cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
858
Views
0
Helpful
1
Replies
Highlighted
Beginner

iPad native IPSEC client

Hello, everyone!

I am having a problem getting an iPad to pass traffic to more than one subnet through our ASA 5510.  The local identity is restricted to the 192.168.10.0/24 subnet, and I need it to be 0.0.0.0 0.0.0.0 like it is on all the other clients.  As a workaround, I am using the AnyConnect client, but we have a limited amount of licenses.  Below is my configuration:

!

hostname Firewall

domain-name domain.domain

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 123.123.123.123 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

<--- More --->

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif FALLBACK

security-level 10

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa822-16-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

<--- More --->

domain-name domain.domain

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DNS tcp-udp

port-object eq domain

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list acl-out extended permit a bunch of IP's and ports

access-list nonat extended permit ip any 172.16.6.0 255.255.255.0

access-list splittunnel standard permit 192.168.10.0 255.255.255.0

access-list splittunnel standard permit 192.168.10 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging list VPN message 113005

logging list VPN message 713049

logging list VPN message 716001

logging list VPN message 716002

logging buffer-size 32768

logging buffered VPN

logging trap VPN

logging asdm warnings

logging host inside 192.168.10.8

<--- More --->

logging permit-hostdown

flow-export destination inside 192.168.10.8 2055

flow-export template timeout-rate 1

mtu outside 1500

mtu inside 1500

mtu FALLBACK 1500

ip local pool VPNPOOL 172.16.6.10-172.16.6.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-634-53.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl-out in interface outside

route outside 0.0.0.0 0.0.0.0 123.123.123.124 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

<--- More --->

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

ldap attribute-map CISCOMAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf "CN=VPN Users,OU=Groups,OU=VPN,DC=domain,DC=domain" VPNACCESS

ldap attribute-map SSLVPNMAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf "CN=VPN Users,OU=Groups,OU=VPN,DC=domain,DC=domain" SSLVPN

ldap attribute-map tunneling_protocols

  map-name  msNPAllowDialin Tunneling-Protocols

  map-value msNPAllowDialin "FALSE" 16

  map-value msNPAllowDialin "TRUE" 36

dynamic-access-policy-record DfltAccessPolicy

aaa-server PDC protocol ldap

aaa-server PDC (inside) host PDC

server-port 636

ldap-base-dn DC=domain,DC=domain

ldap-scope subtree

ldap-naming-attribute samAccountName

ldap-login-password *****

ldap-login-dn CN=login,OU=Users,OU=Group,OU=Users,OU=VPN,DC=domain,DC=domain

ldap-over-ssl enable

server-type microsoft

<--- More --->

ldap-attribute-map CISCOMAP

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.10.18

key *****

aaa-server SSLPDC protocol ldap

aaa-server SSLPDC (inside) host PDC

server-port 636

ldap-base-dn DC=domain,DC=domain

ldap-scope subtree

ldap-naming-attribute samAccountName

ldap-login-password *****

ldap-login-dn CN=login,OU=Users,OU=Group,OU=Users,OU=VPN,DC=domain,DC=domain

ldap-over-ssl enable

server-type microsoft

ldap-attribute-map SSLVPNMAP

aaa authentication enable console RADIUS LOCAL

aaa authentication ssh console RADIUS LOCAL

aaa authentication http console RADIUS LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

snmp-server host inside 192.168.10.8 community ***** version 2c

no snmp-server location

<--- More --->

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac

crypto ipsec transform-set Intellys esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RemoteVPN 65535 set pfs

