On ASA 5520 SSL certificate configuration

Hello

I have an SSL certificate from a third party that shows under the identity of ADSM, howerver analysis of verification of the firewall shows that the SSL certificate is signed with an unknown certification Authority. I installed through primary and secondary certificate from the third party under the authority of certification the SMDA but when I check the SSL certificate it still shows as self-signed. Don't miss what other measures. I have attached a few screenshots.

Thank you for your help.

Wo

Hello

You have activated the correct trustpoint in Configuration > device management > advanced > component settings SSL? On this screen, there a "Certificates" section where you can select the trustpoint appropriate for each interface.

The trustpoint will reference the certificate that you imported, and the interface will reference this trustpoint. Until you activate, the ASA will continue to use the self-signed certificate.

Hope that helps.

-Mike

Tags: Cisco Security

Similar Questions

  • ASA 5520 - SSL VPN (Anyconnect) licenses

    Hello

    Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium.  Our current license looks like this:

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5520 VPN Plus license.

    I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

    I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect.  The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

    Thank you

    Rob

    Hello

    The essentials license is per device and does not allow full-tunnel.

    If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

    Federico.

  • ASA 5520: SSL VPN by using a different IP address that the ASA public IP address

    Hi guys,.

    I'm trying to configure an SSL VPN on a Cisco ASA5520.

    Unfortunately port 443 interface OUTSIDE of the SAA is already used by Microsoft Outlook Web Access and I can not change the configuration of Outlook. This configuration already in place allows me to use the public IP address of the ASA as IP Cisco VPN for the Web page.

    I don't not want to use a different port so to keep life easy for users.

    I have a few available public IPs that I can use so I wanted to use one of them instead of the OUTSIDE of the ASA interface. Any idea how I could do?

    Thank you

    Dario

    Unfortunately you can not use any other public ip address, except the ASA outside IP interface to complete the SSL VPN.

    The only options that you have is to change the Outlook to use another port or the SSL VPN to use a different port.

  • SSL VPN using ASA 5520 mode cluster - several problems

    I configured 2 ASA 5520 s in the load balancing cluster mode. I connect using anyconnect and I download the customer the first time and everything works well except outlook. I don't know why outlook does not work.

    The second problem is after the anyconnect client is installed on your machine, he remembers that ASA (say ASA2) he first connected and the GUI shows the address IP of ASA2 instead of the virtual IP address of the cluster. I want users always connect using the virtual IP address.

    The third problem I have is there is a default group of SSL VPN and I want all users to use this group. In the initial web page, there is a drop down menu which shows that this group, but I still want to disable this menu drop-down.

    Any suggestions?

    To disable the drop-down menu, you can turn it off with the command

    WebVPN

    no activation of tunnel-group-list

    This will take care of your last issue.

    ***************************

    You can create a profile of the Anyconnect client with the name of the server you want to connect with and that make the ASA that will solve your problem of virtual IP.

    **************************

    Regarding Outlook, do you use specific ports which allows inspection of the ASA. Take a look at the list of inspection on the SAA and perhaps try to disable inspection and see if it works.

    *****************************

  • Cisco ASA 5505 and comodo SSL certificate

    Hey all,.

    I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

    Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

    On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

    What I'm missing here? I can post config if anyone needs.

    (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

    Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

    Thank you

    Bad Boy

  • Change of SSL/TLS group Diffie-Hellman on ASA 5520

    dh-group SSL control was introduced in 9.3 (2) which is not available to ASA 5520. Is others possible to force ssl vpn to use the diffie-hellman > 1024 bits on this system?

    Sorry miss-read the question.  As far as I know, we can't specify the Diffie-Hellman on the SAA group before 9.3 (2).

    --

    Please do not forget to select a correct answer and rate useful posts

  • ASA 5520 Active standby and ssl vpn loadbalancing

    I have a pair of Asa 5520 failover active rescue running. Can I use these two machines in a cluster of ssl vpn load balancing?

