Configuring and applying smart tunnel policy – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 74 Configuring Clientless SSL VPN
Configuring Application Access
• Start smart tunnel access automatically upon user login.
• Enable smart tunnel access upon user login, but require the user to start it manually, using the Application Access > Start Smart Tunnels button on the clientless SSL VPN Portal Page.
Restrictions
These options are mutually exclusive for each group policy and username. Use only one.
The following smart tunnel commands are available to each group policy and username. The
configuration of each group policy and username supports only one of these commands at a time, so
when you enter one, the ASA replaces the one present in the configuration of the group policy or
username in question with the new one, or in the case of the last command, simply removes the
smart-tunnel command already present in the group policy or username.
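The replace-and-inherit behavior described above can be checked offline against a saved configuration. The following Python script is an added example, not part of the Cisco guide; the sample configuration, the list name apps1 and the policy and user names are constructed, and it assumes, as this page states, that an entry without its own smart-tunnel command inherits from the default group policy (DfltGrpPolicy).

```python
import re

# Constructed sample: commands in the order entered (names and list are made up).
SAMPLE_CONFIG = """\
webvpn
 smart-tunnel list apps1 browser firefox.exe
group-policy DfltGrpPolicy attributes
 webvpn
  smart-tunnel disable
group-policy Sales attributes
 webvpn
  smart-tunnel enable apps1
  smart-tunnel auto-start apps1
group-policy Contractors attributes
 webvpn
  smart-tunnel auto-start apps1
  no smart-tunnel
username alice attributes
 webvpn
  smart-tunnel enable apps1
"""

CTX = re.compile(r"^(group-policy|username) (\S+) attributes$")
CMD = re.compile(r"^(no )?smart-tunnel(?: (auto-start \S+|enable \S+|disable))?$")
DEFAULT = "group-policy DfltGrpPolicy"

def effective_smart_tunnel(config):
    """Map each group policy/username to (effective command, 'own' or 'inherited')."""
    own, ctx = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():      # unindented line: new config context
            m = CTX.match(raw.strip())
            ctx = f"{m.group(1)} {m.group(2)}" if m else None
            if ctx:
                own.setdefault(ctx, None)
            continue
        m = CMD.match(raw.strip())
        if ctx is None or m is None:          # e.g. the global smart-tunnel list line
            continue
        negate, arg = m.groups()
        if not negate and arg:
            own[ctx] = arg                    # a new command replaces the one present
        elif negate and (arg is None or own[ctx] == arg):
            own[ctx] = None                   # removed: falls back to inheritance
    fallback = own.get(DEFAULT) or "not configured"   # assumption: inherit from default
    return {k: (v, "own") if v else (fallback, "inherited") for k, v in own.items()}

def auto_start_entries(config):
    # Entries where smart tunnels start at login without any user action.
    eff = effective_smart_tunnel(config)
    return sorted(k for k, (cmd, _) in eff.items() if cmd.startswith("auto-start"))
```

Calling auto_start_entries(SAMPLE_CONFIG) lists the group policies and usernames whose smart tunnels start at login, which are the entries worth reviewing first in an access audit.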
Detailed Steps

Step 1
    Command: smart-tunnel auto-start list
    Purpose: Starts smart tunnel access automatically upon user login.
  OR
    Command: smart-tunnel enable list
    Purpose: Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the clientless SSL VPN portal page.
  OR
    Command: smart-tunnel disable
    Purpose: Prevents smart tunnel access.
  OR
    Command: no smart-tunnel [auto-start list | enable list | disable]
    Purpose: Removes a smart-tunnel command from the group policy or username configuration, which then inherits the [no] smart-tunnel command from the default group-policy. The keywords following the no smart-tunnel command are optional; however, they restrict the removal to the named smart-tunnel command.

Step 2
    Refer to the section that addresses the option you want to use.

Configuring and Applying Smart Tunnel Policy
The smart tunnel policy requires a per group policy/username configuration. Each group policy/username references a globally configured list of networks. When the smart tunnel is turned on, you can allow traffic outside of the tunnel by using two commands: one configures the network (a set of hosts), and the other uses the specified smart-tunnel network to enforce a policy on a user. The following commands create a list of hosts to use for configuring smart tunnel policies: