03-07-2023 01:18 PM
Hello everyone,
I have a request from a user who needs to use an iPad to access a specific subnet (say 10.10.142.x) so that the software can be run. I believe that it could be some kind of unicast / multicast, because outside that network the software cannot be registered with that application controller. E.g. when I am in the 10.10.184.x subnet, the software, even though I installed it, cannot be seen by the controller, so I can't make the application work.
Now, I am thinking of using the existing tool, Cisco AnyConnect, on my iPad so that I can VPN in and specify that specific subnet (10.10.142.x).
Currently all users in the company are using Windows OS. It means that we can use Cisco AnyConnect, with certificates issued and installed on the laptops, with RADIUS to our AD domain.
I wonder if this is something doable. Are there any license concerns if I need to use the Cisco Secure Client on iOS?
Or is there any other method that can make my life easier? If possible, are there any documents that can advise me on how to set up the configuration on the ASA?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 300 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
VPN Load Balancing : Enabled perpetual
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 300 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
VPN Load Balancing : Enabled perpetual
Cheers,
Timothy
03-08-2023 04:24 AM
Licensing is not a problem given the status you shared - you have "AnyConnect for Mobile". That's the old name that indicates your AnyConnect license includes support for mobile devices (tablets and smartphones).
The problem is that the device's IP address while on VPN will need to be assigned to a VPN pool that exists on the ASA. That pool will not be the internal subnet 10.10.142.x unless that subnet is serviced directly by the ASA as the gateway.
03-08-2023 12:52 PM
Thank you.
For the subnet on the ASA, I think I have defined it in the network object group. So can I say it is being serviced?
object-group network PROD_LAN
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.142.0 255.255.255.0
I have tested with one test user account, with a certificate on Windows OS. But when I sent it over to the iPad / iPhone, there were some issues adding the certificate to Cisco AnyConnect.
The cert is in .p12 format and I have the password on hand. I tried to use "Share" into the VPN client, but it keeps saying my password is incorrect. Then I tried putting the certificate on a shared drive and importing it by copying the URL; it says "Unable to import certificate due to incorrect password..." I can confirm that the password on hand works fine, as I can decrypt it on Windows OS.
Cheers,
Timothy
03-09-2023 12:38 AM
Unless an ASA interface is the default gateway for that subnet, you cannot assign your iPad (or any other VPN device) an address from that subnet.
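An added example, not part of the original posts: a small Python check of the distinction drawn in this thread, that a subnet listed in an object-group is only referenced by the ASA, while a subnet it "services" has an ASA interface addressed inside it. The interface stanzas in the sample are constructed, and an interface address in the subnet is used as a stand-in for "the ASA is the gateway", since hosts' actual default-gateway settings cannot be read from the ASA configuration.

```python
import ipaddress
import re

# Constructed sample; only the object-group lines are from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.5.1 255.255.255.0
object-group network PROD_LAN
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.142.0 255.255.255.0
"""
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IP_RE = re.compile(r"^\s*ip address (\d\S*) (\d\S*)")
OBJ_RE = re.compile(r"^\s*network-object (\d\S*) (\d\S*)")


def parse(config):
    """Return ({nameif: connected network}, {networks named in object-groups})."""
    connected, referenced, nameif = {}, set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new stanza; name not seen yet
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif m := IP_RE.match(line):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            connected[nameif] = iface.network
        elif m := OBJ_RE.match(line):
            referenced.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return connected, referenced


def serviced_by(config, subnet):
    """Interface name whose connected network contains subnet, else None."""
    target = ipaddress.ip_network(subnet)
    for name, net in parse(config)[0].items():
        if target.subnet_of(net):
            return name
    return None


def referenced_only(config):
    """Object-group networks that no ASA interface is attached to."""
    connected, referenced = parse(config)
    return sorted(n for n in referenced
                  if not any(n.subnet_of(c) for c in connected.values()))
```

With the constructed sample, 10.10.142.0/24 appears in PROD_LAN but has no interface behind it, so it is reported as referenced only.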