    N ° when a couple active / standby is part of a cluster of VPN, the rescue unit is still pending - she will not be actively terminate user sessions. Only the active cluster members (and non-failover) will do.

  • SNMP configuration on ASA 5520

    I was wondering if someone could provide me with basic configuration or a link to the basic configuration for the monitoring of SNMP on an ASA 5520.

    Thank you

    Chris

    SNMP-server host within the 192.168.1.185 community XXXXX

    ^ - Configures only host 192.168.1.185 can get snmp data

    Server SNMP community xxxxx

    ^ - open to everyone, if you want to

    location of Server SNMP-individuals

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Server enable SNMP traps syslog

    Server SNMP traps enable ipsec works stop

    Server enable SNMP traps entity config - change insert-fru fru - remove

    Server SNMP enable doors remote access has exceeded the threshold of session

    This should be the biggest part of what you need

  • The e-mail application does not connect to the Dreamhost servers. Perhaps because of how they configure their SSL certificate for their subdomains.

    http://wiki.DreamHost.com/Certificate_Domain_Mismatch_Error

    Certificate SSL of Dreamhost for their mail servers only at one level of subdomain while many of their clusters of e-mail exist on a second level subdomain. In my view, this translates into an error message 'bad security' of the e-mail application.

    I contacted DreamHost and they say they are unable to solve this problem, or that they will allow me to install an SSL certificate on my virtual domain pointing to my cluster e-mail (even if I had to buy a).

    I understand, it is possible to manually add certificates via adb in a way similar to this: http://www.pending.io/add-cacert-root-certificate-to-firefox-os/

    However what I read this: 1. does not work on the ZTE Open 2. Can only fix only navigation not the web mail client.

    Is there any option that is available to me short of switching hosts?

    Fabian,

    Are you familiar with Firefox OS? The reason why I say this is because the e-mail client cannot create an excaption certificate. In fact, it's design. It's design: https://wiki.mozilla.org/Gaia/Email/Features#Security

    This request for support to Mozilla was placed specifically for the product Firefox OS, for which there is only a single mail client.

    That said many people in the Mozilla Bugzilla, have been able to show me how to find another alias for those servers that actually works and in fact corresponds to SSL certificates. Although Dreamhost support could not provide me with any such information, and such information is not actually in the DreamHost wiki.

    I have a repeated insistence of Dreamhost possibility I should just live with the exceptions of SSL certificate, when there is real existing valid server names to match the certificates in question, silly.

    The fact that you post this solution for one product, so that it is not yet applicable beyond useless. It serves to muddy waters.

  • ASA uses that certificates self-signed after upgrade to 9.4.1

    I came across a strange issue after upgrade to 9.4.1... (from 9.3)

    However I access the ASA (browser, Anyconnect, etc.), it offers only a self-signed certificate even if an appropriate SSL certificate installed.

    I checked:

    SSL-trust VPN_Portal_TP point
    SSL-trust outside VPN_Portal_TP point
    SSL certificate authentication CAF-timeout 5
    interface outside port 443 SSL certificate authentication

    is configured.

    • CA is installed, too.
    • Reinstalled all certififcates.
    • Reassign the Trustpoints

    Any ideas would be greatly appreciated... Thank you!

    I did have time to test this out on my laboratory unit yet, but there's a thread related here.

    I'm not positive on the standard resolution immediately - it will bring close watch.

    Perhaps the first person to prosecute TAC may share the resolution.

  • ASA 5520 - VPN using LDAP access control

    I'm setting up an ASA 5520 for VPN access.  Authorization & authentication using an LDAP server.  I have successfully configured tunnel, and I can access internal resources.  What I want to do now is to limit access to a specific ad group membership.  In the absence of this belonging to a group, a user cannot access the VPN.

    My VPN client software testing is Cisco Systems VPN Client 5.0.05.0290 Version.  The Group authentication is configured in a connection entry that identifies the Group of Tunnel. I think I wrote that correctly.

    The Version of the software on the SAA is 8.3 (1).

