ASA unwanted certificate

Hi there,
Thanks for reading!
We've got a Series 800 SOHO with EzVPN running.  It gets connected to our internal network through our ASA 5520 just fine.  We have clients on the SOHO side which can ping and RDC to servers inside our network.
The SOHO clients are using MS Lync 2013 (instant messenger) which fails.  Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving from the internal Lync server.  Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.
Any thoughts on this?
Thanks!
Bob

Hi Moh,
Thanks for writing.
The behavior is unexpected.  The capture shows client-side sip-tls / Client Hello packets getting all the way to their appropriate internal server destination.  The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) names a specific CAP-RTP-001 certificate that is part of the 5520 configuration.
The client application throws a certificate error, apparently having received a certificate other than that from the intended server. 
The senior guys around here would drag their feet about an entire copy / paste of our FW config.  Are there relevant sections you'd like to see which I can snippet into this thread?
Thanks again for weighing in!
Bob
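A check for the symptom Bob describes, added here as an example that is not part of the thread: in Wireshark, select the Certificate handshake message of the Server Hello, export the first certificate with Export Packet Bytes (DER), and compare its subject, issuer and SHA-256 fingerprint with the certificate the Lync front end actually holds. Everything below is constructed so the script runs offline: the two self-signed certificates and the names lyncfe.example.com and asa.example.com stand in for the real GoDaddy certificate and for the certificate configured on the 5520.

```shell
#!/bin/sh
# Added example, not from the thread: compare the certificate a client actually
# received (exported from the capture as DER) with the certificate the intended
# server holds. All names and files below are constructed for the demonstration.

WORK=$(mktemp -d)

# Fields to eyeball first: subject, issuer, SHA-256 fingerprint.
# $1 = certificate file, $2 = its encoding (PEM or DER)
cert_report() {
    openssl x509 -in "$1" -inform "$2" -noout -subject -issuer -fingerprint -sha256
}

# SHA-256 fingerprint only, so PEM and DER copies of one certificate compare equal.
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when the DER certificate from the capture ($1) is the PEM
# certificate the server is supposed to present ($2).
cert_matches() {
    [ "$(cert_fp "$1" DER)" = "$(cert_fp "$2" PEM)" ]
}

# Constructed stand-ins (self-signed, assumed names): the Lync front end's
# certificate and the identity certificate configured on the ASA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lyncfe.example.com" \
    -keyout "$WORK/lync.key" -out "$WORK/lync.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=asa.example.com" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.pem" 2>/dev/null

# What "Export Packet Bytes" on the Certificate handshake message would yield
# for the working inside client and for the failing SOHO client.
openssl x509 -in "$WORK/lync.pem" -outform DER -out "$WORK/inside_capture.der"
openssl x509 -in "$WORK/asa.pem"  -outform DER -out "$WORK/outside_capture.der"

for capture in inside_capture outside_capture; do
    echo "== $capture =="
    cert_report "$WORK/$capture.der" DER
    if cert_matches "$WORK/$capture.der" "$WORK/lync.pem"; then
        echo "result: the client received the Lync server's certificate"
    else
        echo "result: the client received a different certificate, presented by a device in the path"
    fi
done
```

If the fingerprint from the outside capture matches a certificate in `show crypto ca certificates` on the ASA rather than the Lync server's, the firewall (not the server) is the TLS endpoint the SOHO clients are talking to, and the investigation moves to whatever on the ASA is proxying that session.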

Similar Messages

  • ASA local certificate authority in failover

    folks
    I was setting up an SSL VPN on an ASA 5540 (8.2) but can't set up the local CA authority.
    It's an active/standby failover pair.
    I knew it wasn't enabled on active/active but I didn't realise it was also not enabled on active/passive.
    Has anyone come across this or know whether it can be enabled?

    Hi Alejandro,
    CSCsm17487 is not a documentation bug but an enhancement request.
    You are right, it is not yet implemented, so you won't be able to use the local CA in failover even if you upgrade to 9.X.
    If this feature is vital to you, I would advise going to your account team so they can contact the ASA product team to prioritize its implementation.
    The best (easiest) way to go IMHO is to use a router as CA instead of the ASA itself.
    Regards,
    Nicolas

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand it, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN VPN > Certificate Management > Local Certificate Authority > Manage User Database) along with their email addresses to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users automatically via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using the legacy Cisco VPN Client, I can do it using an IPsec (IKEv1) Connection Profile, where I set a Pre-Shared Key and Client Address Pools. Each Client Address Pool has only 1 fixed IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

    hi all,
    I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phones. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use a single ASA firewall for multiple CUCM clusters? In other words, internet IP Phones will connect to different CUCMs via a single ASA firewall (by using SSL VPN).
    I tested this: I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into the ASA for one ASA to one CUCM. What if I create multiple profiles (e.g. different URLs for phone logins) for different CUCMs? Is it possible to do that?
    thanks for your input!
    Samuel

    Samuel,
    Did you ever find an answer to your question? I have a similar scenario.
    Any input would be appreciated.

  • Cisco anyconnect 3.1 - Certificate Validation Failure.

    When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, AnyConnect shows the message "No Valid Certificates Available for Authentication".
    Prior to the test:
         On the ASA, I have obtained a CA certificate and its identity certificate (both certificates obtained from a Windows 2008 CA).
              * The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
         On the PC on which AnyConnect is installed, I have obtained a User Certificate (this User certificate was also obtained from the same Windows 2008 CA).
              * Prior to obtaining the User certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
              * The User Certificate has EKU attribute = Client Authentication.
    As in the ASDM logs, it almost works.
    After days of troubleshooting, I still could not find the cause of this problem. Error message as it appeared on AnyConnect:
    Is there anyone who could help?
    Keshara from Sri Lanka.

    Just run into this as well. We have CRL checking turned on. Turned out to be the CRL server was down. But that was the same message I got when the client wouldn't connect. 

  • Cisco ASA and DNS

    We purchased a bunch of Cisco ASA 5505s for our branch offices. Offices are made up of less than 20 end points. We are using it as a firewall and DHCP server at the moment but also assumed that it had DNS server capabilities.  Basically, use it as a SOHO router.  My research thus far indicates that yes, we can use the device as a DNS server, but it won't resolve locally defined hosts.  So it can relay DNS requests to an external DNS server but won't allow me to configure an A record on the device itself.
    Can anyone verify this before I look into purchasing another device just to do local DNS server services?
    Thanks!

    Joe
    As far as I know the ASA cannot act as a DNS server nor can it act as a DNS relay. What you can do is -
    1) configure DNS servers on the ASA that can be used in certain situations for allowing the ASA to resolve a name to an IP. For example, using the Botnet filter on the ASA, SSL certificates etc. require the ASA to be able to query external DNS servers.
    But this is for use by the ASA itself, i.e. it is used to resolve names within the ASA config. It is not used to allow clients to ask the ASA to resolve DNS names for them. So it can neither act as a DNS server itself nor can it pass on clients' DNS queries to DNS servers.
    2) if you use the ASA to hand out IPs via DHCP you can add valid DNS servers within the DHCP config just as you can with Windows DHCP.
    Jon

  • Will zeroizing and regenerating the Default-RSA-Key affect any other general purpose keys on my ASA 5545x?

    I have an ASA 5545x that is a production device for receiving all AnyConnect VPN traffic for our organization. We purchased and installed a Comodo certificate to create the trust level necessary for our employees to connect. I'm attempting to enable SSH on the device for management purposes, but the current <Default-RSA-Key> does not allow me to initiate a valid SSH session. I have encountered this issue on other ASAs within our organization, and it hasn't been an issue to simply zeroize the current key and regenerate it to restore the ability to SSH to the devices. Where the snag comes in is that this 5545x is the only ASA that has a key installed that wasn't self signed. With that in mind, I have a few questions about whether 3rd-party signed keys are dependent on the self-signed keys on the device. I intend to zeroize both the <Default-RSA-Key> and the <Default-RSA-Key>.server certificates if they will not affect my VPN-associated Comodo key.
    Does the Comodo key depend on other keys existing on the ASA?
    Am I free to zeroize only the <Default-RSA-Key> without affecting the VPN associated Comodo key?
    Here is the result of the command "show crypto key mypubkey rsa" :
    Key pair was generated at: 12:02:29 CDT Aug 19 2014
    Key name: <Default-RSA-Key>
     Usage: General Purpose Key
     Modulus Size (bits): 1024
     Key Data:
    <Redacted>
    Key pair was generated at: 10:16:52 CDT Sep 20 2012
    Key name: my.comodo.key
     Usage: General Purpose Key
     Modulus Size (bits): 2048
     Key Data:
    <Redacted>
    Key pair was generated at: 01:35:42 CDT Jul 30 2014
    Key name: <Default-RSA-Key>.server
     Usage: Encryption Key
     Modulus Size (bits): 768
     Key Data:
    <Redacted>
    Thank you to any and all that assist me in understanding how the ASA handles certificate keys.

    As long as the Comodo-signed certificate is bound to the my.comodo.key private key (i.e. you used that key when generating the certificate signing request), you should be fine to zeroize the Default-RSA-Key. The latter should ideally only be used for ssh access.
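The reply's condition ("as long as the certificate is bound to the my.comodo.key private key") can be checked before anything is zeroized. The following is an added example, not from the thread: it compares the public key inside a certificate with the public half of each candidate private key. The key names mirror the post, but the key material and the certificate are generated locally and self-signed, since an ASA does not hand out its private keys; on the ASA itself the equivalent check is the `keypair` line under the trustpoint in `show running-config crypto ca trustpoint`.

```shell
#!/bin/sh
# Added example, not from the thread: confirm which private key a certificate is
# bound to before zeroizing anything. Key names mirror the post; the key
# material and certificate are generated here (constructed, self-signed).

WORK=$(mktemp -d)

# Public key carried inside a certificate, as PEM text.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public half of a private key, as PEM text.
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# Return 0 when certificate $1 was issued for private key $2.
cert_bound_to_key() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# Constructed stand-ins for the two key pairs listed in the post.
openssl genrsa -out "$WORK/my.comodo.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/Default-RSA-Key" 2048 2>/dev/null

# The identity certificate: in real life a CSR made from my.comodo.key goes to
# the CA; here it is self-signed with that same key so the check runs offline.
openssl req -x509 -key "$WORK/my.comodo.key" -days 1 \
    -subj "/CN=vpn.example.com" -out "$WORK/comodo-identity.pem" 2>/dev/null

for k in my.comodo.key Default-RSA-Key; do
    if cert_bound_to_key "$WORK/comodo-identity.pem" "$WORK/$k"; then
        echo "$k: the identity certificate is bound to this key, do not zeroize it"
    else
        echo "$k: unrelated to the identity certificate, zeroizing it leaves the certificate usable"
    fi
done
```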

  • Problem with Java-based application and WebVPN

    Hello. Could you please help me find any specification/known limitations on using Java-based applications through WebVPN on a Cisco ASA 5520 v8.3(2)?
    A customer of mine has run into trouble using a Java viewer for graphical files that is invoked by another application (this one correctly served via WebVPN); it cannot be launched because the JVM does not find it (NullPointer).
    Our suspicions are generally about the URL rewriting of the WebVPN and/or an unsupported configuration in the ASA SSL certificates vs Java.
    Any hint about where to search or what to try?
    Thanks.


  • AnyConnect 3.1 and Mac OS 10.8

    We are having trouble getting Mac OS 10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect, it just connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate". Then it states below that in the warning window the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, only when we start the connection with the AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect 2.5.6005 that connect without issue. We know the cert is valid, so I am asking for help identifying why AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.

    Hi there
    This is most likely due to:
    CSCty61472 Bug Details
    DOC: Anyconnect supports specific Extended Key Usage attributes in certs
    Symptom:
    When using certificates with the AnyConnect client, if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the AnyConnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication", otherwise the ASA will reject it.
    Conditions:
    Use an id certificate on the ASA that has an EKU other than "server-authentication".
    Use an id certificate on the client that has an EKU other than "client-authentication".
    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
    CSCua89081 Bug Details
    DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.
    Symptom:
    When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.
    Conditions:
    Use an id certificate on the client that doesn't have an EKU
    Workaround:
    1. Generate a new ID certificate with the correct Extended Key Usage.
    or
    2. define an explicit cert matching policy in the client profile.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081
    Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).
    HTH.
    Portu.
    Please rate any helpful posts
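The EKU conditions Portu quotes from CSCty61472 and CSCua89081 (serverAuth on the ASA identity certificate, clientAuth on the client certificate, and Keshara's Key Usage values from the "Certificate Validation Failure" post above) can be verified on the certificate files before they are installed. This is an added example, not code from the thread or from Cisco: it generates self-signed stand-ins locally with and without the required extensions and checks each pair the way the bug descriptions say AnyConnect and the ASA will. The CNs vpn.example.com, alice and bob are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check the EKU/KU values AnyConnect expects
# on the ASA identity certificate and the client certificate before enrolling
# them. Certificates are generated locally (constructed, self-signed).

WORK=$(mktemp -d)

# Return 0 when certificate $1 lists the Extended Key Usage named in $2
# (OpenSSL's text names, e.g. "TLS Web Server Authentication").
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Return 0 when certificate $1 lists the Key Usage bit named in $2
# (e.g. "Key Encipherment").
has_ku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | grep -q "$2"
}

# The pair that CSCty61472 describes: serverAuth on the ASA side ($1),
# clientAuth on the client side ($2).
anyconnect_eku_ok() {
    has_eku "$1" 'TLS Web Server Authentication' &&
    has_eku "$2" 'TLS Web Client Authentication'
}

# Helper: self-signed certificate with the given CN and extra -addext arguments.
mk() {
    stem=$1; cn=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$WORK/$stem.key" -out "$WORK/$stem.pem" "$@" 2>/dev/null
}

mk asa_ok     vpn.example.com -addext "extendedKeyUsage=serverAuth" \
                              -addext "keyUsage=digitalSignature,keyEncipherment"
mk asa_wrong  vpn.example.com -addext "extendedKeyUsage=clientAuth"
mk user_ok    alice           -addext "extendedKeyUsage=clientAuth" \
                              -addext "keyUsage=digitalSignature"
mk user_noeku bob             # no EKU at all: the CSCua89081 case

for pair in "asa_ok user_ok" "asa_wrong user_ok" "asa_ok user_noeku"; do
    set -- $pair
    if anyconnect_eku_ok "$WORK/$1.pem" "$WORK/$2.pem"; then
        echo "$1 + $2: EKUs acceptable"
    else
        echo "$1 + $2: EKU problem, expect a certificate validation failure"
    fi
done
```

Run the same `has_eku` / `has_ku` checks against the certificates exported from the ASA trustpoint and from the client's certificate store; a certificate that fails here needs to be re-issued from a template with the right EKU, as the workaround in both bugs says.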
          

  • Accessing websites running on non-standard ports or with self-signed ssl certs?

    I've got some sites running with self-signed SSL certs that also run on non-standard ports. Firefox Home doesn't seem to open these pages; it just sits there with the spinner loading and a blank screen...
    Anyone else noticed this?


  • Disabling SSLv3 on Cisco

    I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.

    you can try using v9.3(2) and only allow TLS1.2. Look at this thread:
    https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom

  • Which One is Stronger Security?

    Hello Experts,
    I have two scenarios which I would like to hear your comments about:
    This is in regards to configuration of IKEV1 and IKEV2 in two different profiles and comparing their security level.
    When configuring  IKEV1, I use shared secret keys. A client must know this secret key to be able to VPN to a server.
    When configuring IKEV2, I use identity certificates in the ASA for the users to authenticate the server identity, but I do not configure SCEP for the server to authenticate the clients. In this scenario there is no secret key configured (IKEV2 does not allow for secret keys but ONLY certificates), so any client can VPN to the server if it accepts the server certificate.
    Please note:
    Both of the above configs are only for IPSEC. I am not talking about any SSL VPN.
    I know that implementing SCEP would be ideal and better security, but my question is only to compare the above two scenarios.
    Thank you,
    Razi

    Hi Marcin,
    Thank you very much for the useful clarification.
    I have configured an ASA with IPsec IKEv2 remote access VPN where only server authentication through an "Identity certificate" is required. The steps I have taken:
    - created a CSR on the ASA
    - sent it to public CA and received the cert and installed it on the ASA
    - Installed the CA's cert chain on the client computer.
    So if I understand correctly, this allows only for server authentication which works perfectly. You mention that mutual authentication of server and client is an "RFC mandate". (If I understand it correctly) so is it that Cisco's implementation is not compliant with RFC mandate?
    And although the above configuration is using certificates, it is still weaker security compared to PSK because it is only one way authentication (only server authentication). Is this right? do you understand this the same way I understand?
    Now if I plan to implement two-way or mutual authentication of both server and client, I have either to use the ASA as Certificate Authority to authenticate clients or use another PKI infrastructure (like Windows servers) to do the client authentication. This way I believe would be the most secure and of course costs more in terms of setting up a PKI infrastructure. Any comment or any other way of doing it?
    Thank you,
    Razi

  • ASA5505 IPSEC only with Self-Signed certs

    Hello all,
    I have limited Cisco training and have been tasked with a pilot project. We have scavenged the ASA from another department, but I have no access to support. It's running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we will be purchasing a nice 5520.
    So I've scoured the internet for an easy guide to do as my title says, but am having major difficulties. I can find lots of support for SSL VPN with self-signed or IPsec VPN with externally signed certs, but I can't get ASA self-signed IPsec IKEv2 only with certificate authentication. Also, to make it even worse, I need to provide the user with the software, profile and certificate by hand. No web-access portal or download.
    If you know where I can get a good setup guide for this type of use, please by all means save me here. If this isn't even possible I'm cool with that, just let me know.
    Thanks for any help you can provide
    Jay

    If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
    That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
    If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate, or self-signing certificates on the ASA, then you need to take additional steps at the client.
    In the first case, you would import the root CA certificate into the trusted root CA store of the client. After that, any certificates it has issued (i.e. the ASA's identity certificate) would automatically be trusted by the client.
    In the second case, the ASA's identity certificate itself would have to be installed on the client since it (the ASA) is essentially acting as its own root CA. I usually install them in my clients' Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable
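The warning in this post names the ASA's IP address, and the certificate was issued for vpn.mydomain.com only, so whatever the client connects with has to appear in the certificate. The check below is an added example, not part of the thread: it uses `openssl x509 -checkhost` / `-checkip` to ask whether a certificate covers a given name or address, first on a certificate like the poster's (FQDN in the SAN only) and then on one that also lists the outside interface address. The certificates are generated locally and self-signed; 203.0.113.10 is a constructed documentation address standing in for the ASA's outside IP.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the name or address the
# client connects to is actually covered by the certificate. The FQDN is the
# thread's vpn.mydomain.com; 203.0.113.10 is a constructed documentation address.

WORK=$(mktemp -d)

# Return 0 when certificate $1 is valid for DNS name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Return 0 when certificate $1 is valid for IP address $2.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Certificate as the post describes it: issued for the FQDN only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.mydomain.com" \
    -addext "subjectAltName=DNS:vpn.mydomain.com" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn_fqdn_only.pem" 2>/dev/null

# Alternative that also covers the outside interface address.
openssl req -x509 -key "$WORK/vpn.key" -days 1 -subj "/CN=vpn.mydomain.com" \
    -addext "subjectAltName=DNS:vpn.mydomain.com,IP:203.0.113.10" \
    -out "$WORK/vpn_fqdn_and_ip.pem" 2>/dev/null

for cert in vpn_fqdn_only vpn_fqdn_and_ip; do
    echo "== $cert =="
    openssl x509 -in "$WORK/$cert.pem" -noout -checkhost vpn.mydomain.com
    openssl x509 -in "$WORK/$cert.pem" -noout -checkip 203.0.113.10
done
```

With the FQDN-only certificate the first check passes and the second reports "does NOT match", which is the mismatch the client is complaining about; either the client must keep connecting by the FQDN (the server list in the AnyConnect profile is where that is set) or the certificate has to be re-issued with the address in its SAN.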

  • Client certificate authentication on ASA 5520

    Hi,
    We have configured certificate authentication for remote access IPSEC vpn and it is working fine.   This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
    We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
    How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA?    What is the process to follow on the GUI to do this?     Do I just add another CA certificate under the 'Certificate Management > CA Certificates' window with a new ASDM trustpoint, or are there more steps?

    Hi Paul,
    I generate a PKCS#12 file that encloses the client certificate + the associated private key + the CA cert chain.
    I deployed it on the client host machine by just sending it by e-mail / USB key / web publishing.
    Depending on your client OS version, the client certificate should be present in the "login" store of the keychain repository on a Mac OS X client and in the "personal" store of the certificate repository on a Windows client.
    And that's it.
    Vincent
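Paul's question (clients issued by a new subordinate CA while the ASA keeps its root-issued identity certificate) and Vincent's PKCS#12 answer are both about the same chain. The script below is an added example, not from the thread or from Cisco: it builds a two-tier CA offline (root, subordinate issuing CA, client certificate from the subordinate), shows that a verifier holding only the root cannot validate the client certificate until it also has the subordinate's certificate, and then bundles key, certificate and chain into a PKCS#12 file the way Vincent describes. That is the general PKI fact behind Paul's question: whatever validates the client certificate needs the subordinate CA's certificate, which on the ASA means installing it as a CA certificate in its own trustpoint. All names, keys and the bundle password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a root CA, a subordinate issuing CA, a client
# certificate from the subordinate, chain validation with and without the
# subordinate's certificate, and the PKCS#12 bundle described in the reply.
# All names, keys and the bundle password are constructed for the demonstration.

WORK=$(mktemp -d)
P12_PASS=change-me-on-import

# Return 0 when client certificate $1 chains to trusted root $2; $3 is an
# optional file holding the intermediate (subordinate CA) certificate.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Bundle private key $1, certificate $2 and chain file $3 into PKCS#12 file $4.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -passout "pass:$P12_PASS" -out "$4"
}

# Number of certificates inside PKCS#12 file $1.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Root CA (req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Corp Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Subordinate CA, signed by the root with CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Corp Issuing CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null

# Client certificate issued by the subordinate CA, with the clientAuth EKU.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/alice.pem" 2>/dev/null

# Chain file (subordinate first, then root) and the bundle handed to the user.
cat "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"
make_p12 "$WORK/alice.key" "$WORK/alice.pem" "$WORK/chain.pem" "$WORK/alice.p12"

if chain_ok "$WORK/alice.pem" "$WORK/root.pem"; then
    echo "root alone: OK"
else
    echo "root alone: cannot build chain, the issuing CA is unknown to the verifier"
fi
if chain_ok "$WORK/alice.pem" "$WORK/root.pem" "$WORK/sub.pem"; then
    echo "root + subordinate: OK"
fi
echo "certificates in alice.p12: $(p12_cert_count "$WORK/alice.p12")"
```

Including the whole chain in the PKCS#12 is what lets the client's certificate store trust the user certificate after import; the password protects the private key in transit when the bundle travels by e-mail or USB key as the reply suggests, so pick one that is not reused elsewhere and share it out of band.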
