1071 Views, 0 Helpful, 5 Replies

Cisco VPN IPSec for Apple Iphone

kmurphy
Level 1

We have some users that want to connect to our network using the iPhone. They belong to Tech and are trusted. I can get it so the iPhone connects to the ASA and authenticates against our server, but once on it can't browse anywhere. It gets an IP on the 192.168.10.x network, which is our main network. In the config I have a tunnel group set up marked xx.xx.xx that is a Site-To-Site tunnel that works. The TermServer/WebVPN is something that was set up by an outside vendor, and the DefaultRAGroup somebody was fiddling around with. The tunnel group I set up is called iphone.

5 Replies 5

kmurphy
Level 1

Sorry, here is my config

1. The vpn client pool should always be a separate subnet from inside.

ip local pool iphonepool 172.16.x.1-172.16.x.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.x.0 255.255.255.0

tunnel-group iphone general-attributes
 authentication-server-group RadiusServer
 default-group-policy iphone
 address-pool iphonepool

2. Add "crypto isakmp nat-traversal".

Thanks for the response. With your configuration changes I can now get onto our network and can get around our network fine using IPs or hostnames, so I know DNS works. But the second I try to access the internet it can't get outside. Do I need to put a route somewhere on my network? Normally anybody that plugs into our network can get onto the internet fine. I don't think I need to do split tunnels or anything.

So if I understand correctly, you want to access the internet with the iPhone while you are connected to the VPN? You can either split tunnel or set up something like this...

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.x.0 255.255.255.0

Please rate helpful posts.

I just did split tunneling and it works very well. Thanks.
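The split-tunnel variant the last reply says it used, as an added example that is not from this thread; it uses the same pre-8.3 ASA syntax as the commands above. The ACL name iphone_split, the DNS address and the domain name are assumed placeholders, and the x octets are kept from the thread.

```cisco
! Added example (not from this thread): split tunneling for the "iphone" tunnel-group,
! pre-8.3 ASA syntax to match the commands above. Values marked x and the names
! iphone_split / example.local are placeholders.

! Only traffic to the internal 192.168.0.0/16 range goes through the tunnel;
! everything else (internet) leaves the phone directly, so the hairpin NAT
! (same-security-traffic / nat (outside) 1) is not needed for internet access.
access-list iphone_split standard permit 192.168.0.0 255.255.0.0

! Keep the NAT exemption so tunnelled traffic to inside is not translated.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.x.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Group policy referenced by "default-group-policy iphone" in the tunnel-group.
group-policy iphone internal
group-policy iphone attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value iphone_split
 dns-server value 192.168.10.x
 default-domain value example.local

! Verify on the ASA after a client connects:
!   show vpn-sessiondb remote
!   show crypto ipsec sa
! The IPsec SA proxy identities should show only 172.16.x.0/24 <-> 192.168.0.0/16;
! if 0.0.0.0/0 appears, the group policy was not applied to this tunnel-group.
```

The trade-off is that with split tunneling the phone's internet traffic no longer passes through the ASA, whereas the hairpin configuration in the earlier reply keeps all client traffic on the firewall where it is subject to its inspection, NAT logging and access-list policy.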