    My current challenge is getting the VPN to stop letting each request for access through little matter belonging to a group.  I found the thread below to be significantly useful, but there is obviously something which is not entirely mesh with my situation.

    https://supportforums.Cisco.com/message/3232649#3232649

    Thanking all in advance for everything offered thoughts and advice.

    Configuration (AAA LDAP, group policy and group of tunnel) is below.

    AAA-Server LDAP protocol ldap
    AAA-Server LDAP (inside) host x.x.y.12
    Server-port 636
    LDAP-base-dn dc = domain, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
    enable LDAP over ssl
    microsoft server type
    LDAP-attribute-map LDAP_MAP
    AAA-Server LDAP (inside) host x.x.y.10
    Server-port 636
    LDAP-base-dn dc = domain, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
    enable LDAP over ssl
    LDAP-attribute-map LDAP_MAP
    AAA-Server LDAP (inside) host x.x.y.11
    Server-port 636
    LDAP-base-dn dc = domain, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
    enable LDAP over ssl
    microsoft server type
    LDAP-attribute-map LDAP_MAP

    AAA-Server LDAP (inside) host x.x.y.10
    Server-port 636
    LDAP-base-dn dc = domain, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
    enable LDAP over ssl
    LDAP-attribute-map LDAP_MAP
    AAA-Server LDAP (inside) host x.x.y.11
    Server-port 636
    LDAP-base-dn dc = domain, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
    enable LDAP over ssl
    microsoft server type
    LDAP-attribute-map LDAP_MAP
    !
    internal group NOACCESS strategy
    NOACCESS group policy attributes
    VPN - concurrent connections 0
    Protocol-tunnel-VPN IPSec webvpn
    address pools no
    attributes of Group Policy DfltGrpPolicy
    VPN - 10 concurrent connections
    Protocol-tunnel-VPN IPSec webvpn
    enable IPSec-udp
    vpn group policy - pro internal
    vpn - pro group policy attributes
    value x.x.y.17 x.x.y.27 WINS server
    Server DNS value x.x.y.19 x.x.y.29
    VPN - 50 simultaneous connections
    Protocol-tunnel-VPN IPSec svc
    group-lock value vpn - pro
    field default value domain.com
    value of address ip-vpn-pro pools
    WebVPN
    client of dpd-interval SVC no
    dpd-interval SVC 1800 bridge
    !

    attributes global-tunnel-group DefaultRAGroup
    LDAP authentication group-server
    LDAP authorization-server-group
    Group Policy - by default-vpn-pro
    authorization required
    type group tunnel vpn - pro remote access
    attributes global-tunnel-group-vpn - pro
    LDAP authentication group-server
    Group-server-authentication (LDAP outside)
    LDAP authorization-server-group
    Group Policy - by default-vpn-pro
    band-Kingdom
    password-management
    band-band
    authorization required
    type tunnel-group NOACCESSGROUP remote access
    attributes global-tunnel-group NOACCESSGROUP
    LDAP authentication group-server
    NOACCESS by default-group-policy

    Hello

    The configuration of what you are looking for is a feature called DAP (Dynamic Access Policy)

    The following link will explain how to set up the same.

    http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • ASA 5500 SSL VPN Failover license

    Hello

    I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

    His question is:

    Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

    This would also be true for two security contexts that are included with the firewall?

    For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

    Here is my response to his request:

    Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

    It was mentioned that:

    "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

    It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

    Thanks in advance!

    Ice Flancia

    Cisco partner Helpline Tier 2 team

    Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

    2 SSL included license on SAA in failover pair is combined as 4 license SSL.

    2 license of background on ASA in failover pair is combined as license frame 4.

    Here's the URL on ASA combined license failover:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

    Hope that helps.

  • Is supported PPTP vpn cisco ASA 5520 firewall?

    Hi all

    I'm Md.kamruzzaman. My compnay buy a firewall of cisco asa 5520 and I want to configure PPTP vpn on asa 5520 firewall. Is it possible to configure the PPTP vpn to asa firewall. If possible can you please tell me what is the procedure to configure the PPTP vpn.

