Migrate certificates on Cisco ASA

Hello

I'm migrating an ASA5520 to an ASA5525-x. I'm just going through the configs and copy the bias.

How can I migrate on certificates?

Thank you

If it's a public certificate signed PKI, not easily. You must have the private key of the server (ASA) for use on an another ASA. Unless you checked exportable at creation time, it is not exportable by default.

You could inform you as to whether the issuer will be re-edited if you submit a new CSR.

Tags: Cisco Security

Similar Questions

Cisco ASA 55xx. Backup/restore an external certificate signed with ASDM

I have a Cisco ASA 5510, which is used for our VPN. It has an externally signed certs from Digicert. I replace the 5510 with a Cisco 5545 and wondered with ASDM can I save the cert of the 5510 and give the 5545. Or should I get an another reissued certs from Digicert and install from scratch. Is there something to look out for that set games with public/private keys, etc. Please let me know.

You guessed it right, Edwin

As long as you want just to maintain the certificate configuration, it is what you need to.
Make sure that you install the root and root under new ASA certificate as well as one can extract this PKCS12 certificate.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Renew the certificate of identity on Cisco ASA 5505, do I have to renew all user certificates?

n00b questions.

I have to renew my SSL certificate of identity soon on my Cisco ASA 5505. I'll have to renew all my certificates for client on their devices, so they can establish a vpn tunnel?

Hi dsartoros,

If you encounter a self signed (generated locally) identity certificate renewed, then you will need to download this certificate on the clients so that they can connect without getting "untrusted server certificate error".

If you renew a certificate issued by a 3rd party CA (sending of CSR to CA) and certificate, then you will not need to make any changes on the client as they already trust the certification authority that issues the certificate first root.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Cisco ASA IPSEC from the understanding of a site to tunnel auth using certificates

assuming that my company and another company (BBT) attempt to set up a tunnel to a site by using certificates. lets say we have asa 5520 s and have agreed to use says that our certification authority.

On my end, I do registration certificate using SCEP Protocol and suggests that the end BBT is set up exactly the same way.

First, I generate a pair of keys RSA - Im assuming that it is key to my ASA public private for the encryption and decryption-(pls correct me if wrong Im)

Then I set up a trustpoint to registration certificate (in this case, it will be Server CA Entrust). I will set up my full domain name and the parameters of CRL.

Then, I get a certificate of the AC CA. This package contains a fingerprint of the certificate which is loaded on my ASA. apparently - the fingerprint of the certificate is used by the 'end' entity to authenticate the received CA certificate. Why would the final entity to authenticate a CA certificate that has already been installed on this subject?
In other words, what really does this print? Surely this cant be the same footprint that GETS installed on the BBT ASA?

Finally, I request and install a certificate of identity. It asks for a password? I believe that it is used in case I want to make changes to the certificate, such as the revocation of the certificate. (Once again, please correct me if wrong Im)

a few additional questions

during the phase of authentication isakmp how my asa verifies that the certificate that the ASA BBT sent was indeed signed by the certification authority approved. How exactly?

My ASA and ASA BBT must trust the same CA. In other words, it must be set up the same trustpoints?
or can I have to entrust CA server as a trustpoint and verisign?

How the certificate authentication process works since the ASA receives valuable traffic through the exchange of encrypted data?

1 million thanks!

Hello west33637,

You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

I would try to separate your questions and see if I can answer. I will speak without using the SCEP Protocol because it adds a layer of complexity that can be confusing.

(Q) Comment can I get a certificate?

1 generate a RSA key pair. A pair of RSA keys as you indicate has a public and private key. Public and private keys are large number created by multiplying the other prime number (very simple explanation). These keys are used for encryption simple control. The private key is kept private and never awarded. The public key is provided for everyone through the certificate received from the device.

Data encrypted by the public key can only be decrypted by the private key and vice versa.

more details here: http://en.wikipedia.org/wiki/RSA

2. we create a trustpoint (container to configure and set parameters in the certificate). In the trustpoint that we associate the RSA key pair, give a name (usually the FQDN of the server that will present this certificate), configure if certificates that are authenticated by the trustpoint must also be checked in the LCR... etc.

