I bought a Cisco ASA 5505 about 6 months ago, and love it so far. While setting up a VPN between my iPod touch and the ASA was straightforward, I was less fortunate when trying to get the same thing working from my MacBook Pro. Here’s a description of how to configure the ASA VPN so both devices work.
First, let me give a brief outline of what I am trying to do. I want both my iPod touch and my MacBook Pro to be able to connect to the Cisco ASA box over a VPN interface. Once the VPN has been established, I want all of my internet traffic to go first to the ASA and then out to the rest of the internet from there (otherwise known as split-tunneling in network jargon). With a default VPN setup on the ASA, this works fine from the iPhone, but from the Mac I was only able to access the internal network. The rest of my internet traffic just wouldn’t get sent. Note that this configuration will not work with Mac OS X’s L2TP VPN client, you’ll need to install the Cisco VPN client instead.
The solution isn’t too difficult. First, setup a fairly default VPN configuration on the ASA. Use the VPN Wizard on the ASDM console with the following settings…
Page 1 VPN Tunnel Type: Remote Access VPN Tunnel Interface: outside Check the box to enable inbound IPsec sessions to bypass interface access lists.
Page 2 Select Cisco VPN Client for the client type.
Page 3 Select Pre-shared key for authentication method, typing a password into the Pre-Shared Key field. Type in a Tunnel Group Name to use, which will be used again later. I’ll use VPNGroup as an example.
Page 4 Authenticate using the local user database.
Page 5 Make sure your ASDM username is in the list on the right side, so you are able to connect to the VPN with that account.
Page 6 If you haren’t already, create a IP address pool to use for VPN connections. This is an IP range within your internal network. I use 192.168.1.128 with a subnet mask of 255.255.255.240.
Page 7 Type in your primary and secondary DNS servers into the box. I also set my default domain name to my domain (gauchosoft.com).
Page 8 Leave everything default: Encryption is 3DES, Authentication is SHA, and DH Group is 2.
Page 9 Again, leave everything default. Encryption is 3DES and Authentication is SHA.
Page 10 Leave everything as-is, except check the box at the bottom to enable split tunneling.
Page 11 Click Finish and you are done.
Now, your iPhone should be working just fine. Just go into the VPN preferences and setup a new IPSec configuration with your server, user account/password, and group name/pre-shared secret. Unfortunately, the Mac will not be able to access the entire internet when connected to the VPN. To fix this issue, some additional configuration needs to take place in a terminal connection to the ASA box. If you haven’t already, enable SSH access to the ASA box and login. Then run the following commands: (comments in red)
Password: your password here
cisco-gw# config terminal
cisco-gw(config)# access-list outside_nat extended permit ip 192.168.1.128 255.255.255.240
Use your pool network and subnet mask in the last two args above. cisco-gw(config)# nat (outside) 1 access-list outside_nat
cisco-gw(config)# group-policy DfltGrpPolicy attributes
cisco-gw(config-group-policy)# dns-server value 220.127.116.11
Replace IP above with first DNS server cisco-gw(config-group-policy)# nem enable cisco-gw(config-group-policy)# exit
cisco-gw(config)# group-policy VPNGroup attributes
Replace VPNGroup above with your group from earlier. cisco-gw(config-group-policy)# split-tunnel-policy tunnelall cisco-gw(config-group-policy)# split-tunnel-network-list none cisco-gw(config-group-policy)# exit
cisco-gw(config)# write memory
That’s it! Just open the Cisco VPN Client on your Mac and add a new connection profile with the group and user settings you configured on the ASA.