 times. That’s good. There we go. Now it is done. So even though you can see that my username Askr is applied to this post login policy or to this group policy, it is still if we need to edit it from the default group policy because it is being inherited from that default group policy. Okay? And that’s how inherit works. All right, so looking good. Let’s see what else we are able to do. Let’s go ahead and go into connection profiles. Open this right here. And one other thing that you could do for the pre login policies is that you can allow the user to select connection profile on the login page.

Cannot be enabled unless there is a connection alias. Let’s go ahead and edit this group. Apply it. Let’s go ahead and allow apply it, save it. Let’s go ahead and log out and we are going to now you can see this drop down right here so you can get it from a couple of les. So if you want to let’s go ahead and enable this right here. Just enable it for the web VPN. That’s for the SSL right now. And if you go over here and we create an alias, we can just say this is default, fly it, save it. Now let’s go into my Windows device. Let’s go ahead and refresh it. And I would just see that we have two group policies that we can use. Either the default that I spell it incorrectly again or the group one. So those are pre policies that you can have and pre policies like I said, or pre login policies are connection profiles and post login policies are group policies. Okay, so I will leave this set for this video guys. Thank you guys for watching this video. I hope you guys enjoy this video and hopefully you guys learn something from what’s the difference between connection profiles and group policies. Connection profiles are preloading policies and group policies are post login policies. So thank you guys for watching this video. I hope you guys enjoyed and if you guys enjoyed this video, why don’t you guys go ahead and subscribe to my channel also correct there’s.

• Category: Uncategorized