3. then we can create CSR using the crypto ca enroll command. Now, we take this REA and provide it to Entrust. If this is done via the SCEP protocol you would have already done the next step of the authentication of the trustpoint.

4. When you receive a certificate from a third party, such as Entrust, they should also provide the certificate chain that allows the authentication of the certificate that they have signed all the way upward at the root (self-signed certificate server, the certificate must already be approved by most of the systems of operation/web-browsers). We want to install the string in the ASA because the ASA does not trust any certificate by default, it has an empty certificate store.

5. on the SAA, we now install the string provided by Entrust. Usually your identification certificate will be signed by an intermediate CA, just like the certificate of supportforums.cisco.com. Trustpoint ASA system for a CA (root or intermediate) and an ID (identity) by trustpoint. So we will probably have at least a trustpoint more.

Crypto ca trustpoint Entrust_ROOT

Terminal registration

output

authenticate the crypto ca trustpoint Entrust_ROOT

Don't forget to use trustpoint names who will lead them to you and your organization. Create a trustpoint for each of the CA certificates except for the signer of the certificate direct to your ID. Authenticate the signer directly in the trustpoint even where you install your certificate ID.

the import of crypto ca trustpoint ID certificate.

You should now have a fully usable authenticated certificate. PKCS12 import require a certificate to decrypt the private key that is stored in a PKCS12. But if you generate your CSR on the same device that when you install the certificate, then it would not need to export PKCS12 and a password.

---

A small side is not on the signature, a signature of certificate (fingerprint), also known as the name of a digital signature is a hash of the certificate encrypted with the signer's private key. As we know, whatever it is encrypted with a key only can be decrypted by the public key... all those who approves the signer's public key. So when you receive the certificate, and you already trust the signer, then 1) to decrypt the signature and 2) check that your certificate hash table corresponds to the decrypted hash... If the decrypted hash does not match then you do not trust the certificate.

For example, you can watch the certificate for supportforums.cisco.com,

The topic is: CN = supportforums.cisco.com

The subject of sender (signatory) is CN = Akamai subordinate CA 3

Akamai subordinate CA 3 is an intermediate certification authority. It is not self-signed

CN = Akamai subordinate CA 3 issuer is CN = GTE CyberTrust Global Root

CN = GTE CyberTrust Global Root is a certificate root (Self signed).

We would like to install this entire chain in the ASA so that we can provide this certificate and chain to any device and safely as long as this device trusts CN = GTE CyberTrust Global Root, then it should be able to verify the signatures of the intermediary and, finally, our certificate of identity of us trust.

---

Looking for another post to do a quick discussion about how the certificate is used in ISAKMP and IPSec.

Kind regards
Craig

Cisco ASA 5505 and comodo SSL certificate

Hey all,.

I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

What I'm missing here? I can post config if anyone needs.

(My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

Thank you

Bad Boy

Cisco ASA - ASDM will not launch (Please wait while the certificate information to be retrieved)

I have a problem with a Cisco ASA 5505. ASA 9.0 (3) / ASDM 7.4 (1).

I did a factory reset, format flash, all copied from tftp.

Config copied from another SAA. Subsequently changed the host name entries.

connect host name

Crypto ca trustpoint ASDM_TrustPoint0
name of the object CN =connect
Crypto ca trustpoint ASDM_TrustPoint1
name of the object CN =connect

ASA works very well and the home tabs & follow-up in the works of the ASDM, but I'm not able to work on the configuration using ASDM :(

When I go to the Configuration tab, I get this message (which remains forever):

Please wait while the certificate information to be retrieved

I tried a 'webvpn all come back' and backup/reloading. Did not help.

Error message and flash content - see photo attached.

Suggestions are greatly appreciated.

ARO

Nils

HI Nils,

Please use the asdm 7.4.2 who has a lot of bugs.

Thank you

VR

CSCux29978 - Cisco ASA IKEv1 and IKEv2 buffer overrun vulnerability - 1

Hello

im confused. In the Advisory secruity on this bug https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

He said not "affected" in the line of the main version of ASA 9.1. 9.1 is so affected by this bug and we need to upgrade to 9.1. (7) or not?

regarding

Christian

Hi Christian,

According to the chart, the only version not affected is code 8.5 9.1 code, you must update to 9.1.7 to be safe from this vulnerability.

