October 21, 2011

This was a proof of concept that I worked on with @xrobx99. Thanks @xrobx99 for your help.
We were interested in how our users could access SharePoint behind our firewall from their mobile devices. We currently have a Cisco ASA in front of our organization. The idea is this: a user receives an email notification from SharePoint that they need to approve a workflow.
The email comes with a link, and the user clicks it on their Apple iOS device. That click starts an on-demand VPN session to our ASA, and the user is then able to reach SharePoint. This is how we got it all working. First, you need to set up certificate authentication for your ASA. If you don't already have a PKI, you can run a certificate server (a local CA) on the ASA itself.
Looking at this, it is not that difficult to set up a local CA. That post describes how to do it from the command line; to enable the CA via ASDM, go to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority. Ticking the enable box generates the following configuration:

    crypto ca server
     smtp from-address [email protected]
     no shutdown
     passphrase secret

Next, add a user. After adding the user, grab the One Time Password (OTP) and log into the enrollment site with it. This downloads a .p12 file, which I double-clicked and added to my keychain (Mac user).

Add a new tunnel-group

The next step was to set a group-url for a new tunnel-group. We did this because we wanted the ability to log in with both passwords and certificates: the existing group keeps password login, and a second group accepts the certificate. This is what our tunnel-groups looked like (the group URLs themselves are shown as placeholders):

    tunnel-group default webvpn-attributes
     group-url <password-login-url> enable
    tunnel-group certificate webvpn-attributes
     authentication certificate
     group-url <certificate-login-url> enable

Add Certificate to iPhone Configuration App

Fire up the iPhone Configuration Utility and create a new Configuration Profile. Scroll down to the "Credentials" section and add the .p12 file, using the OTP as its password. Next, go to the VPN section, add the address of the ASA (the group-url of the certificate tunnel-group), and check the On Demand box for the SharePoint site.
Share the new configuration profile and apply it to your phone. Now, when you try to access a URL that matches the on-demand URLs in the VPN section of the iPhone profile, the AnyConnect client connects to the group-url that allows certificate authentication.
The certificate you included in the profile authenticates you, and you are in! This was fun to put together!
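To make the profile step concrete, here is an added Python example (not the post's own code, and not what the iPhone Configuration Utility itself writes) that builds the same two payloads the utility produces, a PKCS#12 credential plus an AnyConnect VPN payload with certificate authentication and on-demand rules, and then checks that the link from a SharePoint workflow mail would actually hit the Connect rule. It uses the OnDemandRules form that later iOS releases introduced in place of the older OnDemandMatchDomains keys; the AnyConnect bundle identifier, the payload identifiers, the domain names and the .p12 bytes are assumptions and placeholders.

```python
"""Build and sanity-check the iOS configuration profile (.mobileconfig)
used above: a PKCS#12 payload carrying the .p12 from the ASA enrollment
page plus an AnyConnect VPN payload that uses that certificate and
connects on demand for the SharePoint domain.  Added example, not the
post's code; bundle id, payload ids, domains and p12 bytes are placeholders."""
import plistlib
import uuid
from urllib.parse import urlsplit

# Assumed VPNSubType (bundle id) of the Cisco AnyConnect iOS client.
ANYCONNECT_SUBTYPE = "com.cisco.anyconnect.applevpn.plugin"

def _new_uuid():
    return str(uuid.uuid4()).upper()

def pkcs12_payload(p12_bytes, import_password):
    """Credentials payload: the enrolled .p12 plus the OTP it was issued with."""
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.usercert",   # placeholder
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "VPN user certificate",
        "PayloadContent": p12_bytes,       # written as <data> by plistlib
        "Password": import_password,       # cleartext inside the profile
    }

def anyconnect_payload(asa_host, cert_uuid, match_domains):
    """VPN payload: certificate auth to the ASA, started on demand for match_domains."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.anyconnect",  # placeholder
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "AnyConnect on demand",
        "UserDefinedName": "Corp VPN",
        "VPNType": "VPN",
        "VPNSubType": ANYCONNECT_SUBTYPE,
        "VPN": {
            "RemoteAddress": asa_host,      # host of the certificate group-url
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                {"Action": "Connect", "DNSDomainMatch": list(match_domains)},
                {"Action": "Ignore"},   # anything else: leave the tunnel alone
            ],
        },
    }

def build_profile(asa_host, p12_bytes, import_password, match_domains):
    cert = pkcs12_payload(p12_bytes, import_password)
    vpn = anyconnect_payload(asa_host, cert["PayloadUUID"], match_domains)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.profile",   # placeholder
        "PayloadUUID": _new_uuid(),
        "PayloadContent": [cert, vpn],
    }

def to_mobileconfig(profile):
    return plistlib.dumps(profile)      # XML plist bytes the device imports

def from_mobileconfig(blob):
    return plistlib.loads(blob)

def _domain_matches(host, pattern):
    # A DNSDomainMatch entry matches the name itself; with a leading "*."
    # it also matches every subdomain (simplified from Apple's rules).
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def url_triggers_vpn(url, profile):
    """Would opening url (the link in the SharePoint mail) hit a Connect rule?"""
    host = urlsplit(url).hostname or ""
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] != "com.apple.vpn.managed":
            continue
        for rule in payload["VPN"].get("OnDemandRules", []):
            if rule["Action"] == "Connect" and any(
                _domain_matches(host, d) for d in rule.get("DNSDomainMatch", [])):
                return True
    return False

def check_profile(profile):
    """Flag the mistakes that silently break on-demand certificate auth."""
    problems = []
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] == "com.apple.security.pkcs12"}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.vpn.managed":
            continue
        vpn = p["VPN"]
        if vpn.get("AuthenticationMethod") != "Certificate":
            problems.append("VPN payload does not use certificate authentication")
        if vpn.get("PayloadCertificateUUID") not in cert_uuids:
            problems.append("VPN payload references a certificate not in the profile")
    return problems
```

The profile embeds the user's private key and its import password in the clear, so treat the .mobileconfig itself as a credential: sign it, and deliver it over a channel the user has already authenticated to rather than alongside the SharePoint notification mail. With certificate-only authentication, the device passcode is then what stands between a lost phone and the tunnel.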