Cisco ASA IPsec: understanding site-to-site tunnel authentication using certificates

Assume that my company and another company (BBT) want to set up a site-to-site tunnel using certificates. Let's say we both have ASA 5520s and have agreed to use, say, Entrust as our certification authority.

On my end, I do certificate enrollment using the SCEP protocol, and I assume that the BBT end is set up exactly the same way.

First, I generate an RSA key pair. I'm assuming this is my ASA's public/private key pair for encryption and decryption (please correct me if I'm wrong).

Then I set up a trustpoint for certificate enrollment (in this case it will be the Entrust CA server). I will set up my fully qualified domain name and the CRL parameters.

Then I get the CA certificate. This package contains a fingerprint of the certificate, which is loaded on my ASA. Apparently the certificate fingerprint is used by the "end" entity to authenticate the received CA certificate. Why would the end entity need to authenticate a CA certificate that has already been installed on it?
In other words, what does this fingerprint really do? Surely this can't be the same fingerprint that gets installed on the BBT ASA?

Finally, I request and install an identity certificate. It asks for a password? I believe it is used in case I want to make changes to the certificate, such as revoking it. (Again, please correct me if I'm wrong.)

A few additional questions:

During the ISAKMP authentication phase, how does my ASA verify that the certificate the BBT ASA sent was indeed signed by the approved certification authority? How exactly?

My ASA and the BBT ASA must trust the same CA. In other words, must they have the same trustpoints set up?
Or can I have the Entrust CA server as one trustpoint and VeriSign as another?

How does the certificate authentication process work, given that the ASA receives valid traffic through the encrypted data exchange?

A million thanks!

Hello west33637,

You can read this document for a simple example of setting up a site-to-site VPN using certificates on an ASA:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

I will try to separate your questions and see if I can answer them. I will talk without using the SCEP protocol, because it adds a layer of complexity that can be confusing.

(Q) How do I get a certificate?

1. Generate an RSA key pair. An RSA key pair, as you indicate, has a public key and a private key. The public and private keys are large numbers created by multiplying two prime numbers together (a very simplified explanation). These keys are used for encryption and signature verification. The private key is kept private and never given out. The public key is provided to everyone through the certificate presented by the device.

Data encrypted with the public key can only be decrypted with the private key, and vice versa.

More details here: http://en.wikipedia.org/wiki/RSA

2. We create a trustpoint (a container in which to configure and set the parameters of the certificate). In the trustpoint we associate the RSA key pair, give a name (usually the FQDN of the server that will present this certificate), configure whether certificates authenticated by the trustpoint must also be checked against the CRL... etc.

3. Then we can create a CSR using the crypto ca enroll command. Now we take this CSR and provide it to Entrust. If this is done via the SCEP protocol you would already have done the next step, authenticating the trustpoint.

4. When you receive a certificate from a third party such as Entrust, they should also provide the certificate chain that allows the certificate they signed to be authenticated all the way up to the root (the root is a self-signed certificate, which should already be trusted by most operating systems/web browsers). We want to install the chain on the ASA because the ASA does not trust any certificate by default; it has an empty certificate store.

5. On the ASA, we now install the chain provided by Entrust. Usually your identity certificate will be signed by an intermediate CA, just like the certificate for supportforums.cisco.com. The ASA trustpoint system holds one CA certificate (root or intermediate) and one ID (identity) certificate per trustpoint. So we will probably need at least one more trustpoint.

crypto ca trustpoint Entrust_ROOT
 enrollment terminal
 exit
crypto ca authenticate Entrust_ROOT

Don't forget to use trustpoint names that are meaningful to you and your organization. Create a trustpoint for each of the CA certificates except for the direct signer of your ID certificate. Authenticate the direct signer in the same trustpoint where you install your ID certificate:

crypto ca import <trustpoint> certificate

You should now have a fully usable, authenticated certificate. A PKCS12 import requires a password to decrypt the private key stored in the PKCS12. But if you generate your CSR on the same device where you install the certificate, then you would not need to export a PKCS12 or use a password.

---

A small side note on signatures: a certificate signature (fingerprint), also known as a digital signature, is a hash of the certificate encrypted with the signer's private key. As we know, whatever is encrypted with one key can only be decrypted with the other key... so anyone who holds the signer's public key can decrypt it. So when you receive the certificate, and you already trust the signer, you 1) decrypt the signature and 2) check that your own hash of the certificate matches the decrypted hash... If the decrypted hash does not match, then you do not trust the certificate.

For example, you can look at the certificate for supportforums.cisco.com:

The subject is: CN = supportforums.cisco.com

The issuer (signer) is CN = Akamai subordinate CA 3

Akamai subordinate CA 3 is an intermediate certification authority. It is not self-signed.

The issuer of CN = Akamai subordinate CA 3 is CN = GTE CyberTrust Global Root

CN = GTE CyberTrust Global Root is a root certificate (self-signed).

We want to install this entire chain on the ASA so that we can present this certificate and chain to any device, and as long as that device trusts CN = GTE CyberTrust Global Root, it should be able to verify the signatures of the intermediate and, finally, of our identity certificate.

---

Look for another post for a quick discussion of how the certificate is used in ISAKMP and IPsec.

Kind regards
Craig
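The signature check and chain walk that the reply above describes, plus the fingerprint the question asks about, as an added example that is not part of the original thread and not Cisco's code. It uses textbook RSA over fixed Mersenne primes so it runs offline with the standard library only; those keys are trivially factorable and exist only to show the mechanics. The CA names are the ones quoted in the reply; the JSON certificate layout, the key sizes, the "Unrelated Root" and the forged certificate are constructed for this example and are not the ASA's actual data format.

```python
"""Toy certificate chain verification (added example, not from the original thread).

A signature is the SHA-256 of the certificate body transformed with the signer's
private key. The verifier undoes it with the signer's PUBLIC key, compares hashes,
and accepts a chain only if it ends at a self-signed root already in its store.
"""
import hashlib
import json

E = 65537


def make_key(p_exp, q_exp):
    """Toy RSA key from the Mersenne primes 2**p_exp-1 and 2**q_exp-1 (assumption: fixed
    primes for reproducibility; the ASA's 'crypto key generate rsa' uses random primes)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))          # private exponent, never leaves the device
    return {"n": n, "e": E, "d": d}


def tbs_bytes(cert):
    """Canonical to-be-signed encoding: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(subject, pubkey, issuer_name, issuer_key):
    """CA side: bind a subject to its public key and sign with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer_name, "n": pubkey["n"], "e": pubkey["e"]}
    m = digest_int(tbs_bytes(cert))            # 256-bit hash, below every modulus used here
    cert["signature"] = pow(m, issuer_key["d"], issuer_key["n"])
    return cert


def signature_valid(cert, signer_pub):
    """Verifier side: recover the hash with the signer's public key and compare."""
    recovered = pow(cert["signature"], signer_pub["e"], signer_pub["n"])
    return recovered == digest_int(tbs_bytes(cert))


def fingerprint(cert):
    """Hash over the whole certificate (body and signature). This is the kind of value
    the ASA prints during 'crypto ca authenticate' for an out-of-band comparison with
    what the CA published, since an empty store has nothing else to check it against."""
    blob = tbs_bytes(cert) + cert["signature"].to_bytes(512, "big")
    return hashlib.sha256(blob).hexdigest()


def verify_chain(leaf, intermediates, trusted_roots):
    """Follow issuer names upward from the leaf. Every link must verify under its parent's
    public key and the walk must end at a root that is in the store and self-signed.
    Returns (ok, reason)."""
    by_subject = {c["subject"]: c for c in intermediates}
    cert = leaf
    for _ in range(len(intermediates) + 1):    # each hop consumes an intermediate or ends at a root
        issuer = cert["issuer"]
        if issuer in trusted_roots:
            root = trusted_roots[issuer]
            if not signature_valid(root, root):
                return False, "stored root is not a valid self-signed certificate"
            if not signature_valid(cert, root):
                return False, f"'{cert['subject']}' is not validly signed by the trusted root"
            return True, f"chain ends at trusted root '{issuer}'"
        parent = by_subject.get(issuer)
        if parent is None:
            return False, f"issuer '{issuer}' is neither supplied nor a trusted root"
        if not signature_valid(cert, parent):
            return False, f"'{cert['subject']}' is not validly signed by '{issuer}'"
        cert = parent
    return False, "chain does not terminate at a trusted root"


# --- Constructed scenario using the chain named in the reply ----------------------
ROOT = "CN = GTE CyberTrust Global Root"
INTER = "CN = Akamai subordinate CA 3"
LEAF = "CN = supportforums.cisco.com"
root_key, inter_key, leaf_key = make_key(521, 127), make_key(607, 107), make_key(1279, 89)
root_cert = issue(ROOT, root_key, ROOT, root_key)       # self-signed root
inter_cert = issue(INTER, inter_key, ROOT, root_key)    # intermediate, signed by the root
leaf_cert = issue(LEAF, leaf_key, INTER, inter_key)     # identity cert, signed by the intermediate


def demo():
    """Checks a peer effectively performs on a presented chain; returns name -> bool."""
    other_key = make_key(2203, 61)                      # a CA this device does not trust
    other_root = issue("CN = Unrelated Root", other_key, "CN = Unrelated Root", other_key)
    forged = dict(leaf_cert, n=other_key["n"])          # key swapped, old signature kept
    return {
        "trusts_chain": verify_chain(leaf_cert, [inter_cert], {ROOT: root_cert})[0],
        "rejects_wrong_root": verify_chain(leaf_cert, [inter_cert], {"CN = Unrelated Root": other_root})[0],
        "rejects_tampered_cert": verify_chain(forged, [inter_cert], {ROOT: root_cert})[0],
        "rejects_missing_intermediate": verify_chain(leaf_cert, [], {ROOT: root_cert})[0],
        "fingerprint_detects_substitute": fingerprint(other_root) != fingerprint(root_cert),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points the walk makes concrete. The CA-certificate fingerprint is not a secret and is not per-device: it is a hash of the CA certificate itself, so both ASAs see the same value for the same CA, and the only reason to compare it by hand is that at `crypto ca authenticate` time the empty store gives the ASA nothing else to validate the CA certificate against. And the two peers do not need identical trustpoints; each only needs to hold the chain that issued the other side's identity certificate, which is why a missing intermediate fails here just as a wrong root does.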

Tags: Cisco Security

Similar Questions


  • Documentation for Cisco ASA IPsec L2TP / Windows 7

    Hello

    I need to configure a few Cisco ASA 5510s for remote access VPN using L2TP over IPsec. One of the requirements is that no additional VPN client be installed; we only use the client included in Windows 7 x86. Is there documentation on configuring this device for that, or a clear statement saying that it is not supported or not possible yet?

    Thank you

    m.

    Hey, well, at least no more phase 1 errors.

    The ASA is basically saying that it does not like the proposal.

    Here's what is configured...
    -------

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    -------

    Here is what is proposed:

    -----

    (1) proposal payload

    Protocol-Id: PROTO_IPSEC_ESP

    Transform-Id: ESP_AES

    Encapsulation mode: UDP Transport
    Key length: 128
    Authentication algorithm: SHA1

    (2) proposal payload

    Protocol-Id: PROTO_IPSEC_ESP

    Transform-Id: ESP_3DES

    Encapsulation mode: UDP Transport
    Authentication algorithm: SHA1

    (3) proposal payload

    Protocol-Id: PROTO_IPSEC_ESP

    Transform-Id: ESP_DES

    Encapsulation mode: UDP Transport
    Authentication algorithm: SHA1

    ------------------

    Please also see:

    https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

    I see that you have PFS set; by default PFS is off.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2193372

    NAT traversal missing?

    https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html#wp1046219

  • Do all Cisco ASA 5510s have the IPS module?

    I am new to using Cisco networking products. I was given the task of determining whether our company's 5510s and 5505s have IPS/IDS. In doing my research I discovered that the 5505 has no IPS/IDS, but you can buy a card, and the 5510 has IPS/IDS modules. How can I determine whether my 5510(s) have the IPS/IDS module?

    Only the new -X ASAs (but not the 5585) have software modules. On the 5505 and 5510 there are hardware modules. But first you must get your ASA access working. You can try different browsers, but also make sure that your Java is up to date.

    Sent from Cisco Technical Support iPad App

  • Web interface of Cisco IP phones from a computer on the LAN

    Hello

    On the UC540 the DATA VLAN is on 192.168.10.0 and the VOICE VLAN is on 10.1.1.0. I want to reach the web interfaces of the Cisco IP phones from my client's computer LAN, which is on 192.168.0.0, by going to http://10.1.1.x, without having to modify what already exists. How can this be done? I do not have a manageable switch available that would let me integrate that LAN into the DATA VLAN of the UC.

    Thanks in advance

    Hello

    The voice VLAN 10.1.1.0 is not routed in your network.

    That is, the workstations do not know that it exists, because their default router does not know how to route to that network.

    Here's how to fix that little routing problem:

    1/ If the default router for the workstations in the data VLAN is not the UC500, just add a static route in that router for the subnet 10.1.1.0 with the next-hop address (the IP address of the router that lets you reach this subnet).

    For example, if the default router is a Cisco router, it is in the data VLAN with the UC500, and the UC500 has the IP address 192.168.0.1:

    conf term
    !
    ip route 10.1.1.0 255.255.255.0 192.168.0.1
    !
    end

    2/ If we cannot change this default router, we must add a route on the workstations in the data VLAN themselves.

    On a Windows workstation you do that in a CMD window with the ROUTE ADD command:

    c:\>route add 10.1.1.0 mask 255.255.255.0 192.168.0.1

    and you can check your local routing table with the command:

    c:\>route print

    If you want this route to persist on the workstations even after a reboot, use the -p option of the route add command:

    c:\>route -p add 10.1.1.0 mask 255.255.255.0 192.168.0.1

    Check the access lists! Of course, after having solved the routing problems, make sure there is no access list blocking the traffic.

    FINALLY, a bit of security. Allowing access to the voice VLAN is not good practice!

    As far as possible, avoid making the voice VLAN reachable from everywhere. Good practice is therefore not to allow the data VLAN access to the voice VLAN.

    Patrick


  • Configuring a Cisco ASA to pull AD user accounts

    I am trying to configure my Cisco ASA to authenticate against my AD instead of local accounts. I followed the instructions at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml, and when I test the server in the AAA server group (which is my Windows AD server) I get a successful connection. However, when I connect to the SSL site for my Cisco VPN, it still does not accept Active Directory logins, only local ones. Is there somewhere else I need to tie in the AAA server group? What should I do?

    Hi Neal,

    Great to hear that. 5 points for the answer; now please mark it as answered so future users can learn from this problem and the answer.

    Kind regards

  • Cisco ASA 5515 with FirePOWER: which version?

    ASA 5515 with FirePOWER services. Can FirePOWER be managed with ASDM?

    Can anyone suggest versions for FirePOWER, ASDM and ASA?

    Kindly help

    You will find this useful for installing the FirePOWER module on the ASA for local management:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/SFR/firepo...

    Thank you

    Guillaume

    Rate if this helps!


  • Unable to VPN from the inside to another site

    I'm trying to VPN from my site to another site via the VPN client and I can't do it.

    The two sites are not on the same network.

    I can use Citrix to connect to other sites we work with, but not VPN.

    Is there a restriction on the 515E firewall that prevents me from talking to remote companies' internal LANs?

    No restrictions, but your sites need to know how to route to the IP address range you have assigned to the VPN clients. If you have an internal router, adding a static route pointing to the client address range via the inside interface of the PIX can solve this; redistribute the static into your IGP.

    Let me know if that helps; if not, come back with configuration details etc.

    Andy