Cisco ASA Major Release	First version fixed
7.2¹	Affected; migrate to 9.1 (7) or later version
8.2¹	Affected; migrate to 9.1 (7) or later version
8.3¹	Affected; migrate to 9.1 (7) or later version
8.4	8.4 (7.30)
8.5¹	Not affected
8.6¹	Affected; migrate to 9.1 (7) or later version
8.7	8.7 (1.18)
9.0	9.0 (4.38)
9.1	9.1 (7)
9.2	9.2 (4.5)
9.3	9.3 (3.7)
9.4	9.4 (2.4)
9.5	9.5 (2.2)

It may be useful

-Randy-

Cisco ASA with Microsoft CA but arrive CRL

Hi all

I'm going through the old VPN IPsec of Cisco AnyConnect VPN. We want to keep two-factor authentication, so I install a Microsoft stand-alone certification authority (cannot use local ASA CA as we have two units of the SAA in failover). MS it works very well, I delivered the of CA root certificate to the ASA and not issued certificates of the certification authority for client computers that connect using AnyConnect no problem.

My problem is that everything I try I can not get the ASA to retrieve the Revocation list. Many guides, I followed the State that you just add the CRL to the certificate root, then the SAA should pick this up by using the option "use CRL Distribution Point certificate." I tried also manually add LDAP url and try recovery like that (although I don't know about the url I used) and I always get just "cannot retrieve or check the Revocation list. Does anyone have any experience with this or know what I'm doing wrong?

Thank you

Rob

You have the right URL in the certificate? I have seen so many times that the CDP has been incorrectly configured with only a host name instead of a FULL domain name that does not able to solve the modem-router VPN.

L2l with certificates between 2 ASAs

Hi all

I want to set up a VPN L2L/Site-to-site tunnel, which authenticates by using certificates.

In fact I am following this guide-> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

I configured the tunnel group on both ends, with the trustpoint configured, authenticated and accepted specified.

I correspondent isakmp policies at both ends, and of course my cryptographic cards contains 3 identical lines - set peer match access-list and transformation-a set cryptomap. Next to those, there are 2 identical lines for life. I haven't specified the trustpoint in encryption card while it is not indicated in the top link (guide) to do, even if I tried, without different result. Debugs him happens exactly the same each time:

Debug the cry isa 10: (on the remote end)

TEST-ASA-RA # debug cry isa 10

TEST-ASA-RA # Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 208

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, SA payload processing

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Oakley proposal is acceptable

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received NAT-Traversal worm 02 VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, worm received 03 NAT-Traversal, VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received NAT - Traversal RFC VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received Fragmentation VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: true

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE SA payload processing

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build the payloads of ISAKMP security

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, construction of Fragmentation VID + load useful functionality

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + CERT_REQ (7) + CERT_REQ (7) seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 374

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, processing ke payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing ISA_KE

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, nonce payload processing

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment certificate request payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment certificate request payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, the customer has received Cisco Unity VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received xauth V6 VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment VPN3000 / ASA payload IOS Vendor ID theft (version: 1.0.0 capabilities: 20000001)

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received Altiga/Cisco VPN3000/Cisco ASA GW VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building ke payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building nonce payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building certreq payload

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build payloads of Cisco Unity VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, constructing payload V6 VID xauth

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Send IOS VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilities: 20000001)

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build payloads VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Generating keys for answering machine...

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + CERT_REQ (7) seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 298

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, RRs would fragment a new set of fragmentation. Removal of fragments of old.

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, assembled with success an encrypted pkt of RRs would be fragments!

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + GIS (9) + IOS KEEPALIVE (128) + CERT (6), SELLER (13) + (0) NONE total length: 1987

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing ID

Jul 07 11:36:18 [IKEv1 DECODER]: IP = 80.62.240.136, ID_IPV4_ADDR received ID

80.62.240.136

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing cert

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment of RSA signature

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, calculation of hash for ISAKMP

Jul 07 11:36:18 [IKEv1 DECODER]: Dump of Signature received, len 256:

0000: 8D97FE83 CDA9CEB2 A5D7F63F 0FAA76A4...? ... c.

