*Coder Blog

Life, Technology, and Meteorology

Month: February 2009

Setting up a Mac/iPhone VPN to a Cisco ASA Router

I bought a Cisco ASA 5505 about 6 months ago, and love it so far. While setting up a VPN between my iPod touch and the ASA was straightforward, I was less fortunate when trying to get the same thing working from my MacBook Pro. Here’s a description of how to configure the ASA VPN so both devices work.

First, let me give a brief outline of what I am trying to do. I want both my iPod touch and my MacBook Pro to be able to connect to the Cisco ASA box over a VPN interface. Once the VPN has been established, I want all of my internet traffic to go first to the ASA and then out to the rest of the internet from there (otherwise known as split-tunneling in network jargon). With a default VPN setup on the ASA, this works fine from the iPhone, but from the Mac I was only able to access the internal network. The rest of my internet traffic just wouldn’t get sent. Note that this configuration will not work with Mac OS X’s L2TP VPN client; you’ll need to install the Cisco VPN client instead.

The solution isn’t too difficult. First, set up a fairly default VPN configuration on the ASA. Use the VPN Wizard on the ASDM console with the following settings…

Page 1
VPN Tunnel Type: Remote Access
VPN Tunnel Interface: outside
Check the box to enable inbound IPsec sessions to bypass interface access lists.

Page 2
Select Cisco VPN Client for the client type.

Page 3
Select Pre-shared key for authentication method, typing a password into the Pre-Shared Key field.
Type in a Tunnel Group Name to use, which will be used again later. I’ll use VPNGroup as an example.

Page 4
Authenticate using the local user database.

Page 5
Make sure your ASDM username is in the list on the right side, so you are able to connect to the VPN with that account.

Page 6
If you haven’t already, create an IP address pool to use for VPN connections. This is an IP range within your internal network. I use with a subnet mask of

Page 7
Type in your primary and secondary DNS servers into the box. I also set my default domain name to my domain (gauchosoft.com).

Page 8
Leave everything default: Encryption is 3DES, Authentication is SHA, and DH Group is 2.

Page 9
Again, leave everything default. Encryption is 3DES and Authentication is SHA.

Page 10
Leave everything as-is, except check the box at the bottom to enable split tunneling.

Page 11
Click Finish and you are done.

Now, your iPhone should be working just fine. Just go into the VPN preferences and set up a new IPSec configuration with your server, user account/password, and group name/pre-shared secret. Unfortunately, the Mac will not be able to access the entire internet when connected to the VPN. To fix this issue, some additional configuration needs to take place in a terminal connection to the ASA box. If you haven’t already, enable SSH access to the ASA box and log in. Then run the following commands (the indented lines are notes about the command above them, not commands to type):

cisco-gw> enable
Password: your password here
cisco-gw# config terminal

cisco-gw(config)# access-list outside_nat extended permit ip
    Use your pool network and subnet mask in the last two args above.
cisco-gw(config)# nat (outside) 1 access-list outside_nat

cisco-gw(config)# group-policy DfltGrpPolicy attributes
cisco-gw(config-group-policy)# dns-server value
    Replace the IP above with your first DNS server.
cisco-gw(config-group-policy)# nem enable
cisco-gw(config-group-policy)# exit

cisco-gw(config)# group-policy VPNGroup attributes
    Replace VPNGroup above with your group from earlier.
cisco-gw(config-group-policy)# split-tunnel-policy tunnelall
cisco-gw(config-group-policy)# split-tunnel-network-list none
cisco-gw(config-group-policy)# exit

cisco-gw(config)# write memory

That’s it! Just open the Cisco VPN Client on your Mac and add a new connection profile with the group and user settings you configured on the ASA.
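The wizard pages and the terminal session above leave the address arguments out (the pool range, its mask and the DNS server), and once the box is configured it is easy to lose track of whether the group policy really ended up with split-tunnel-policy tunnelall, which is the setting that sends every client route through the tunnel. The following Python script is an added example, not code from the original post or from Cisco: it fills in those arguments from a pool in CIDR form and then audits a constructed "show running-config" excerpt for the pieces the post depends on (the tunnelall policy and an outside NAT access-list that covers the pool), flagging the wizard's 3DES and DH group 2 defaults as legacy choices. The pool 192.168.1.128/25, the DNS server 192.168.1.1 and the "pool as source, any as destination" form of the access-list are this example's assumptions, not values from the post.

```python
"""Render the ASA full-tunnel commands from the post and audit a running-config for them.

Added example, not code from the original post. The pool, DNS server and the
'source pool -> any' form of the NAT access-list are this example's assumptions.
"""
import ipaddress
import re

# Constructed sample values: substitute your own pool, DNS server and group name.
POOL = "192.168.1.128/25"   # assumed VPN address pool (the post leaves the range out)
DNS_SERVER = "192.168.1.1"  # assumed first DNS server
GROUP = "VPNGroup"          # tunnel group name used in the post


def render_commands(pool_cidr, dns_server, group):
    """Return the configuration lines from the post with the address arguments filled in."""
    net = ipaddress.ip_network(pool_cidr, strict=True)   # rejects a host address as a pool
    ipaddress.ip_address(dns_server)                     # rejects a malformed DNS address
    return [
        # Assumption: the ACL matches the pool as source and any destination.
        f"access-list outside_nat extended permit ip {net.network_address} {net.netmask} any",
        "nat (outside) 1 access-list outside_nat",
        "group-policy DfltGrpPolicy attributes",
        f" dns-server value {dns_server}",
        " nem enable",
        f"group-policy {group} attributes",
        " split-tunnel-policy tunnelall",
        " split-tunnel-network-list none",
    ]


def audit_running_config(config_text, pool_cidr, group):
    """Check a 'show running-config' dump for the settings the post relies on.

    Returns a list of findings; an empty list means everything expected is present
    and nothing flagged as legacy crypto was seen.
    """
    pool = ipaddress.ip_network(pool_cidr)
    findings = []

    # 1. The client's group policy must force every route through the tunnel.
    in_block = tunnelall = False
    for line in config_text.splitlines():
        if line.startswith(f"group-policy {group} attributes"):
            in_block = True
            continue
        if in_block and not line.startswith(" "):   # sub-commands are indented by one space
            in_block = False
        if in_block and line.strip() == "split-tunnel-policy tunnelall":
            tunnelall = True
    if not tunnelall:
        findings.append(f"group-policy {group}: split-tunnel-policy is not tunnelall")

    # 2. An outside NAT access-list must cover the pool, or client traffic cannot leave.
    covered = False
    for acl in re.findall(r"^nat \(outside\) \d+ access-list (\S+)", config_text, re.M):
        pattern = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+)"
        for src, mask in re.findall(pattern, config_text, re.M):
            try:
                acl_net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
            except ValueError:      # e.g. 'any' as source; not a network literal
                continue
            if pool.subnet_of(acl_net):
                covered = True
    if not covered:
        findings.append("no outside NAT access-list covers the VPN pool")

    # 3. The wizard defaults (3DES, DH group 2) are legacy choices worth flagging.
    if re.search(r"^\s*group 2\s*$", config_text, re.M):
        findings.append("isakmp policy uses DH group 2 (1024-bit MODP, legacy)")
    if re.search(r"\b3des\b", config_text, re.I):
        findings.append("3DES in use (legacy cipher)")
    return findings


# Constructed running-config excerpt matching the post's wizard defaults.
SAMPLE_CONFIG = """\
hostname cisco-gw
same-security-traffic permit intra-interface
access-list outside_nat extended permit ip 192.168.1.128 255.255.255.128 any
ip local pool VPNPool 192.168.1.129-192.168.1.254 mask 255.255.255.128
nat (outside) 1 access-list outside_nat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.1
 nem enable
group-policy VPNGroup attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
"""

if __name__ == "__main__":
    print("\n".join(render_commands(POOL, DNS_SERVER, GROUP)))
    for finding in audit_running_config(SAMPLE_CONFIG, POOL, GROUP):
        print("finding:", finding)
```

Run against the constructed excerpt, the audit reports only the two legacy-crypto findings; change the group policy to tunnelspecified, or audit with a pool the access-list does not cover, and the corresponding finding appears first. The excerpt also carries same-security-traffic permit intra-interface, which the ASA requires before it will send a VPN client's packets back out of the interface they arrived on; the script does not check for it, but it is the first line to look for when a client can reach the LAN but not the internet.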

Letting Go…

Many people outside of the software development field (and some people in the field) may have the incorrect view that computer code is just cold, hard text written only to make a computer do something. While that may technically be correct, for people who genuinely enjoy coding the application code can be a warm, even living, being, constantly evolving over time to provide the user with an elegant means of accomplishing a task. When programming, I don’t think of myself necessarily as pumping out code. It’s more of a massaging of the project to get it to do something just right, and then a final smoothing of the bugs or gaps in the functionality to make it work perfectly.

Because of this almost art-like view of my career, it’s often difficult to stop working on a project. Then when you consider how many hundreds or thousands of hours you’ve invested in a project, walking away becomes next to impossible. However, I’ve reached a time in my career where I have decided to do just that.

//  MyWeatherAppDelegate.h
//  MyWeather
//  Created by Mike Piatek-Jimenez on 3/26/08.

Above is a copy of the code header for the first file to kick off the MyWeather Mobile project. March 26th, 2008: 4 months before the App Store opened, and only a few weeks after Apple released the iPhone SDK. After working with the team at Weather Central for almost 11 months, I’ve decided it’s time for me to let the project go. The reason for parting ways is not that I don’t enjoy working on the project. It’s more of a re-evaluation of priorities.

The thing is, I have a lot of ideas both for continuing my current Gaucho Software products, as well as ideas for entirely new projects I would like to bring to market. While consulting for the past 4 years, I keep finding myself looking back trying to figure out why I’m not able to be productive on my own apps. Sometimes I will go months without touching any Gaucho Software projects. I spent a good amount of time over the holidays reflecting on this problem, and I’ve determined that in order for me to continue working on Gaucho Software products in any productive form, continuing my consulting work just isn’t an option. So with Gaucho Software turning 5 years old this April 1st, I’ve decided to focus entirely on in-house apps from this point forward.

So with that, I hand over the reins. Version 1.3 has already been uploaded to the App Store and is pending approval. Version 1.4 code is done and we are just waiting for some back-end features to be finished before the release next month. The team at Weather Central has been a joy to work with. Having the graphics, code, and data all merge together in an iPhone app is not a trivial task, but with this team it worked like magic. Graphics were readily available; the data pipes were overflowing; and all that was left was to write the code and bring it all together. I wish them the best of luck in continuing development of the MyWeather Mobile application, as well as any other projects they decide to bring to the iPhone platform in the future…

© 2017 *Coder Blog
