Cisco AnyConnect on iPad with configuration on Cisco ASA5516

timothylau
Level 1

Hello everyone,

I have a request from a user who needs to use an iPad to access a specific subnet (say 10.10.142.x) so that the software can be run. I believe that it could be some kind of unicast / multicast, because outside that network the software cannot be registered with the application controller. E.g. when I am in the 10.10.184.x subnet, the software, even though I installed it, cannot be seen by the controller, so I can't make the application work.

Now, I am thinking of using an existing tool, Cisco AnyConnect, on my iPad so that I can connect over VPN to that specific subnet (10.10.142.x).

Currently all users in the company are using Windows OS. This means that we can use Cisco AnyConnect, with certificates issued and installed on the laptops, and with RADIUS to our AD domain.

I wonder if this is something doable. Are there any license concerns if I need to use the Cisco Secure Client on iOS?

Or is there any other method that would make my life easier? If possible, are there any documents that can advise me on how to set up the configuration on the ASA?


Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 300 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
VPN Load Balancing : Enabled perpetual


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 300 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
VPN Load Balancing : Enabled perpetual

Cheers,

Timothy

3 Replies

Marvin Rhoads
Hall of Fame

Licensing is not a problem given the status you shared - you have "AnyConnect for Mobile". That's the old name that indicates your AnyConnect license includes support for mobile devices (tablets and smartphones).

The problem is that the device's IP address while on VPN will need to be assigned to a VPN pool that exists on the ASA. That pool will not be the internal subnet 10.10.142.x unless that subnet is serviced directly by the ASA as the gateway.

Thank you.

For the subnet in ASA, I think I have defined it in the network object group. So can I say this is being serviced?

object-group network PROD_LAN
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.142.0 255.255.255.0

I have tested with one test user account, and with a certificate on Windows OS. But when I sent it over to the iPad / iPhone, there were some issues adding the certificate into Cisco AnyConnect.

The cert is in .p12 format with the password on hand. I tried to use "Share" into the VPN client, but it keeps saying my password is incorrect. Then I tried putting the certificate on a shared drive and importing it by copying the URL, and it says "Unable to import certificate due to incorrect password..." I can confirm that the password on hand works fine, as I can decrypt it in Windows OS.

Cheers,

Timothy


Unless an ASA interface is the default gateway for that subnet, you cannot assign your iPad (or any other VPN device) an address from that subnet.