0010: 21F229A8 2A714C2D 12F16ABF 08E44664!.). *... qL j... FD

0020: 0D95A510 0AFFA63B 815CCBB0 B7C708CF...; \......

0030: 31246316 0E93E084 59395461 118C 9251 $1 c... Y9Ta... Q

0040: 823A36CB 55F2F59C 3342326D 251F8B7A. : 6.U... 3B2m %... z

0050: B9C9F916 C403A4D1 59DA3AA8 932312C 0... Y.:.. #..

0060: 88476460 E9C9A07C 5671C18D A9202382. GD'... | DV... #.

0070: 441F47AF 74E407B1 DB06B929 406E993D D.G.t...) @n. =

0080: A7C149FA 1677D1A2 E3105356 4E205E45... I have... w... SVN ^ E

0090: 06D2CB2A B6BF638E 0910283C 7FF6BAE2... *... c... (<>

00 to 0: 3F97ADF5 19B 78872 69C0346B 7EF89FAE?... ri.4k... ~

00B 0: 456E26CF 52CC296B 11F6AE68 2498024C en &. R) k...h$... L

00C 0: 74658112 you 16121A 68 h

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IOS treatment keep alive payload: proposal = 32767/32767 sec.

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID

Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, DPD received VID

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, trying to find the group via IKE ID...

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, connection landed on tunnel_group 80.62.240.136

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, ID type homologous 1 received (IPV4_ADDR)

Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, identity of IKE for peer name incompatibility Cert subject Alt

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, case of mistaken IKE MM Responder WSF (struct & 0xd3dcecf0) , : MM_DONE, EV_ERROR--> EV_COMPARE_IDS--> MM_BLD_MSG6, MM_BLD_MSG6, NullEvent--> MM_BLD_MSG6, EV_VALIDATE_CERT--> MM_BLD_MSG6, EV_UPDATE_CERT--> MM_BLD_MSG6, EV_TEST_CERT--> MM_BLD_MSG6, EV_CHECK_NAT_T, EV_CERT_OK--> MM_BLD_MSG6

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, IKE SA MM:1e531705 ending: 0x0100c002, refcnt flags 0, tuncnt 0

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, sending clear/delete with the message of reason

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, payload of empty hash construction

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, constructing the payload to delete IKE

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, build payloads of hash qm

Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 5a228b67) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, Removing peer to peer table does not, no match!

Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, error: cannot delete PeerTblEntry

Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)

Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)

Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)

Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

Then, it waits a bit and start over. No matter if I am trying to establish the tunnel network or remote endpoint - there is no difference in the result.

I made a line of debug output "BOLD" - I don't the have not seen this before, don't think that devices Cisco used this alternative area? Thought it was Microsoft?

1 thing is a reference to the certificates - I use my won Microsoft PKI based on 2003 servers. I have 1 Root CA and 2 subordinates. The root CA is stopped. During the construction of my trustpoints, I start to do my request, give it to one of subordinates, gets my identity certificate and save it on my computer. Then check the chain, which looks always good - RootCA-> SubordinateCA-> ClientCert. Then I extracted the subordinate cert, to authenticate my trustpoint and finally I import the certificate of identity. No complaints, it of all good - and actually working like a charm for my EZVPN configurations.

So I do not think the problem it's with the certificates, although the release said that there is an incompatibility with the other name in question.

The debugging online after this statement, I understand not quite - maybe someone can help me with this? Because right after this line, he begins to destroy the tunnel.

I can provide from configs if necessary, but really, it corresponds to the configuration contained in the guide.

/ Peter

Can you check the "crypto isakmp identity" command on both sides? He looks like a side sends the IP, when it expected the certificate DN is the name so it can match the value in the cert.

Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, ID type homologous 1 received (IPV4_ADDR)

Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, identity of IKE for peer name incompatibility Cert subject Alt

-Jason

move the SSL Cert from one device to another on Cisco ASA

Hi all

Is it possible to have a certificate SSL + key of a cisco asa to another? I hope its possible and if anyone can guide me to fix the documentation that would be perfect.

Thank you

Manish

Hello

This document will do it for you

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809fcf91.shtml#copycert

Check the How to copy one ASA to another SSL certificates

Kind regards

Any other questions... Sure... Be sure to note all my answers.

