unexpected behavior with vpn, clientless ssl and smart tunnels on ASA 5510

Hi there, hope someone can help

I am able to set up a smart tunnel for an application and everything works fine, however...

Without smart tunnel, the user must navigate through the portal interface (because of how it encapsulates URLs and basically acts as a proxy); that is all well and good and expected behavior. If a user does not enter a URL in the portal URL entry (and only enters it in the normal address bar), it takes them outside the clientless SSL VPN portal.

Now to the point: once a smart tunnel is started, a URL the user types in the normal address bar is not encapsulated in the device URL, although the traffic is still passed through our network (and note, the smart tunnel application is not the browser, which would be IE). How do I know? Sites that would be blocked by a web filter are blocked with smart tunnel on but not with smart tunnel off.

I need to know if this is intended behavior or not and how and why this is happening?

Thanks in advance

In my view, this is how it works. If you are referring to this doc:

https://supportforums.Cisco.com/docs/doc-6172

Smart tunnel works on an all-or-nothing basis. This means that once you turn it on for a specific process or a specific bookmark, all the traffic for this process (and for the browser you are using to open the clientless SSL session) will pass through the ASA.

Example: Enable the ST option for a process or for bookmark #1 (which is opened in the IE used to log in). A separate instance of the IE browser will have all of its traffic tunneled through the ASA if the new browser window belongs to the same process. All tabs of this browser will be smart tunneled, even bookmarks (i.e. bookmark #2) that are not specifically set to smart tunnel. You must use a different browser (e.g. Firefox) in this case if you want some of your traffic (i.e. bookmark #2) not to be smart tunneled.

I hope this helps.

Tags: Cisco Security
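
As an added illustration (not part of the original thread and not Cisco's own tooling): because smart tunnel applies per process, a saved ASA configuration can be audited to list which executables each group policy tunnels and to flag browsers, whose every window and tab would then pass through the ASA. The sample configuration, the list and policy names, and the set of browser executables are constructed assumptions; bookmarks with smart tunnel enabled are not covered.

```python
import re

# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
webvpn
 enable outside
 smart-tunnel list ST_APPS putty putty.exe platform windows
 smart-tunnel list ST_APPS ie iexplore.exe platform windows
 smart-tunnel list ST_RDP rdp mstsc.exe platform windows
group-policy GP_STAFF attributes
 webvpn
  url-entry disable
  smart-tunnel auto-start ST_APPS
group-policy GP_ADMINS attributes
 webvpn
  smart-tunnel enable ST_RDP
group-policy GP_PORTAL_ONLY attributes
 webvpn
  url-entry disable
"""

# Assumption: executables treated as browsers for the purpose of the warning.
BROWSER_EXES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# webvpn mode:        smart-tunnel list <list> <app-name> <path> [platform ...]
LIST_RE = re.compile(r"^\s+smart-tunnel list (\S+) (\S+) (\S+)")
# global mode:        group-policy <name> attributes
POLICY_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
# group-policy webvpn: smart-tunnel {enable | auto-start} <list>
USE_RE = re.compile(r"^\s+smart-tunnel (enable|auto-start) (\S+)")


def exe_name(path):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_config(config):
    """Collect smart-tunnel lists and the group policies that reference them."""
    lists = {}      # list name -> [executable, ...]
    policies = {}   # group policy -> (list name, "enable" | "auto-start")
    current_policy = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level command starts a new context.
            m = POLICY_RE.match(line)
            current_policy = m.group(1) if m else None
            continue
        m = LIST_RE.match(line)
        if m:
            lists.setdefault(m.group(1), []).append(exe_name(m.group(3)))
            continue
        m = USE_RE.match(line)
        if m and current_policy:
            policies[current_policy] = (m.group(2), m.group(1))
    return lists, policies


def audit(config):
    """Per group policy: the tunneled processes and any browsers among them."""
    lists, policies = parse_config(config)
    report = {}
    for policy, (list_name, mode) in policies.items():
        processes = lists.get(list_name, [])
        report[policy] = {
            "list": list_name,
            "mode": mode,
            "processes": processes,
            # All traffic of a tunneled browser process goes through the ASA.
            "browsers": [p for p in processes if p in BROWSER_EXES],
        }
    return report


if __name__ == "__main__":
    for policy, info in audit(SAMPLE_CONFIG).items():
        print(f"{policy}: list={info['list']} mode={info['mode']}")
        print(f"  tunneled processes: {', '.join(info['processes'])}")
        if info["browsers"]:
            print(f"  browser fully tunneled: {', '.join(info['browsers'])}")
```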

Similar Questions

  • Homepage of vpn clientless ssl after login problem

    Hi all

    I have a problem with my clientless VPN portal.

    I need to configure it so that when a user logs in via the portal, which works very well, they end up on the home page.

    At the moment they end up immediately on the AnyConnect button.

    By home page, I mean the first button that says 'Home'.

    Users should be able to click on "Web Applications", below 'Home'.

    Under 'Web Applications' users must have their "AnyConnect" button as well.

    First of all, I wasn't able to make the "AnyConnect" button display in the portal menu.

    Then after a while, I realized that this happens when the dynamic access policy says "Unchanged" under "Access Method".

    When you change this setting to "AnyConnect Client", there is no portal anymore; I find myself immediately at the start of the AnyConnect client.

    When you select 'Web-Portal', you get the portal page, but the AnyConnect menu is missing.

    When you select 'Both-default-Web-Portal', I get the AnyConnect button and all the other menus, which is good.

    But I want the Home button to be the default.

    And not AnyConnect; immediately after login you get the AnyConnect start page.

    And then finally and most importantly, when you select 'Both-default-AnyConnect Client' and log in to the web portal, AnyConnect starts immediately from the menu.

    That is something we want the end user to do manually (click on "Start AnyConnect"), I mean!

    I'm sure it is the DAP that forces this because of the options above.

    But when selecting Unchanged or anything that does not include AnyConnect, the AnyConnect button is gone...

    I don't know what I can do to change that.

    Am I missing something?

    I would say that DAP is not necessary, but when I set everything in the DAP to default, the AnyConnect button is gone from the menu...

    Kind regards

    Robin

    Here is my configuration:

    group-policy GP_company_intranet_portal attributes
     wins-server value x.x.x.x
     dns-server value x.x.x.x
     vpn-tunnel-protocol ssl-client ssl-clientless
     split-tunnel-policy tunnelall
     default-domain value company.local
     address-pools value IPP_SSLVPN01
     webvpn
      url-list value BML_company_intranet_portal
      http-proxy disable
      anyconnect keep-installer installed
      anyconnect ask enable default webvpn
      customization value CO_company_intranet_portal
      http-comp gzip
      hidden-shares none
      activex-relay enable
      file-entry disable
      file-browsing disable
      url-entry disable
      smart-tunnel auto-signon disable
    tunnel-group TG_company_portal_localauth type remote-access
    tunnel-group TG_company_portal_localauth webvpn-attributes
     customization CO_company_intranet_portal
     group-url https://portal.company.be enable
    username testaccount password xxxxxxxxxx encrypted privilege 0
    username testaccount attributes
     vpn-group-policy GP_company_intranet_portal
     vpn-tunnel-protocol ssl-client ssl-clientless
     password-storage disable
     group-lock value TG_company_portal_localauth
     service-type remote-access

    Troubleshooting while connected, just to check that the right group policy is used:

    FW-company# show vpn-sessiondb webvpn

    Session Type: WebVPN

    Username     : testaccount            Index        : 510
    Public IP    : x.x.x.x
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : 3DES                   Hashing      : SHA1
    Bytes Tx     : 114897                 Bytes Rx     : 16087
    Group Policy : GP_company_intranet_portal
    Tunnel Group : TG_company_portal_localauth
    Login Time   : 14:50:56 GMT+2 Thu Oct 25 2012
    Duration     : 0h:00m:03s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    Hi Robin,

    You can try:

    1. Please remove / disable the DAP rules and keep only the default one with the default action and parameters (Continue). This is to rule out the DAPs as the root cause.

    2. Under the group policy:

    group-policy GP_company_intranet_portal attributes
     webvpn
      anyconnect ask none default webvpn

    Let me know how it goes.

    HTH.

    Portu.

    Please rate all useful posts

  • Unexpected behavior with the "Result Recording" Option

    Hello

    I have unexpected behavior with the "Result Recording" Option.

    I have a few steps in the subsequence 'X'; this subsequence is passed a Boolean parameter. Depending on the value of the parameter, I change the "Result Recording" Option to report the steps or not. The thing is that if I modify the "Result Recording" setting at run time by changing the value of Step.ResultRecordingOption to "Enable" or "Disable", the step is not reported until the same subsequence 'X' is called for the second time (without changing the parameter passed).

    For example: (Precondition: the Result Recording Option of all steps in subsequence X is set to Disable)

    1 CallSubsequenceX(Parameter: Enable)

    2 CallSubsequenceX(Parameter: Enable)

    3 CallSubsequenceX(Parameter: Disable)

    4 CallSubsequenceX(Parameter: Disable)

    Expected result:

    1. measures have been reported.

    2. measures have been reported.

    3. measures have not been reported.

    4. measures have not been reported.

    Result:

    1. measures were not reported, even though the value of Step.ResultRecordingOption has been changed to 'Enable'. (Not Ok)

    2. measures have been reported. (Ok)

    3. measures were reported, even though the value of Step.ResultRecordingOption has been changed to 'Disable'. (Not Ok)

    4. measures have not been reported. (Ok)

    I use TestStand 2013 (5.1.0.226)

    Thanks in advance.

    -Josymar.

    Hi josymar_guzman,

    I just reviewed the sequence and indeed we're experiencing unexpected behavior with the Step.ResultRecordingOption callback. For some reason, when you run the callback in the pre-expression section of each step, the statement takes effect only when the next sequence is called, which is not what we want.

    To avoid this, you can place a statement before each step of the sequence, so you can change the state of the "Result Recording" Option for the running sequence (and only for the following step). You can try something like this

    where the expression of the statement will be "RunState.NextStep.ResultRecordingOption is YourCondition". With this, we guarantee that the results of the next step will be recorded or not. I also removed the expression in the pre-expression section of each step, because the condition is now in the statement before each step.

    I tried it and it works fine. I'll send the sequence that you shared with me, with the changes. I hope this will help you and solve your problem.

  • Weird behavior with Simulate Signal and loops

    I'm having weird behavior with Simulate Signal and while loops. Attached is a picture of my program. The problem I have is that when I use Stop to stop the inner while loop, then use Go to restart the inner loop, Simulate Signal instantly generates a bunch of data points for the time between when I pressed Stop and Go. For example, if I press Stop at 5 seconds, wait 5 seconds, then press Go, it will instantly generate data for t = 5 to t = 10. What I need is for the signal generation to stop when I press Stop and continue where it left off when I press Go. How can I accomplish this? I have no idea why it exhibits the behavior described in the first place.

    Hi optometry.

    Can you give us a screenshot of the configuration window for the Simulate Signal Express VI? I was able to reproduce the problem when I used "Simulate acquisition timing", but the VI behaved as you described you wanted when I used "Run as fast as possible". Have you tried this setting?

  • Unexpected behavior with the OmeSiteAdministrators role

    I am currently working on testing the functionality of the OmeSiteAdministrator role, so we can use it in our organization.  We run OME 2.0.0.1926.

    I went into Preferences - Device Group Permissions and added a new test user (using the Edit Members of OmeSiteAdministrators common task).  I provided the correct user and domain name.  Then I went to the Manage Device Group Permissions section and selected a group to which this user must be able to deploy updates and remote tasks.

    Logging in to the console as this test user, I could see ALL the devices under Manage - Devices.  When I went to Manage - System Update, I was also able to see all the devices listed in the non-compliant section and select any device to bring up the System Update task window for it.

    I looked at the roles of the test user (by clicking the user name in the upper right corner) and saw that he was an OmeSiteAdministrator and OmeUser.  It looks like a clean install of OME adds the BUILTIN\Users group to the OmeUsers group.  I removed BUILTIN\Users from the OmeUsers group, and then the test user could see only the members of the specified group in Manage - System Update.

    But when the test user then launched the OME console again, they could still see all devices in Manage - System Update, even though the top of the window shows "System Update: filter by: ...".  The specified group actually contains a single device, but the test user can view all devices.

    I logged in as an OmeAdministrator, went back to the Device Group Permissions and saw an additional user.
    In Edit Members of OmeSiteAdministrators, I see the test user appear twice, both times with the appropriate user name and domain.  But under Manage Device Group Permissions there is the DOMAIN/user that I added, and now also an UNKNOWN/user (the domain is actually 'UNKNOWN' and the user is the test user name).

    It seems that the filter does not always work (it worked only once for the test user.  Every other time the test user opened the console, it showed all devices.)  Also, I'm not sure why the UNKNOWN/username user was added.

    Also, please read the white paper on delltechcenter.com/ome and see if it offers any help.

    OpenManage Essentials Role-Based Security and implementation

    Thank you

    Rob

  • Help with a VPN tunnel between ASA 5510 and Juniper SSG20

    Hello

    We have a customer wanting to configure a site-to-site VPN tunnel between a newly purchased ASA 5510 located in his branch office and his Juniper SSG20, located in the main office. We contacted HP and they sent us a Cisco professional to do the job.

    After 2 days, from 16:00 to 22:00, of trial and error, countless hours of online research and numerous calls, we are still unable to get traffic from the branch network to enter the tunnel.

    Main branch
                       1.1.1.2                        1.1.1.1
                        -----                       -----------
    192.168.8.0/24     | ASA |---------------------| Juniper |     192.168.1.0/24
                        -----                       -----------
                    192.168.8.254                  192.168.1.254

    According to the Cisco professional, the tunnel is now up but no traffic passes through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We get ping timeouts all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which states "...that both sides of the VPN must have a different class of LAN for the VPN to work...". Would that be our problem?

    It has become a critical issue, to the point that we had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel up and passing traffic until the ASA VPN issue is resolved, and I don't need to say that the client is killing us!

    Help is very much appreciated.

    Thank you

    1. Yes, a ping packet from the interface of the ASA is considered interesting traffic to the LAN of the Juniper.

    On the ASA, you need to source the traffic from the ASA's private interface, because the interesting traffic determined by crypto ACL MYLIST is traffic between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to ping from the interface of the ASA:

    management-access private

    To initiate the ping from the ASA private interface:

    ping private 192.168.1.254

    2. The default lifetime before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built again automatically. However, if there is traffic before the rekey, a new tunnel will be established, and the VPN tunnel will remain up and continue to encrypt and decrypt traffic.

    Currently, your configuration has been defined with an SA lifetime of 3600 seconds OR 4608000 kilobytes of traffic before the next rekey (it will be either 3600 seconds or 4608000 kilobytes, whichever expires first). You can certainly change it to the default of 28800 seconds without configuring kilobytes. The SA lifetime is negotiated between the ASA and the Juniper, and whichever is the lowest value will be used.

    Hope that helps.

  • Unexpected behavior with several event structures handling the same event

    Hi, does anyone have an explanation of the following behavior?

    After 'Boolean 2' is enabled and then disabled, the program "freezes". You can still pause the program but nothing else responds,
    for example pressing File, Edit, View, Project, Operate, Tools, Window, Help or any other object inside the VI.

    This happens if I have two event structures that want to handle the same event, even if the flat sequence should allow only one to run.

    This isn't a bug.

    Event structures should be used to handle different events. Given that you have registered your Boolean event in both event structures, the event gets queued in both when it occurs. This means one or the other is waiting to handle the event and will, by default, lock the application. In large-scale LabVIEW architectures, there is usually a single event structure that handles all the events and then sends messages to the rest of the application to handle these events.

    There is a "Lock front panel" checkbox in the event dialog box which is enabled by default, but you should leave it on because turning it off leads to bad practices.

  • Unable to establish a VPN tunnel between AG241 and WAG54GP2

    Hello

    This is my first post on this forum and I send my best regards to everyone!

    I signed up because I have a problem establishing a VPN tunnel between an AG241 modem/router and a WAG54GP2 modem/router with wireless and VoIP.

    The scenario is simple: both ends have dynamic IPs, so I set up an account with dyndns.org for both routers.

    The WAG54GP2 has IP 192.168.1.1/255.255.255.0 and the AG241 has IP 192.168.3.254/255.255.255.0.

    On both routers, I turned off Block Anonymous Internet Requests, so I can ping both routers.

    This is the configuration of WAG54GP2:

    VPN Passthrough
    IPSec PassThrough: Enable
    PPPoE PassThrough: Enable
    PPTP PassThrough: Enable
    L2TP PassThrough: Enable

    IPSec VPN Tunnel
    Select Tunnel Entry: 1
    IPSec VPN Tunnel: Enabled
    Tunnel Name: Office

    Local Secure Group:
    Subnet
    IP: 192.168.1.0
    Mask: 255.255.255.0

    Local Security Gateway: PVC 1 (ppp0)

    Remote Secure Group:
    IP: 192.168.3.0
    Mask: 255.255.255.0

    Remote Security Gateway:
    IP Addr.
    IP address: w.x.y.z (the remote router's public IP address)
    Encryption: DES (I also tried 3DES and Disable)
    Authentication: SHA

    Key Management:
    Auto. (IKE)
    PFS: Enabled
    Pre-shared Key: the password I chose
    Key Lifetime: 3600 sec.

    Advanced Settings

    Phase 1
    Operation Mode: Main mode (I also tried Aggressive mode)

    Proposal 1
    Encryption: A
    Authentication: SHA
    Group: 768 bits
    Key Lifetime: 3600 sec.

    Proposal 2
    Encryption: ESP_NULL
    Authentication: SHA
    Group: 768 bits
    Key Lifetime: 3600 sec.

    Other Settings
    NAT Traversal: not checked
    NetBIOS broadcast: checked
    Anti-replay: not checked
    Keep-Alive: not checked
    If IKE failed more than 5 times: not checked

    This is the AG241 configuration:

    VPN Passthrough
    IPSec PassThrough: Enable
    PPPoE PassThrough: Enable
    PPTP PassThrough: Enable
    L2TP PassThrough: Enable

    IPSec VPN Tunnel
    Select Tunnel Entry: 1
    IPSec VPN Tunnel: Enabled
    Tunnel Name: user 1

    Local Secure Group:
    Subnet
    IP: 192.168.3.0
    Mask: 255.255.255.0

    Local Security Gateway: PVC 1 (ppp0)

    Remote Secure Group:
    IP: 192.168.1.0
    Mask: 255.255.255.0

    Remote Security Gateway:
    Any

    Key Management:
    Auto. (IKE)
    PFS: Enabled
    Pre-shared Key: the same password I put on the WAG54GP2
    Key Lifetime: 3600 sec.

    Advanced Settings

    Phase 1
    Operation Mode: Main mode (I also tried Aggressive mode)

    Proposal 1
    Encryption: A
    Authentication: SHA
    Group: 768 bits
    Key Lifetime: 3600 sec.

    Proposal 2
    Encryption: A
    Authentication: SHA
    Group: 768 bits
    Key Lifetime: 3600 sec.

    Other Settings
    NAT Traversal: not checked
    NetBIOS broadcast: checked
    Anti-replay: not checked
    Keep-Alive: not checked
    If IKE failed more than 5 times: not checked

    When I click on Connect on the WAG54GP2 router, it does not connect, and in the logs I see:

    2009-07-30T16:16:10+01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

    2009-07-30T16:16:20+01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

    If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.), the message changes to:

    2009-07-30T16:46:16+01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

    Is there someone who could help me build this tunnel?

    A big thank you to everyone who will help me!

    Cinghiuz

    If you are encountering difficulties connecting to the VPN tunnel using an ADSL modem router, you should see this

    Also, make sure that you have the latest firmware installed on your gateway and change the MTU setting...

  • How to end a site-to-site VPN connection on ASA 5510

    Hi guys,

    I would like to know if there is a command that I can use to tear down a site-to-site connection and restart it whenever I want.

    I don't want to use the shutdown command, since I use that specific interface as an exit point to the internet.

    In this case, you can configure just an incomplete crypto map entry, for example: just keep 'set peer' unconfigured until you want to establish the VPN tunnel, and then add the 'set peer' command.

    If you want to disable the tunnel, just remove the 'set peer' command for this particular VPN tunnel.

  • RDP ActiveX clientless SSL VPN on Windows 8.1

    Hi all

    I have an ASA 5510 Sec with a clientless SSL VPN configured. We have a few pre-configured bookmarks and have prevented users from opening their own URLs. We have the RDP plugin rdp_09.11.2012.jar installed.

    When a user running Windows 8.1 clicks one of the bookmarks, they receive a message from IE that Java is not installed. In all other scenarios I tested (WinXP + IE8, IE10, IE11 + Win 7 + Windows 7), clicking on the bookmark starts the ActiveX plugin.

    How can I make this work on Win 8.1 + IE11? It feels like a client-side setting.

    Thank you.

    Hello.

    First of all, IE11 is not officially supported by the ASA yet.

    Ref. http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

    But if you put the 'portal' in compatibility mode, you should be able to use the ActiveX again.

    In Internet Explorer, click Tools and look for the Compatibility Mode settings.

    In addition, you must use the 'Desktop' version of IE and not the Metro one.

    Best regards, Søren.

  • Horizon View 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

    Hello

    The problem:

    Our smart tunnel technology doesn't seem to be forwarding traffic for our new View client.  I wonder what kind of configuration changes must be considered to enable such a connection.  The error returned when connecting by host name is along the lines of host name not found.  The error when connecting by IP is related to a time-out.

    Background information and specifications:

    We are in the process of upgrading our Connection Servers from 5.2 to 6.2.  As part of the upgrade, we want to upgrade our Horizon clients to version 3.5.0.  To make it easier on vendors and remote computers, we would also prefer to package our Horizon View Client with ThinApp 4.7.3.  We currently have a Cisco ASA supporting an SSL VPN portal with "Smart Tunnel" technology.  The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

    Preferred connection scenario:

    User > PC > VMware View Client (ThinApp'd) > Cisco ASA Smart Tunnel > View Connection Server > Virtual Desktop

    .exe files running with the ThinApp View client:

    It seems the ThinApp version of the View client only launches vmware-view.exe.

    .exe files running with the full/thick View client:

    vmware-view.exe

    -ftnlsv.exe

    -vmwsprrdpwks.exe

    -ftscanmgr.exe

    There is something else to consider when the view client configuration ThinApp or thickness to work with Cisco SSL VPN Portal and the Smart Tunnel?  We should have ports configured in the client in connection with the same view Firewall works with SSL VPN Portal port redirector functionality.

    We have not been able to find any documentation on how to properly configure Smart Tunnel to work with the new Horizon 3.5.2 client.  A troubleshooting ticket with Cisco suggests that the Smart Tunnel feature is perhaps not yet compatible with this new Horizon (thin or thick) client.  Currently, we are looking at other options because it is not clear whether Cisco will be able to give us confirmation or offer a solution without delaying our upgrade project.  Maybe we will stick to the previous VMware View Client version 5.4.0, which we know works with Smart Tunnel in some situations and with the port forwarder in others.

  • Unexpected behavior of class constructor

    Hello world

    I came across an unexpected behavior with AS3 class definitions this morning. To put it briefly, I can't create an instance of a class inside that same class's methods. Too bad.

    Here is an example:

    package {
        import flash.display.MovieClip;
        import flash.events.Event;

        public class Test extends MovieClip {
            private var _double:Boolean;
            private var _t:Test;

            public function Test(double:Boolean = true):void {
                this._double = double;
                trace("new test (" + this._double + ")");
                this.addEventListener(Event.ADDED_TO_STAGE, this._onAddedToStage);
            }

            private function _onAddedToStage(pEvt:Event) {
                this.removeEventListener(Event.ADDED_TO_STAGE, this._onAddedToStage);
                trace("creating a double?");
                if (this._double) {
                    trace("yes");
                    this._t = new Test(false);
                } else {
                    trace("no");
                }
            }
        }
    }

    What I'm trying to do seems a bit strange: when an instance is created, it generates a new one, passing it a parameter to stop further duplication, so I shouldn't get an infinite loop like that. Nevertheless, I got a nice #2136 error at runtime (invalid data in the SWF file?):

    new test (true)

    creating a double?

    yes

    Error #2136: blah blah blah

    Can someone explain to me what is happening here? I would like to understand the underlying process that prevents this.

    Thanks for the reply,

    Fran_cois

    Hello

    I changed your code in Test.as:

    package
    {
        import flash.display.MovieClip;
        import flash.events.Event;

        public class Test extends MovieClip
        {
            private var _double:Boolean;
            private var _t:Test;

            public function Test(double:Boolean = true):void
            {
                this._double = double;
                trace("new test (" + this._double + ")");
                this.addEventListener(Event.ADDED_TO_STAGE, this._onAddedToStage);
            }

            private function _onAddedToStage(pEvt:Event)
            {
                this.removeEventListener(Event.ADDED_TO_STAGE, this._onAddedToStage);

                trace("create a double?");

                if (this._double)
                {
                    trace("Yes");
                    this._t = new Test(false);
                    addChild(this._t);    // This is the new line!
                }
                else
                {
                    trace("no");
                }
            }
        }
    }

    and then used this class not as a document class, but as a class in the fla file:

    var ttt:Test = new Test();
    addChild(ttt);

    So, it does not work as expected...

  • How to set up the VPN Client and a site-to-site tunnel on Cisco 831

    How can I configure a Cisco 831 router (branch office) so that it will accept incoming VPN Client connections and initiate a site-to-site IPSec tunnel to our hub site, which uses a VPN 3005 concentrator?  I could get the tunnel to work by configuring it in a dynamic crypto map, but interesting traffic on the Cisco 831 side would not bring the tunnel up.  I could only bring it up from the hub side.  If I use a static crypto map and apply it to the external interface of the 831, I can get this working, but then I couldn't get the VPN Client to work.

    Thank you.

    The dynamic map is called clientmap
    The static map is called mymap

    You should have:

    no crypto map outmap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap 10 ipsec-isakmp dynamic clientmap

    interface Ethernet1
     crypto map mymap

    Federico.

  • Cisco ASA 5510 VPN user Auth

    Hi all.

    I searched the internet to find a way, or first of all whether it is possible, to do what I want to do, but I can't find anything corresponding to what I'm looking for. It's possible that I don't have the right keywords.

    We are replacing our old PIX 515E this weekend with a new ASA 5510.

    With this new installation, I want to implement RADIUS authentication for remote VPN users. Changing the company firewall is a big step, and for the first phase users will keep authenticating locally, but I need that in phase 2 they will be authenticated through a RADIUS server.

    Is there a way to configure both authentication methods for remote VPN users?

    For example:

    All users will be authenticated locally, except members of the IT department, who are authenticated by RADIUS to test the server.

    I have remote VPN users all over the world, so I don't want these users to be blocked by the RADIUS authentication test. What I want is that users in Group1 will be authenticated locally on the ASA and users in Group2 will be authenticated by RADIUS. Once the testing is done, all users will gradually be transferred to RADIUS authentication.

    Is it possible?

    Thank you

    Jonathan

    Network administrator

    Hi Jonathan,

    The best way to go about this would be to set up another group policy and a corresponding tunnel group named Test, and set up RADIUS authentication for that VPN group using the link below:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

    Once you have tested and feel confident, you can change the type of authentication for the Production group. Alternatively, you could implement double authentication, i.e. RADIUS and, if that fails, local, but personally I would set up a test group and then, once I am confident, change the Production group policy to use the RADIUS server for authentication.

    Manish

  • New to SSL VPN: can I tunnel specific networks without specifying the list of applications with smart tunnels?

    Hello

    I'm all new to SSL VPN, and I am a bit lost... I am trying to get SSL VPN going for our company, and we have been asked to deploy a completely clientless solution that will provide access to our network based on subnets. Is this possible with smart tunnels? I tried a few different configurations and it doesn't seem to work. It works with AnyConnect, but we have to go clientless. They feel that we can do clientless access to destination networks. Is this possible?

    Thank you in advance...

    This is what you can do with a clientless solution:

    1. Allow access to web resources (using the URL list)
    2. Allow access to TCP-based applications (using Java port forwarding or smart tunnels)

    If you have to give access to whole subnets, then you will need to go full tunnel, which is AnyConnect SSL.

    HTH
