ASA5505 AnyConnect/iPad Issue

mrbilljerome
Level 1

I have an ASA5505 that I am running the latest IOS on, and I have set up AnyConnect and downloaded the 90-day demo license for Mobility.

I am able to connect on the Windows platform fine and have full access and DNS, but if I connect using the iPad I cannot connect to any resources in my network or even ping. The AnyConnect for Mobility client seems to connect OK and shows a proper IP address from the VPN pool.

Any ideas as to what may cause this? Here is the config. (Note there is a legacy VPN (GorrillVpn) that will be removed once AnyConnect is working properly.)

Thanks,

Bill

names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.97.239.154 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.12
 domain-name corp.gorrillpalmer.com
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network obj-10.0.0.12
 host 10.0.0.12
object network obj-10.0.0.10
 host 10.0.0.10
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
access-list allow extended permit tcp any host 10.0.0.12 eq smtp
access-list allow extended permit tcp any host 10.0.0.12 eq pop3
access-list allow extended permit tcp any host 10.0.0.12 eq 3389
access-list allow extended permit tcp any host 10.0.0.12 eq www
access-list allow extended permit tcp any host 10.0.0.12 eq https
access-list allow extended permit tcp any host 24.97.239.156 eq 3389
access-list allow extended permit tcp any host 10.0.0.10 eq 3389
access-list 108 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool test 172.16.1.1-172.16.1.255 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp
!
object network obj-10.0.0.12
 nat (inside,outside) static 24.97.239.155
object network obj-10.0.0.10
 nat (inside,outside) static 24.97.239.157
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
access-group allow in interface outside
route outside 0.0.0.0 0.0.0.0 24.97.239.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server GorrillPalmer protocol nt
aaa-server GorrillPalmer (outside) host 10.0.0.12
 timeout 5
 nt-auth-domain-controller gpserver2
user-identity default-domain LOCAL
http server enable
http server idle-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 11
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.10 255.255.255.255 inside
telnet 10.0.0.12 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy 2 internal
group-policy 2 attributes
 vpn-idle-timeout 30
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 10.0.0.12
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 108
 default-domain value corp.gorrillpalmer.com
group-policy gorrillvpn internal
group-policy gorrillvpn attributes
 wins-server value 10.0.0.10
 dns-server value 10.0.0.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 108
 default-domain value corp.gorrillpalmer.com
username GorrillVPN password 7519RsdR4ewBN7nI encrypted privilege 0
username GorrillVPN attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) test
tunnel-group gorrillvpn type remote-access
tunnel-group gorrillvpn general-attributes
 address-pool test
 default-group-policy gorrillvpn
tunnel-group gorrillvpn ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
tunnel-group 2 type remote-access
tunnel-group 2 general-attributes
 default-group-policy 2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool (inside) test
 address-pool test
 authentication-server-group (outside) GorrillPalmer
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect ils
  inspect ip-options
 class class-default
  user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable

2 Replies

werowance
Level 1

I too am having the same issue. Here is what I found to make it work, but I don't like the workaround. I found that my company network is a 192.168.1.xxx IP scheme and my user's iPad and home network is also 192.168.1.xxx, so anything he tries to connect to at work just won't flow over the VPN tunnel. Once I changed his home network router to 10.0.0.1, everything worked just fine. But the fact is most places he will travel to will likely have 192.168.1.xxx access points, as that is such a common IP scheme, so I'm trying to figure out a way around that. Anybody have any ideas? Other than changing my company's internal IP scheme.

There is no way around this. A business network should never be 192.168.0.x or 192.168.1.x for this very reason.
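The two things this thread turns on can be checked mechanically before anyone reboots a home router: whether the networks the split-tunnel ACL sends into the tunnel (or the VPN pool itself) collide with the client's local LAN, as werowance describes, and whether the pool is covered by an identity NAT rule, which is the first thing to verify when a client gets a pool address but cannot reach anything, as in Bill's report. The script below is an added example written for this thread; it is not code from either poster or from Cisco. It parses a constructed excerpt written in the syntax of the posted ASA 8.4 config (the object networks, ACL 108, pool `test`, the twice-NAT identity rule and the AnyConnect group policy) and goes slightly beyond the thread's single case by also handling standard ACLs and `host` entries. The client LAN values passed to `overlap_findings` are constructed, not taken from the thread.

```python
"""Check an ASA remote-access config for address overlap and NAT exemption.

Added example for the thread above; assumes the syntax of the posted
ASA 8.4 config. The excerpt and the client LAN values are constructed.
"""
import ipaddress
import re

# Constructed excerpt in the syntax of the posted config: only the lines
# the checks below look at are reproduced.
ASA_CONFIG = """\
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
access-list 108 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool test 172.16.1.1-172.16.1.255 mask 255.255.255.0
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp
group-policy GroupPolicy_AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 108
"""


def _net(addr, mask):
    """Build a network from an ASA-style address and dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(config):
    """Map each 'object network' name to its subnet or host network."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = _net(m.group(1), m.group(2))
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = _net(m.group(1), "255.255.255.255")
    return objects


def parse_pool(config):
    """Return the VPN address pool as a network: first pool address plus the pool mask."""
    m = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", config)
    return _net(m.group(1), m.group(2)) if m else None


def parse_split_tunnel_networks(config):
    """Networks the split-tunnel ACL pushes into the tunnel (the source field of each permit)."""
    m = re.search(r"split-tunnel-network-list value (\S+)", config)
    if not m:
        return []
    prefix = rf"access-list {re.escape(m.group(1))} (?:extended |standard )?permit (?:ip )?"
    nets = []
    for line in config.splitlines():
        h = re.match(prefix + r"host (\S+)", line)
        if h:
            nets.append(_net(h.group(1), "255.255.255.255"))
            continue
        s = re.match(prefix + r"(\d\S*) (\S+)", line)
        if s:
            nets.append(_net(s.group(1), s.group(2)))
    return nets


def pool_is_nat_exempt(config, objects, pool):
    """True if an identity twice-NAT rule (x->x, destination y->y) covers the pool as destination."""
    pat = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    for src, src_mapped, dst, dst_mapped in pat.findall(config):
        if src == src_mapped and dst == dst_mapped and dst in objects:
            if pool.subnet_of(objects[dst]):
                return True
    return False


def overlap_findings(config, client_lan):
    """Report tunneled networks and the pool that collide with the client's directly connected LAN.

    A client prefers (or ties on) its connected route for the same prefix, so
    traffic to an overlapping corporate network never enters the tunnel.
    """
    lan = ipaddress.ip_network(client_lan, strict=False)
    findings = []
    for net in parse_split_tunnel_networks(config):
        if net.overlaps(lan):
            findings.append(("split-tunnel network overlaps client LAN", str(net)))
    pool = parse_pool(config)
    if pool and pool.overlaps(lan):
        findings.append(("VPN pool overlaps client LAN", str(pool)))
    return findings


if __name__ == "__main__":
    objs = parse_objects(ASA_CONFIG)
    pool = parse_pool(ASA_CONFIG)
    print("pool:", pool, "nat-exempt:", pool_is_nat_exempt(ASA_CONFIG, objs, pool))
    print("tunneled:", [str(n) for n in parse_split_tunnel_networks(ASA_CONFIG)])
    for lan in ("192.168.1.0/24", "10.0.0.0/24"):  # constructed client LANs
        print(lan, overlap_findings(ASA_CONFIG, lan))
```

Against the posted config a client on 192.168.1.0/24 reports no overlap, while a client on a 10.0.0.0/24 home LAN reports that the tunneled 10.0.0.0/24 collides with the local network, which is exactly the symptom werowance describes for a 192.168.1.x corporate range. The NAT check confirms that the posted `nat (inside,any) source static ... destination static ...` rule does cover the 172.16.1.0/24 pool.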