    Best regards

    MD.kamruzzaman

    Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.

    You may terminate IPSec and SSL VPN but not of type PPTP.

    If you are new to the ASA, how best to configure the supported VPN types is via the VPN Wizard integrated into the application of management of ASSISTANT Deputy Ministers.

  • See 4.5 Security server problems since installing SSL certificate

    I'm having some very strange problems with my view view connection Server 4.5 (front and back) running. I hope someone could shed some light on the problem, because I have tried everything I know to do this job properly.

    Before installing a certificate self-signed server of external connection again, I was running the default VMware certificate. Everything worked very well in this configuration. I installed a new self-signed certificate and now I'm having intermittent problems, the connection to the server:

    1. in the connection from a windows machine I CAN reach the site URL/HTTP to download the client from the view. Once I run the client to view I got the following error: failed connection to connect to the server view. Network error.

    2. I tried to connect via the IP address of the server, ensure that the external URL is correct (everything worked fine before the installation of the SSL certificate).

    3. completely removed security server and reinstalled, restart the services etc. Still not connect on some machines. Connecting from a Wyse compatible iPad still works, never a problem.

    4. If I connect the VPN of the company on the machine that does not work, then launches the Client to view and connect everything works as it should. When I disconnect the VPN and try to connect again, I can connect very well! So I need to connect to the VPN to connect to browse... its really weird. I checked DNS etc and everything is identical with the default certificate. I did so that machines that have problems approve the certificate and I also followed the Cisco ASA firewall logs, I do not see happneing anything different between periods of work and does not.

    Someone at - he never lived something along these lines or can think of anything I can try?

    Thank you!

    I came across this same thing.  The conflict is between the customer to view and your new self-signed SSL certificate.  More precisely the thing causing the problem is the version of the wininet.dll file provided with IE8.  The wininet.dll file provided with IE8 causes some kind of conflict with the customer view 4.5 (if using other SSL certificate that the server generated one) and will not allow the client to view 4.5 software to connect to your server security.  I reported this to VMware (2 weeks ago) so that they should be aware of the problem.

    If you remove your new SSL certificate and return to the one created by the display server then everything works perfectly again.  If you are using a machine with IE6 or IE7 XP remove IE8, it also works very well.  I tried taking the file wininet.dll from XP SP3 IE6 machine and restore this file after installing IE8 and everything seemed to work ok, but probably not the best solution.

    Bottom line is until VMware resolves the conflict with their client to view, you may not use any SSL certificate (other than that of the server is) If you are going to connect to windows machines running IE8 or newer.

  • How to accept a new ssl certificate in Thunderbird?

    7.15.15
    I can't get or send emails on my cell phone two days ago.
    - Neither the "Configuration Options for certificates" worked to bring in the certificate that I use that allows you to send and receive e-mail. Under the "Digital Signature" or "Encryption" when I press "Select" to select a certificate, I get the pop-up message "Certificate Manager cannot locate a valid certificate... ». When I press 'View certificates' certificate that I use is listed under 'Servers' and the 'authorities' and is up to date.
    -In addition, under Tools - Options - Advanced - certificates for: "when a server requests my personal certificate", I selected "Ask Me every time" and left "query OSCP responder servers to confirm...". ', the box is checked.

    I think that this problem is bound to accept a new ssl certificate has been recently renewed. I've never had this problem before. How to start accepting a new certificate?

    Thank you.

    No you can not communicate with the server using a common product of Mozilla. In a short while you will not be able to co interact with it with any product. The operator/administrator of the server needs to fix their server to issue certificates 1024-bit or better. Or stop using TLS.

    The best explanation of this change and it's because I've seen is here https://weakdh.org/
    (right at the bottom of the page is what you need to do stuff)

    In essence, that the server does not have a security flaw serious patched and Mozilla products have been modified to not interact with servers that have not corrected the vulnerability. Vulnerability leaves you open to man in the middle attack on piracy.

Maybe you are looking for