Using IKEv2 from Microsoft with Cisco ASA

Hello

I just want to confirm something, if I can put this issue to rest.

We have a Cisco ASA 5505 running OS 8.4

For remote access, we have the configuration of SSL VPN to include IPSec (IKEv2).

With the help of our AnyConnect client works. No problem.

The issue is on my Windows 7 computer when I place a remote access profile I choose IKEv2 (PPTP or L2TP/IPSec). However, this does not work.

It error to say that he "cannot find a matching policy. I'm assuming what he mean't he couldn't find any political IKE. I have added other policies of IKE, which has find a match, but ASA connects the barks by saying "IKE neogoiation fails in search of a certificate or a preshared key".

There is no option for inputing a pre-shared for IKEv2 on Windows 7 with its profile.

Therefore, I think that on the ASA 5505 IKEv2 is only used for remote access with the AnyConnect client (or the client AnyConnect Secure Mobility) and NOT with other clients like Microsoft IKEv2.

Is this really the case? Or can I use IKEv2 integrated with Windows 7 to access remotely the ASA 5505 enabled for IKEv2 for remote access (and not as a site-based virtual private network)? If so how did you get it to work. It is an empty topic of discussion on the Internet.

Thank you!

-rya

Hi Rya,

I don't think there are changes to this recently but ASA doesn't work with anyconnect with IKEv2.

I recently wrote about this in my blog

https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2011/02/08/ASA-84-IPSec-VPN--whats-new
(Point 4)

Frankly I did not follow developments of this features recently, so I might have missed something.

Marcin

False claims RADIUS of customer VPN Cisco ASA 5510

Hello world

I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

What is the source of such behavior?

The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

Debugging of ASA:

-First application-

RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

-The second request-

RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

GBA debug:

-First application-

AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

-The second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

The ASA config:

Crypto ikev1 allow outside
Crypto ikev1 allow inside
IKEv1 crypto ipsec-over-tcp port 10000
life 86400
IKEv1 crypto policy 65535
authentication rsa - sig
3des encryption
md5 hash
Group 2
life 86400

!

internal Cert_auth group strategy
attributes of Group Policy Cert_auth
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list aclVPN2
the address value vpnpool pools
rule of access-client-none

!

attributes global-tunnel-group DefaultRAGroup
address (inside) vpnpool pool
address vpnpool pool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
Group Policy - by default-Cert_auth

!

RADIUS protocol AAA-server RADIUS01
AAA-server host 10.2.9.224 RADIUS01 (inside)
key *.
RADIUS-common-pw *.
AAA-server host 10.4.2.223 RADIUS01 (inside)
key *.

Hello

It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

If you remove this line:

authorization-server-group RADIUS01

you will see that it starts to work properly

In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

HTH

Herbert

How to configure ASDM Cisco ASA 5505

I have a Cisco ASA 5505 firewall, and currently it is a command-line firewall. I want to configure ASDM so that I can use it as a Web based GUI interface.

I don't really know what to do. Can someone help me please how I can configure ASDM on my firewall.

Kind regards

Naushad Khan

Hi Naushad,

First of all, must load the image ASSDM on SAA and then use the command:

ASDM image dosk0: / asdm645.bin (if the image name is asdm645.bin)

then:

Enable http server

http 10.0.0.0 255.0.0.0 inside (if your machine is 10.0.0.0 subnet behind inside the inetrafce)

Go to the machine, open a browser and type:

https://

It will open the GUI.

Thank you

Varun

Please evaluate the useful messages.

Cisco ASA 5500 Series 4-Port GE SSM

Currently, we have 2 asa 5510 firewall and need to add the

Cisco ASA 5500 Series 4 - Port GE SSM extension module. Can it be added when the device is turned on and running or the firewall must be turned off to install the plug-in?

Hello

You could try to ask this question of the team of firewall, as this page from the community for the physical security and video surveillance. The team of firewall is located here:

https://supportforums.Cisco.com/community/NetPro/security/firewall

Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.

I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...

Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.

If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "

One way is not good and the other real harm.

Migrate certificates on Cisco ASA

Similar Questions

Maybe you are looking for