crypto dynamic-map RemoteVPN 65535 set transform-set remote

crypto map Remote 65535 ipsec-isakmp dynamic RemoteVPN

<--- More --->

crypto map Remote interface outside

crypto ca trustpoint localtrust

enrollment self

fqdn host.domain.com

subject-name CN=host.domain.com

crl configure

crypto ca certificate chain localtrust

certificate c9ff1e4b

    308201f3 3082015c a0030201 020204c9 ff1e4b30 0d06092a 864886f7 0d010104

    0500303e 311a3018 06035504 03131176 706e2e6d 756c7469 76696577 2e636f6d

    3120301e 06092a86 4886f70d 01090216 1176706e 2e6d756c 74697669 65772e63

    6f6d301e 170d3039 31323039 30313339 32315a17 0d313931 32303730 31333932

    315a303e 311a3018 06035504 03131176 706e2e6d 756c7469 76696577 2e636f6d

    3120301e 06092a86 4886f70d 01090216 1176706e 2e6d756c 74697669 65772e63

    6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100bd

    8dcc45c2 a12391f5 4e2b24ba 30ed3020 af854c59 3ba8ed64 efbc6e07 5d294a03

    7457ecad bfa92962 03bb821f 44e53f63 5471b19e ee6beef2 5579c4c7 53bbeaa8

    a706ffdf 21792a11 ff27cf89 1e59e661 9f2ce729 76d7ca48 7f73d6bf f74007ef

    92a36621 4e9523bb 43e52dc9 5afbf2f1 271854be 4c71779e 85bdbcc7 de07c102

    03010001 300d0609 2a864886 f70d0101 04050003 818100b3 39fd4059 9c18ef2d

    c13d6346 e807897b 9f1964e0 0a78f7ff 24715ef7 d3696231 8efdc7fa 244842ca

    bdeda83e 67ba2979 92a58945 c60fb411 9376e94e eaa553a4 e24add67 de33410e

    9125ddc5 f7689731 9490bf22 bf035598 73f67b94 469f1ef1 c575236f 4d15d60f

<--- More --->

    4174de27 e0366d65 75a5b746 ce0f2fd1 9848b720 6c0559

  quit

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 3

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

<--- More --->

ssh timeout 5

console timeout 0

dhcpd dns 4.2.2.2

dhcpd ping_timeout 750

dhcpd domain domain.domain

!

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.0.1 source inside prefer

ssl trust-point localtrust outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

banner value Welcome to the Network

dns-server value 192.168.10.29

vpn-simultaneous-logins 750

<--- More --->

vpn-tunnel-protocol svc

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

default-domain value domain.domain

address-pools value VPNPOOL

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec

group-policy VPNACCESS internal

group-policy VPNACCESS attributes

banner value Welcome to the Network

dns-server value 192.168.10.29

vpn-simultaneous-logins 750

vpn-tunnel-protocol IPSec

re-xauth enable

pfs enable

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

default-domain value domain.domain

secure-unit-authentication enable

user-authentication enable

<--- More --->

nem enable

address-pools value VPNPOOL

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

dns-server value 192.168.10.29

vpn-tunnel-protocol IPSec

ip-comp enable

re-xauth enable

pfs enable

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

default-domain value domain.domain

secure-unit-authentication enable

user-authentication enable

nem enable

address-pools value VPNPOOL

username admin password blahdeedeeblahblahblah

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool VPNPOOL

authentication-server-group PDC

default-group-policy NOACCESS

<--- More --->

password-management

tunnel-group RemoteVPN ipsec-attributes

pre-shared-key *****

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool VPNPOOL

authentication-server-group SSLPDC

default-group-policy NOACCESS

password-management

tunnel-group SSLVPN webvpn-attributes

group-alias SSLVPN enable

<--- More --->

class-map global_policy

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-any block-url-class

class-map NetFlow-traffic

match access-list netflow-hosts

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect http block-url-policy

parameters

class block-url-class

  drop-connection log

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sunrpc

<--- More --->

  inspect tftp

  inspect xdmcp

  inspect pptp

  inspect ftp

  inspect ip-options

  inspect dns preset_dns_map

class NetFlow-traffic

  flow-export event-type all destination 192.168.10.8

!

service-policy global_policy global

prompt hostname context

call-home

Cryptochecksum:f8ffec8272c98e8b310126ec4071388c

: end

Thanks!                   

1 REPLY 1
Highlighted

iPad native IPSEC client

Hello,

What tunnel-group are you using to connect ( using the remote-ipsec client)

After answering that question share the following

show run tunnel-group xx ( The one you use to answer)

show run group-policy xxxx ( the default one used by your tunnel group)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC