ASA unwanted certificate
Hi there,
Thanks for reading!
We've got a Series 800 SOHO with Ezvpn running. It get connected to our internal network through our ASA 5520 just fine. We have clients on the SOHO side which can ping and RDC to servers inside our network.
The SOHO clients are using MS Lync 2013 (instant messenger) which fails. Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving from the internal Lync server. Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.
Any thoughts on this?
Thanks!
Bob
Hi Moh,
Thanks for writing.
The behavior is unexpected. The capture shows client-side sip-tls / Client Hello packets getting all the way to their appropriate internal server destination. The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) names a specific CAP-RTP-001 certificate that is part of the 5520 configuration.
The client application throws a certificate error, apparently having received a certificate other than that from the intended server.
The senior guys around here would drag their feet about an entire copy / paste of our FW config. Are there relevant sections you'd like to see which I can snippet into this thread?
Thanks again for weighing in!
Bob
Similar Messages
-
ASA local certificate authority in failover
folks
i was setting up an ssl vpn on an asa 5540 (8.2) but can't set up the local ca authority
its an active/standby failover pair
i knew it wasn't enabled on active/active but i didn't realise it was also not enabled on active/passive
has any one came across this or know whether it can be enabled?Hi Alejandro,
CSCsm17487 is not a documentation bug but a enhancement request.
You are right, it is not yet implemented so you won't be able to use the local CA in failover even if you upgrade to 9.X.
If this feature is vital to you, I would advise to go to your account team so they can contact the ASA product team to prioritize it's implementation.
The best (easiest) way to go IMHO is to use a router a CA instead of the ASA itself.
Regards,
Nicolas -
Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN
Dear All,
i have the folloing case :
i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
so what the setting of the mail and smtp server should be ,
was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
Best regards,Thanks Jennifer.
I did manage to configure LDAP attribute map to the specific group policy.
Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
Example: let say my username is LLH.
Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
Only me know the preshared key and only me can login with my Connection Profile.
Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
Example:
AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
I hope above description can paint the scenario clearer.
Thanks in advance for all the help and comment given. -
IP Phone SSL VPN to ASA for multiple CUCM (CallManager)
hi all,
I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
thanks for your input!
SamuelSamuel,
Did you ever find an answer to your question? I have a similar scenario.
Any input would be appreciated. -
Cisco anyconnect 3.1 - Certificate Validation Failure.
When i try to start a SSL VPN connection to the ASA(8.4) with anyconnect 3.1, Cisco anyconnect receives a message saying "No Valid Certificates Available for Authentication".
Prior to the test;
On the ASA, i have obtain CA certificate and its identity certificate. (Both certificates obtain from windows 2008 CA).
* ASA identity certificate's have EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
On the PC in which anyconnect installed, i have obtain User Certificate (this User certificate also obtain from the same windows 2008 CA)
* Prior to obtaining User certificate from the windows2008 CA, ASA acts as a SCEP proxy onbehalf of the client PC.
* User Certificate's has EKU attribute = Client Authentication.
As in the ASDM Logs, it almost work.
In days of troubleshooting, i still could not find the cause of this problem. Error message as appeared on anyconnect;
Is there anyone could help.???
Keshara from Sri Lanka.Just run into this as well. We have CRL checking turned on. Turned out to be the CRL server was down. But that was the same message I got when the client wouldn't connect.
-
We purchased a bunch of Cisco ASA 5505 for our branch offices. Offices are made up of less than 20 end points. We are using it as a firewall and DHCP server at hte moment but also assumed that it had DNS server capabilities. Basically use it as a SOHO router. My research thus far indicates that yes we can use the device as a dns server but it won't resolve locally defined hosts. So it can relay dns request to an external dns server but won't allow me to configured an a record on the device itself.
Can anyone verify this before I look into purchasing another device just to do local DNS server services?
Thanks!Joe
As far as i know the ASA cannot act as a DNS server nor can it act as a DNS relay. What you can do is -
1) configure DNS servers on the ASA that can be used in certain situations for allowing the ASA to resolve a name to an IP. For example using the Botnet filter on the ASA, SSL certificates etc. require the ASA to be able to qurey external DNS servers.
But this is for use by the ASA itself ie. it is used to resolve names within the ASA config. It is not used to allow clients to ask the ASA to resolve DNS names for them. So it can neither act as a DNS server itself nor can it pass on clients DNS queries to DNS servers.
2) if you use the ASA to hand out IPs via DHCP you can add valid DNS servers within the DHCP config just as you can with Windows DHCP.
Jon -
I have an ASA 5545x that is a production device for receiving all AnyConnect VPN traffic for our organization. We purchased and installed a Comodo certificate to create the trust level necessary for our employees to connect. I'm attempting to enable SSH on the device for management purposes, but the current <Default-RSA-Key> does not allow me to initiate a valid SSH session. I have encountered this issue on other ASAs within our organization, and it hasn't been an issue to simply zeroize the current key and regenerate it to restore the ability to SSH to the devices. Where the snag comes in is that this 5545x is the only ASA that has a key installed that wasn't self signed. With that in mind, I have a few questions about whether 3rd-party signed keys are dependent on the self-signed keys on the device. I intend to zeroize both the <Default-RSA-Key> and the <Default-RSA-Key>.server certificates if they will not affect my VPN-associated Comodo key.
Does the Comodo key depend on other keys existing on the ASA?
Am I free to zeroize only the <Default-RSA-Key> without affecting the VPN associated Comodo key?
Here is the result of the command "show crypto key mypubkey rsa" :
Key pair was generated at: 12:02:29 CDT Aug 19 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
<Redacted>
Key pair was generated at: 10:16:52 CDT Sep 20 2012
Key name: my.comodo.key
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
<Redacted>
Key pair was generated at: 01:35:42 CDT Jul 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
<Redacted>
Thank you to any and all that assist me in understanding how the ASA handles certificate keys.As long as the Comodo-signed certificate is bound to the my.comodo.key private key (i.e. you used that key when generating the certificate signing request), you should be fine to zeroize the Default-RSA-Key. The latter should ideally only be used for ssh access.
-
Problem with Java-based application and WebVPN
Hello. Could you please help me in find out any specification/known limitations in using Java-based applications through WebVPN in Cisco ASA 5520 v8.3(2).
A customer of mine has got in trouble in using a Java viewer for graphical files that is invoked by another application (this one correctly served via WebVPN), that cannot be launched because JVM does not find it (NullPointer).
Our suspects are generically about the URL rewriting of the WebVPN and/or unsupported configuration in the ASA SSL certificates vs Java.
Any hint about where to search or what to try?
Thanks.Hello. Could you please help me in find out any specification/known limitations in using Java-based applications through WebVPN in Cisco ASA 5520 v8.3(2).
A customer of mine has got in trouble in using a Java viewer for graphical files that is invoked by another application (this one correctly served via WebVPN), that cannot be launched because JVM does not find it (NullPointer).
Our suspects are generically about the URL rewriting of the WebVPN and/or unsupported configuration in the ASA SSL certificates vs Java.
Any hint about where to search or what to try?
Thanks. -
AnyConnect 3.1 and Mac OS 10.8
We are having trouble getting Mac OS10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect, it just connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate".. Then it states below that in the warning window the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, Only when we start the connection with AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect2.5.6005 that connect without issue. We know the cert is valid so I am asking for help identifying why the AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.
Hi there
This is most likely due to:
CSCty61472 Bug Details
DOC: Anyconnect supports specific Extended Key Usage attributes in certs
Symptom:
When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it..
Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".
Workaround:
Generate a new ID certificate with the correct Extended Key Usage
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
CSCua89081 Bug Details
DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.
Symptom:
When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.
Conditions:
Use an id certificate on the client that doesn't have an EKU
Workaround:
1. Generate a new ID certificate with the correct Extended Key Usage.
or
2. define an explicit cert matching policy in the client profile.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081
Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).
HTH.
Portu.
Please rate any helpful posts
-
Accessing websites running on non-standard ports or with self-signed ssl certs?
I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
Anyone else noticed this?If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
That's why it's generally recommend to go the route of using a well-know public CA as they are alreay included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
In the second case, the ASA's identity certificate itself would have be installed on the client since it (the ASA) is essentially acting as it's own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate. -
I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.
you can try using v9.3(2) and only allow TLS1.2. Look at this thread:
https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom -
Which One is Stronger Security?
Hello Experts,
I have two scenarios which I would like to hear your comments about:
This is in regards to configuration of IKEV1 and IKEV2 in two different profiles and comparing their security level.
When configuring IKEV1, I use shared secret keys. A client must know this secret key to be able to VPN to a server.
When configuring IKEV2, I use identity certificates in the ASA for the users to authenticate the server identity, but I do not configure SCEP for server to authenticate the clients. In this scenario there is no secret key configured (IKEV2 does not allow for secret keys but ONLY certificates) so any client can VPN to the server if accepts the server certificate.
Please note:
Both of the above configs are only for IPSEC. I am not talking about any SSL VPN.
I know that implementing SCEP would be ideal and better security, but my question is only to compare the above two scenarios.
Thank you,
RaziHi Marcin,
Thank you very much for the useful clarification.
I have configured an ASA with IPSEC IKEV2 remote access VPN where only server authentication through "Identity certificate" is required. The steps I have done.
- created a CSR on the ASA
- sent it to public CA and received the cert and installed it on the ASA
- Installed the CA's cert chain on the client computer.
So if I understand correctly, this allows only for server authentication which works perfectly. You mention that mutual authentication of server and client is an "RFC mandate". (If I understand it correctly) so is it that Cisco's implementation is not compliant with RFC mandate?
And although the above configuration is using certificates, it is still weaker security compared to PSK because it is only one way authentication (only server authentication). Is this right? do you understand this the same way I understand?
Now if I plan to implement two-way or mutual authentication of both server and client, I have either to use the ASA as Certificat Authority to authenticate clients or use another PKI infrastructure (like windows servers) to do the client authentication. This way I believe would be the most secure and of course costs more in terms of setting a PKI infrastructure. Any comment or any other way of doing it?
Thank you,
Razi -
ASA5505 IPSEC only with Self-Signed certs
Hello all,
I have limited Cisco training and have been tasked with a pilot project. We have scavenged the ASA from another department, but I have no access to support. It's running ASA v9.1 and ASDM 7.1 . If all goes well I'll be sent on training and we will be purchasing a nice 5520.
So I've scoured the internet for an easy guide to do as my tittle says, but am having major difficulties. I can find lots of support for SSL VPN with Self-signed or IPSEC VPN with externally signed certs but I can't get ASA self-signed IPSEC IKEv2 only with certificate authentication. Also, to make it even worse, I need to provide the user with the software, profile and certificate by hand. No web-access portal or download.
If you know where I can get good setup guide for this type of use please by all means save me here . If this isn't even possible I'm cool with that, just let me know.
Thanks fo any help you can provide
JayIf the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
That's why it's generally recommend to go the route of using a well-know public CA as they are alreay included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
In the second case, the ASA's identity certificate itself would have be installed on the client since it (the ASA) is essentially acting as it's own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate. -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
Client certificate authentication on ASA 5520
Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent
Maybe you are looking for
-
Aperture picture files...can I get them in the Finder?
I'm using Aperture 2.1. I know Aperture stores it's images in a library like iPhoto...but is there a way to get to the pictures in the Finder so I can open them or copy and paste? Message was edited by: wtgilles
-
In PI 7.1 better performance is reached using RFC or Proxy?
Hello Experts, As with PI 7.1 which one would be better option to have better performance? 1)Proxy which goes through the Integration Engine by omiting Advance adaptor Engine 2)RFC which goes through the AAE by omiting Integration Engine As we know t
-
I'd like to take my Micro to the gym, but I need an arm strap because I'm afraid of bumping the unit with a weight if I were to clip it to my waist. Could anyone recommend a good arm band/strap that will fit the player snugly? Anything specifically m
-
Would publishing muse site with changes affect SEO??
Hi, can you brief me on how Muse SEO works? Everytime I make publish a site, the 'DIV ID; keeps changing. Does it effect my SEO?? Would that gring down my Google ranking? Please advice.
-
Hello, I noticed that there is an update announced for the Flex 4.5 framework, in June. This would allow creation of Flex Mobile Projects with full support for iOS. Does anyone know if this would enable loading external compiled code? Or maybe this i