Monday, April 28, 2014

How to configure ASA SSL VPN + IPhone

Hi Guys

I had a chance to configure a feature I have always wanted to try out but never got the chance to: Cisco IP Phone VPN. This lets you configure a phone to VPN over SSL VPN back to its home CUCM when you take it out to a foreign network. It is designed so you can take a phone out to an exec's site or similar (of course, they will need PoE).

Few things to note:

- Only certain phone models are supported, so keep that in mind; the full list is in the URL I will give below.

- You have to enable it BEFORE you take the phone out. The way it works is that when the phone registers to the CUCM it downloads a config file that tells it where to find the VPN settings; the user does not enter them himself.

- I was lazy and did it using a username and password which the user had to enter into the phone, but this sucks because 1. the user has to enter an alphanumeric username/password on a phone keypad, 2. these users are pulled from your SSL VPN users and NOT your CUCM users, so you had best be syncing from an LDAP source, and 3. it is one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.

- Works with SSL VPN on both an ASA and a router, as far as I can tell.

OK, so first of all, here is the great tutorial from Cisco, but they are doing it on an ASA; we will be doing it on an ISR.

So the first thing is, of course, a working SSL VPN config; mine looks something like this:

 crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
webvpn context SSL_Gateway
 ssl authenticate verify all
 no inservice

webvpn context SSL_gateway
 gateway SSLVPN
 ssl authenticate verify all
 policy group default
   functions svc-enabled
   svc address-pool "VPN" netmask
   svc keep-client-installed
   svc split include
   svc split include
 default-group-policy default
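Before trusting a config like the one above, it is worth checking it for the handful of mistakes that silently leave a phone unable to connect. The following lint script is an added example written for this post, not Cisco's or the author's code. It parses the `webvpn gateway` / `webvpn context` blocks from a running-config excerpt and flags: a gateway with no `ssl trustpoint` (nothing identifies the gateway to the phone), a gateway or context that is not `inservice`, a context whose `gateway` name does not match a defined gateway (IOS treats these names as case sensitive, so `SSL_Gateway` and `SSL_gateway` are different objects; that is my understanding of IOS, stated here as an assumption), an `svc address-pool` line with no netmask value, and an `svc split include` line with no network. The sample config inside it is constructed for the example and deliberately contains each of those problems.

```python
import re

# Constructed sample config for this example (not the post's exact listing):
# one gateway, one context that is not in service and references the gateway
# with the wrong case, and one context whose policy group has an address-pool
# line without a netmask and a split-include line without a network.
SAMPLE_CONFIG = """\
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
 inservice
!
webvpn context SSL_Gateway
 gateway sslvpn
 ssl authenticate verify all
 no inservice
!
webvpn context SSL_gateway
 gateway SSLVPN
 ssl authenticate verify all
 policy group default
   functions svc-enabled
   svc address-pool "VPN" netmask
   svc keep-client-installed
   svc split include 10.0.0.0 255.0.0.0
   svc split include
 default-group-policy default
 inservice
"""


def parse_webvpn_blocks(config):
    """Return a list of (kind, name, body) for every `webvpn gateway|context` block.

    body holds the stripped lines indented under the block header. Sub-modes
    such as `policy group` are printed by IOS with deeper indentation; they are
    kept flat here because the checks only look at individual command lines.
    A non-indented line ('!' or another global command) ends the current block.
    """
    blocks, current = [], None
    for raw in config.splitlines():
        header = re.match(r"webvpn (gateway|context) (\S+)\s*$", raw)
        if header:
            current = (header.group(1), header.group(2), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[2].append(raw.strip())
        else:
            current = None
    return blocks


def lint_webvpn(config):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    blocks = parse_webvpn_blocks(config)
    gateways = {name: body for kind, name, body in blocks if kind == "gateway"}
    contexts = {name: body for kind, name, body in blocks if kind == "context"}

    if not gateways:
        findings.append("no webvpn gateway defined")

    for name, body in gateways.items():
        if not any(line.startswith("ssl trustpoint ") for line in body):
            findings.append(f"gateway {name}: no ssl trustpoint, nothing identifies the gateway to the phone")
        if "inservice" not in body:
            findings.append(f"gateway {name}: not inservice")

    for name, body in contexts.items():
        if "inservice" not in body:
            findings.append(f"context {name}: not inservice")
        bound = [line.split(None, 1)[1] for line in body if line.startswith("gateway ")]
        if not bound:
            findings.append(f"context {name}: no gateway bound")
        elif bound[0] not in gateways:
            # Names are case sensitive; point at a gateway that differs only in case.
            similar = [g for g in gateways if g.lower() == bound[0].lower()]
            hint = f" (case mismatch with '{similar[0]}'?)" if similar else ""
            findings.append(f"context {name}: gateway '{bound[0]}' is not defined{hint}")
        for line in body:
            if line.startswith("svc address-pool") and line.endswith("netmask"):
                findings.append(f"context {name}: '{line}' has no netmask value")
            if line == "svc split include":
                findings.append(f"context {name}: 'svc split include' has no network/mask")
    return findings


if __name__ == "__main__":
    for finding in lint_webvpn(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config | section webvpn` (saved to a file and passed as `config`) on your own router; the sample above produces four findings, one for each deliberate mistake.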

This is not a tutorial on setting up SSL VPN; there are plenty of tutorials out there on the web for that, and using phones does not really change this piece. In fact, before you even begin to configure the SSL VPN on the actual phone, I recommend you test the SSL VPN as a normal user on Windows and check:

1. The user/pass you intend to use for the phone is able to log in
2. The SSL VPN actually works
3. You can ping the CUCM server once you're on the VPN

Once you're sure of all that, and you have tested thoroughly to ensure the SSL VPN is working fine, it's time to configure the phone.

Now the key to all of this is that you MUST provision the phone BEFORE you hand it to the user. If you give the user the phone BEFORE you configure all of these settings on it, it will be too late: the phone has to register on the corporate network and download this config at least once before you can take it to a remote location and have it register from there.

The second thing is that you MUST install your SSL VPN certificate into the trust store on CUCM, which we will cover.

Log in to your CUCM, then navigate to the OS Administration page. Then navigate to Security -> Certificate Management. Click on Upload Certificate, select "phone-VPN-Trust" from the dropdown as shown below, and upload the certificate from your SSL VPN. The easiest way to get a copy of this is to visit your SSL VPN in your web browser of choice and download the certificate that way.
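The phone will only trust the gateway whose certificate is in phone-VPN-trust, so it pays to confirm that the file you exported from the browser is exactly what the gateway presents on the wire before (and after) uploading it. The script below is an added example written for this post, not the author's or Cisco's code; it uses only the Python standard library. `fingerprint()` accepts PEM (text or bytes, as most browsers export) or raw DER and returns a colon-separated digest, `gateway_fingerprint()` fetches the live certificate from a host and port you supply, and `matches_gateway()` compares the two. The hostname and the "certificate" bytes embedded in it are constructed placeholders, not real values.

```python
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_der(cert):
    """Accept a PEM string, PEM bytes, or raw DER bytes and return the DER bytes."""
    if isinstance(cert, bytes):
        if not cert.lstrip().startswith(b"-----BEGIN"):
            return cert  # already DER (e.g. a .cer export)
        cert = cert.decode("ascii")
    # strip() tolerates CRLF line endings and trailing whitespace from browser exports
    return ssl.PEM_cert_to_DER_cert(cert.strip())


def fingerprint(cert, algo="sha256"):
    """Colon-separated, upper-case digest of the DER encoding, as CUCM and browsers display it."""
    digest = hashlib.new(algo, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def gateway_fingerprint(host, port=443, algo="sha256"):
    """Fingerprint of the certificate the live SSL VPN gateway presents (needs network access)."""
    return fingerprint(ssl.get_server_certificate((host, port)), algo)


def matches_gateway(uploaded_cert, host, port=443):
    """True when the file you uploaded to phone-VPN-trust is what the gateway actually serves."""
    return fingerprint(uploaded_cert) == gateway_fingerprint(host, port)


# Constructed stand-in so the helpers can be exercised offline: these bytes are
# NOT a real certificate, just arbitrary data wrapped in PEM armour.
FAKE_DER = b"constructed-not-a-real-certificate"
FAKE_PEM = PEM_HEADER + "\n" + base64.encodebytes(FAKE_DER).decode("ascii") + PEM_FOOTER + "\n"


if __name__ == "__main__":
    import sys
    # Usage (hypothetical): python check_gateway_cert.py exported.pem sslvpn.example.invalid
    with open(sys.argv[1], "rb") as f:
        exported = f.read()
    host = sys.argv[2]
    print("file   :", fingerprint(exported))
    print("gateway:", gateway_fingerprint(host))
    print("match  :", matches_gateway(exported, host))
```

If the two fingerprints differ, the phone will refuse the tunnel even though a browser (which may have been told to accept the certificate once) connects fine; re-export the certificate from the gateway itself and upload that copy.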

Once this is done, go back to your CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right the SSL certificate we uploaded previously should be listed in the dropdown.

For the URL, enter whatever URL your users use for their normal SSL VPN connection.

Next, configure the VPN group under Advanced Features -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSL VPN gateways if you were lucky enough to have more than one.

The next stage is to specify the VPN profile, which is done under Advanced Features -> VPN -> VPN Profile.

You can see this is also where we specify the authentication method. In my example I am using user/pass since that is the easiest, but later we will do one with certificates.

OK, almost there! The last step is to associate this VPN profile with a common phone profile. A common phone profile groups together settings common to a particular set of devices; there is a default one, "Standard Common Phone Profile", which you could just edit so that EVERY phone has the VPN configuration inserted and therefore anyone could take their phone home if they wanted. That is what I elected to do. Common phone profile configuration is found under:

Device -> Device Settings -> Common Phone Profile

As you can see I have selected the VPN Profile and VPN Group at the bottom.

Once this is done, reset your phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.

On a 79XX series phone, you can go to Settings -> Security Configuration and scroll down to VPN Configuration; there you can see a lot of information about whether the VPN profile has successfully been associated with the phone.

Once we plugged this phone into an external network, I got the username/password prompt when the phone first booted. After that was entered, the phone successfully registered!

I hope this helps someone out there.


  1. if we are connecting using AnyConnect from PC's and Macs - would it be safe to assume that AnyConnect is already configured on our ASA? What if i wanted to opt in other vpn service such as vpn traffic?

  2. Nice information. Thank you so much for sharing the guide. I really want to configure ssl vpn to my iphone and now i can do that easily. Thanks again for the post!