Hi Guys
I had the chance to configure a feature I have always wanted to try out but never got around to: Cisco IP Phone VPN. This lets you configure a phone to VPN over SSLVPN back to its home CUCM when you take it out to a foreign network. It is designed so you can take a phone out to an exec's site or similar (of course, they will need PoE there).
A few things to note:
- Only certain phone models are supported, so keep that in mind; the full list is in the Cisco document linked below.
- You have to enable it BEFORE you take the phone out. The way it works is that when the phone registers to CUCM it downloads a config file that tells it where to find the VPN settings; the user does not enter them himself.
- I was lazy and did it using a username and password which the user has to enter on the phone, but this sucks because 1. the user has to enter an alphanumeric username/password on a phone keypad, 2. these users are pulled from your SSLVPN users and NOT your CUCM users, so you had best be syncing from an LDAP source, and 3. it's one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.
- Works on both an ASA and SSLVPN on a router as far as I can tell.
OK, so first of all, here is the great tutorial from Cisco, but they are doing it on an ASA; we will be doing it on an ISR:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html
So the first thing is, of course, a working SSLVPN config. Mine looks something like this:
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
!
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
 inservice
!
webvpn context SSL_Gateway
 !
 ssl authenticate verify all
 no inservice
!
webvpn context SSL_gateway
 gateway SSLVPN
 !
 ssl authenticate verify all
 inservice
 !
 policy group default
  functions svc-enabled
  svc address-pool "VPN" netmask 255.255.255.0
  svc keep-client-installed
  svc split include 172.21.1.0 255.255.255.0
  svc split include 10.0.0.0 255.255.255.0
 default-group-policy default
This is not a tutorial on setting up SSLVPN; there are plenty of those on the web, and this piece does not really change just because we are now using phones. (The first SSL_Gateway context above, with no gateway and no inservice, is a leftover from the lab and plays no part; only the SSL_gateway context bound to the SSLVPN gateway matters.) In fact, before you even begin to configure the SSLVPN on the phone I recommend you test the SSLVPN as a normal user from Windows and check:
1. The user/pass you intend to use for the phone is able to log in
2. The SSLVPN actually works
3. You can ping the CUCM server once you're on the VPN (if you are split tunnelling, as the config above does, the CUCM and TFTP addresses must fall inside one of the split includes or the phone will never reach them)
Once you're sure of all that and have tested thoroughly that the SSLVPN is working fine, it's time to configure the phone.
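The split-tunnel gotcha in check 3 is easy to miss by eye, so here is a small checker, added for this post and not part of the original write-up. It parses the "svc split include" lines out of a webvpn context (the sample below is the policy group from the config above, pasted in as constructed test input) and reports which of the phone's targets fall outside every include. The CUCM and TFTP addresses are assumed lab values, not ones from the post; note that the post's second include is 10.0.0.0 with a /24 mask, so a TFTP server at 10.0.1.5 would be uncovered.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample: the policy group from this post's webvpn context,
# reproduced here as test input.
SAMPLE_CONFIG = """\
webvpn context SSL_gateway
 gateway SSLVPN
 ssl authenticate verify all
 inservice
 policy group default
  functions svc-enabled
  svc address-pool "VPN" netmask 255.255.255.0
  svc keep-client-installed
  svc split include 172.21.1.0 255.255.255.0
  svc split include 10.0.0.0 255.255.255.0
 default-group-policy default
"""

# Assumed lab addresses for the servers a phone must reach over the tunnel;
# these are not from the post.
PHONE_TARGETS = {
    "cucm": "172.21.1.10",
    "tftp": "10.0.1.5",
}

SPLIT_INCLUDE_RE = re.compile(r"^\s*svc split include (\S+) (\S+)\s*$", re.MULTILINE)


def split_includes(config: str) -> list[ipaddress.IPv4Network]:
    """Parse every 'svc split include <network> <mask>' line into a network."""
    return [
        ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        for net, mask in SPLIT_INCLUDE_RE.findall(config)
    ]


def uncovered_targets(config: str, targets: dict[str, str]) -> dict[str, str]:
    """Return the targets (role -> address) that no split-include route covers.

    With no split includes at all the gateway pushes a full tunnel, so every
    target is reachable and nothing is reported.
    """
    nets = split_includes(config)
    if not nets:
        return {}
    return {
        role: addr
        for role, addr in targets.items()
        if not any(ipaddress.IPv4Address(addr) in net for net in nets)
    }


if __name__ == "__main__":
    missing = uncovered_targets(SAMPLE_CONFIG, PHONE_TARGETS)
    for role, addr in missing.items():
        print(f"{role} {addr} is outside every split include; add an include or fix the mask")
    if not missing:
        print("all phone targets are covered by the split tunnel")
```

Paste your own "show running-config | section webvpn context" output in place of the sample and put your real CUCM, TFTP and any DNS addresses in the target list; anything the script prints is traffic that will leave the phone's local default route instead of the tunnel.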
Now the key to all of this is that you MUST provision the phone BEFORE you hand it to the user. If you give the user the phone BEFORE you configure these settings it will be too late: the phone has to register to CUCM on the corporate network and download this config at least once before you can take it to a remote location and have it register.
The second thing is that you MUST install your SSLVPN gateway's certificate into the Phone-VPN-trust store on CUCM, which we will cover next. The phone validates the gateway's certificate against what CUCM pushed to it in its config file, not against a browser-style CA bundle, so if the gateway certificate ever changes (for example a self-signed certificate that gets regenerated, or a renewal) you have to upload the new one and reset the phones again.
Log in to CUCM and navigate to the OS Administration page, then Security -> Certificate Management. Click Upload Certificate, select "Phone-VPN-trust" from the dropdown as shown below, and upload your SSLVPN gateway's certificate. The easiest way to get a copy is to visit your SSLVPN in your web browser of choice and export the certificate from there.
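If you would rather not click through a browser, the following script, added here as an example and not part of the original post, fetches the certificate the gateway actually presents (with verification turned off, since this certificate is about to become the trust anchor), prints its fingerprint, and can compare a saved PEM against what the gateway serves right now, which is the check you want after a reload or renewal. The command-line usage, the placeholder PEMs (dummy bytes wrapped in PEM armour, not real certificates) and the optional TLS 1.0 line for old IOS are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import socket
import ssl
import sys


def fetch_gateway_cert_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the SSLVPN gateway presents and return it as PEM.

    Verification is deliberately off: we are collecting the certificate that
    will become the phones' trust anchor, so there is nothing to verify
    against yet. Confirm the fingerprint out of band before uploading it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Assumption: an older IOS gateway may only offer TLS 1.0; uncomment to allow it.
    # ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER certificate, as a browser shows it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when both PEMs carry byte-identical DER, regardless of line wrapping."""
    return ssl.PEM_cert_to_DER_cert(pem_a) == ssl.PEM_cert_to_DER_cert(pem_b)


# Constructed placeholders so the helpers can be exercised offline: PEM-wrapped
# dummy bytes, NOT real certificates.
PLACEHOLDER_A = ssl.DER_cert_to_PEM_cert(b"lab gateway cert A (placeholder)")
PLACEHOLDER_B = ssl.DER_cert_to_PEM_cert(b"lab gateway cert B (placeholder)")


def main(argv: list[str]) -> int:
    """Usage: gateway_cert.py <host> [<saved.pem>]

    Prints the live fingerprint. With a saved PEM (the file you uploaded to
    Phone-VPN-trust) it also reports whether the gateway still serves it.
    """
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    live = fetch_gateway_cert_pem(argv[1])
    print("gateway presents:", fingerprint(live))
    if len(argv) > 2:
        with open(argv[2]) as fh:
            saved = fh.read()
        if same_certificate(live, saved):
            print("matches the saved certificate")
            return 0
        print("MISMATCH: saved is", fingerprint(saved),
              "- upload the new certificate to Phone-VPN-trust and reset the phones")
        return 1
    print(live, end="")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with just the host to capture the PEM you will upload, and again later with the saved file whenever phones outside the office stop connecting; a mismatch means the gateway certificate changed under you and the phones' config no longer trusts it.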
Once this is done, go back to the CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right the certificate we uploaded previously should be listed in the dropdown.
For the URL, enter whatever URL your users use for their normal SSLVPN connection; it should be the hostname that the uploaded certificate was issued for.
Next you configure the VPN Group under Advanced Features -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSLVPN gateways if you were lucky enough to have more than one.
The next stage is to specify the VPN Profile, under Advanced Features -> VPN -> VPN Profile.
You can see this is also where we specify the authentication method. In my example I am using user/pass since that is the easiest, but later we will do one with certificates.
OK, almost there! The last step is to associate this VPN profile with a Common Phone Profile. A common phone profile groups together settings common to a particular set of devices. There is a default one, "Standard Common Phone Profile", which you could simply edit so that EVERY phone gets the VPN configuration and anyone could take their phone home if they wanted; that is what I elected to do. Common phone profile configuration is found under:
Device -> Device Settings -> Common Phone Profile
As you can see, I have selected the VPN Profile and VPN Group at the bottom.
Once this is done, reset your phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.
On a 79XX series phone, go to Settings -> Security Configuration and scroll down to VPN Configuration; there you can see a lot of information about whether the VPN profile has successfully been associated with the phone.
Once we plugged this phone into an external network, the phone prompted for the username/password on first boot. After that was entered, the phone successfully registered! On the router, show webvpn session context all lists the phone's tunnel alongside any other SSLVPN sessions, which is a quick way to confirm the VPN came up before chasing registration problems.
I hope this helps someone out there.
If we are connecting using AnyConnect from PCs and Macs, would it be safe to assume that AnyConnect is already configured on our ASA? What if I wanted to opt in to another VPN service such as vpn traffic?