IPAD Cisco VPN client - Disable transparent tunneling

lffit
Our Cisco ASA is configured to allow connections from the Cisco IPSec VPN client. Recently we've noticed our users with Verizon Internet are not able to connect to the gateway unless the Enable Transparent Tunneling option is disabled under transport settings. Once this checkbox is unchecked, the VPN connection is successful.

Some of our executives use the built-in Cisco client on the IPad to connect to the VPN. These users are not able to connect when on the Verizon network. I cannot find any way to check whether transparent tunneling is configured or not in the VPN Client.

So the question is "is there a way to make sure the built-in Cisco VPN client is not using transparent tunneling?"
You might have a better experience using AnyConnect and AnyConnect Mobile instead of IPSec. Given the issues that some mobile networks have with IPSec, the AnyConnect connection only requires connectivity over port 443, the same as an HTTPS website.

If you do not use any of the "AnyConnect Premium" features, you would need to get an AnyConnect Essentials licence to change the AnyConnect capability from just two clients to the total VPN pool count, and for the mobile users you would need the AnyConnect Mobile licence, which allows the iPhone and iPad client to connect. From memory, the AnyConnect Essentials licence is ~$150 for an ASA 5510 and the AnyConnect Mobile licence is similar.

Author commented:
This is not the solution that we're looking for since we can't update our ASA. I can't accept this as the solution.
The answer to your question is "it is not possible to disable transparent tunnelling on the iPhone or iPad, either on the device or with the iPhone Configuration Utility".

I was attempting to soften this by suggesting a workaround, granted a one-off ~$300 licence cost plus engineering time to enable, but one that would probably work. It is not an "upgrade", just an additional licence to "unlock" additional functionality.

If you already know and understand the following, apologies, but it might be useful for anyone else following this thread.

From here

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translations (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol-50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling transparent tunneling.

Transparent tunnelling is designed to "work around" "bad" NAT implementations.

From the sound of it, Verizon have gone one better than "bad" and are blocking the "workaround".

As Verizon sell the iPhone and the iPad, you might want to take this up with your Verizon account manager.

If you take a look at the output from the iPhone Configuration Utility, you will see that it is an XML file. It is possible that there is an undocumented method of modifying transparent tunnelling, but unless you already have a high-level contact at Apple, trying to find out would probably turn into a very frustrating waste of time. I say this after trying to get information from Apple on a two-thousand-seat iPhone 3G deployment.

L2TP would also require you to upgrade to either Anyconnect Essentials or AnyConnect Premium.

PPTP is not supported on the ASA, but you could run a PPTP server inside the ASA and forward PPTP traffic to it. PPTP is however not as secure as IPSec.
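The Cisco documentation quoted above describes transparent tunnelling as ESP (IP protocol 50) wrapped in UDP packets. Since the iPad client gives no way to see which mode it is using, one practical check is to look at a packet capture taken on the ASA's outside interface and classify what actually arrives. The following is an added example, not code from this thread, from Cisco or from Apple: it builds a few constructed IPv4 packets and classifies them according to the standard NAT-T encapsulation (RFC 3948: ESP and IKE carried on UDP/4500, with IKE distinguished by a four-byte zero "non-ESP marker", since an ESP SPI is never zero). The packet builders, sample payloads and function names are assumptions for this example; the Cisco client's own IPSec-over-TCP mode, which uses a separately configured port, is not recognised by this classifier.

```python
import struct

IPPROTO_ESP = 50      # native ESP, no encapsulation
IPPROTO_UDP = 17
IKE_PORT = 500        # plain IKE (ISAKMP)
NATT_PORT = 4500      # RFC 3948 UDP encapsulation (NAT-T)


def build_ipv4(proto, payload, src="10.0.0.2", dst="203.0.113.1"):
    """Minimal IPv4 header (no options, checksum left at zero) in front of payload.
    Constructed sample data for this example only; addresses are placeholders."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum left at zero) in front of payload; constructed for the example."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return a label describing how (or whether) IPsec traffic is encapsulated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "ESP native (IP protocol 50)"
    if proto != IPPROTO_UDP or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    udp_payload = body[8:]
    if IKE_PORT in (sport, dport):
        return "IKE (UDP/500)"
    if NATT_PORT in (sport, dport):
        # RFC 3948: a single 0xFF byte is a NAT keepalive
        if len(udp_payload) == 1 and udp_payload[0] == 0xFF:
            return "NAT-T keepalive (UDP/4500)"
        # RFC 3948: IKE on 4500 is prefixed with a 4-byte zero non-ESP marker;
        # an ESP SPI is never zero, so this distinguishes the two.
        if len(udp_payload) >= 4 and udp_payload[:4] == b"\x00\x00\x00\x00":
            return "IKE over NAT-T (UDP/4500)"
        if len(udp_payload) >= 8:          # SPI (4) + sequence number (4) at least
            return "ESP over NAT-T (UDP/4500)"
        return "malformed NAT-T (UDP/4500)"
    return "other UDP"


def transparent_tunneling_in_use(packets):
    """True if any packet in the capture carries ESP inside UDP/4500."""
    return any(classify(p) == "ESP over NAT-T (UDP/4500)" for p in packets)


# Constructed payloads: an ESP header (non-zero SPI, sequence 1) followed by dummy
# ciphertext, and a stand-in IKE header (non-zero initiator SPI). Not real traffic.
ESP_SAMPLE = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16
IKE_SAMPLE = b"\x11" * 8 + b"\x22" * 8 + b"\x00" * 12

SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_ESP, ESP_SAMPLE),                                      # no NAT-T
    build_ipv4(IPPROTO_UDP, build_udp(500, 500, IKE_SAMPLE)),                 # plain IKE
    build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + IKE_SAMPLE)),  # IKE, NAT-T
    build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_SAMPLE)),               # ESP, NAT-T
    build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),                  # keepalive
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify(pkt))
    print("transparent tunnelling seen:", transparent_tunneling_in_use(SAMPLE_PACKETS))
```

On a real capture you would feed the raw IPv4 frames from the outside interface into `classify`; a session that shows only native protocol 50 after IKE has finished is not using transparent tunnelling, whereas ESP arriving on UDP/4500 means the client has fallen back to the encapsulated mode, which is the traffic a carrier's NAT may be mishandling.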

Author commented:
We can try the AnyConnect option since we do have 2 seats. Thanks for the detailed response.
