Cisco VPN IPsec for Apple iPhone


We have some users that want to connect to our network using the iPhone. They belong to Tech and are trusted. I can get it so the iPhone connects to the ASA and authenticates against our server, but once on it can't browse anywhere. It gets an IP on the 192.168.10.x network, which is our main network. In the config I have a tunnel group set up marked xx.xx.xx that is a Site-To-Site tunnel that works. The TermServer/WebVPN is something that was set up by an outside vendor, and the DefaultRAGroup somebody was fiddling around with. The tunnel group I set up is called iphone.

acomiskey Fri, 12/05/2008 - 10:10

1. The vpn client pool should always be a separate subnet from inside.

! /24 mask inferred from the .1-.254 pool range
ip local pool iphonepool 172.16.x.1-172.16.x.254 mask 255.255.255.0
! NAT exemption from the inside LAN (192.168.10.0/24 per the question) to the new pool,
! bound to the inside interface with nat 0 so VPN traffic is not translated
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.x.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group iphone general-attributes
 authentication-server-group RadiusServer
 default-group-policy iphone
 address-pool iphonepool

2. Add "crypto isakmp nat-traversal".

Thanks for the response. With your configuration changes I can now get onto our network and can get around our network fine using IPs or hostnames, so I know DNS works. But the second I try to access the internet it can't get outside. Do I need to put a route somewhere on my network? Normally anybody that plugs into our network can get onto the internet fine. I don't think I need to do split tunnels or anything.

acomiskey Mon, 12/08/2008 - 08:20

So if I understand correctly, you want to access the internet with the iphone while you are connected to the vpn? You can either split tunnel or setup something like this...

! Allow traffic that arrives on outside (the VPN) to leave via outside again (hairpin)
same-security-traffic permit intra-interface
! PAT the VPN pool to the outside interface address on its way back out; mask matches the /24 pool
global (outside) 1 interface
nat (outside) 1 172.16.x.0 255.255.255.0

Please rate helpful posts.
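The three points raised in this thread (pool distinct from the inside LAN, NAT exemption covering the pool, hairpin NAT for full-tunnel internet access) can be checked mechanically before a config is pushed. The following is an added example, not part of the original thread or Cisco's tooling; the ASA fragments are constructed from the answers above with the poster's "x" octet written as 20 so they parse, and the inside network 192.168.10.0/24 comes from the question.

```python
import ipaddress
import re

# Constructed ASA fragment modelled on the two answers above ("x" written as 20).
GOOD_CONFIG = """
ip local pool iphonepool 172.16.20.1-172.16.20.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.20.0 255.255.255.0
"""

# Constructed fragment matching the poster's starting point: pool carved from the inside LAN.
BAD_CONFIG = """
ip local pool iphonepool 192.168.10.200-192.168.10.220 mask 255.255.255.0
"""

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")  # main network from the question


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pool_network(config):
    """Subnet implied by the 'ip local pool' line (first address plus mask)."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    return _net(m.group(1), m.group(2)) if m else None


def check_vpn_config(config, inside=INSIDE_NET):
    """Evaluate the thread's three points; True means the check passes."""
    pool = pool_network(config)
    nat0 = re.search(
        r"^access-list inside_nat0_outbound extended permit ip (\S+) (\S+) (\S+) (\S+)",
        config, re.M)
    hairpin = re.search(r"^nat \(outside\) 1 (\S+) (\S+)", config, re.M)
    return {
        # 1. client pool must be a subnet distinct from the inside LAN
        "pool_separate": pool is not None and not pool.overlaps(inside),
        # NAT exemption must be inside -> pool so LAN replies are not translated
        "nat0_covers_pool": bool(nat0) and _net(nat0.group(1), nat0.group(2)) == inside
        and _net(nat0.group(3), nat0.group(4)) == pool,
        # full-tunnel internet needs intra-interface hairpin plus outside NAT for the pool
        "hairpin_internet": "same-security-traffic permit intra-interface" in config
        and bool(hairpin) and _net(hairpin.group(1), hairpin.group(2)) == pool,
    }
```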
