Saturday, July 5, 2014

AnyConnect VPN Client for iPhone

I tried to download the Cisco AnyConnect on my iPhone to experience VPN connectivity using a smartphone but wasn't successful on my first attempt. After the initial setup on the app, the ASA prompted the client that it had "No license."


I checked my ASA 5505 licenses using the show version command and saw that AnyConnect for Mobile was disabled. So I went to Cisco.com and found out there's a trial license that's good for 90 days (it actually gave me 91 days).

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual 
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual


Here's a link for the ASA AnyConnect Mobile 90-day trial license. A valid SmartNet/CCO login is required.


Cisco will send the license key to your registered email address. Issue the activation-key command from privileged EXEC mode. The timebased key will immediately take effect and no reboot is required.

ASA5505# activation-key ?

  <0x0-0xffffffff>  Enter four-or-five-tuple activation-key
  noconfirm         Do not prompt for confirmation
ASA5505# activation-key 11580c70 bc7e2ac4 093d128a 4834133b 8abcdefg
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.


Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        91 days
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1423WXYZ
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc123456
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abcdefg
Configuration register is 0x1
Configuration last modified by cisco at 21:32:03.918 SGT Sat May 3 2014

Here are the screenshots to configure the AnyConnect Mobile on the iPhone.




Tap on the AnyConnect VPN to turn it ON and connect to the VPN.


Click on Details to view the certificate contents.



Type the Tunnel Group (aka Connection Profile), username and password that were created on the ASA.



After the AnyConnect mobile license was installed and the iPhone got connected to the VPN, it automatically created the ASA5505(IPSEC) entry.

I received the first IP address 10.1.1.10 from the AnyConnect/VPN DHCP pool.

I can now browse my VPN portal home page.


Here are the screenshots and syslogs captured from ASDM Real-Time Log Viewer.




This is the equivalent command in the CLI.

ASA5505# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : anyconnect-user        Index        : 7
Assigned IP  : 10.1.1.10              Public IP    : 192.168.1.22
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium, AnyConnect for Mobile
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3288                   Bytes Rx     : 43027
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time   : 21:50:59 SGT Sat May 3 2014
Duration     : 0h:01m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A               
VLAN         : none
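
The session output above lists RC4 and SHA1 for the SSL-Tunnel. The following Python, an added example that is not from the original post, parses the Encryption and Hashing lines of show vpn-sessiondb anyconnect and reports data tunnels that negotiated an algorithm on a flagged list. The WEAK list and the function names are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the `show vpn-sessiondb anyconnect`
# output shown on this page.
SAMPLE = """\
Username     : anyconnect-user        Index        : 7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
"""

# Assumed local policy (not a Cisco default): algorithms to flag on data tunnels.
# RC4 is listed because RFC 7465 prohibits RC4 cipher suites in TLS.
WEAK = {"Encryption": {"NONE", "RC4", "DES", "3DES"},
        "Hashing": {"NONE", "MD5", "SHA1"}}

# Matches "SSL-Tunnel: (1)RC4" and captures ("SSL-Tunnel", "RC4").
PAIR = re.compile(r"([\w-]+):\s*\(\d+\)(\S+)")

def parse_session(text):
    """Return {"Username": str, "Encryption": {tunnel: alg}, "Hashing": {tunnel: alg}}."""
    session = {"Username": None, "Encryption": {}, "Hashing": {}}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        key = key.strip()
        if not sep:
            continue  # blank line or a line without a "Field : value" layout
        if key == "Username":
            session["Username"] = (rest.split() or [None])[0]
        elif key in ("Encryption", "Hashing"):
            session[key] = dict(PAIR.findall(rest))
    return session

def weak_findings(session):
    """List (tunnel, field, algorithm) for each data tunnel using a flagged algorithm."""
    findings = []
    for field in ("Encryption", "Hashing"):
        for tunnel, alg in session[field].items():
            # Only the SSL/DTLS data tunnels are audited; the AnyConnect-Parent
            # entry reports "none" in the page's output and is skipped here.
            if tunnel.endswith("-Tunnel") and alg.upper() in WEAK[field]:
                findings.append((tunnel, field, alg))
    return findings

if __name__ == "__main__":
    s = parse_session(SAMPLE)
    for tunnel, field, alg in weak_findings(s):
        print(f"{s['Username']}: {tunnel} {field.lower()} uses {alg}")
```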
