Cisco Security :: Configuring SSL Certificate On ASA 5520
Jun 20, 2011
I have a SSL certificate from a third party that is showing under the Identity in ADSM, howerver the audit scan of the firewall shows that the SSL Certificate Signed with an unknown certification Authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ADSM however when I verify the SSL certificate it still shows as self-signed. What other steps do I miss. I have attached some screenshots.
View 2 Replies
ADVERTISEMENT
Oct 24, 2011
I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.In the connection profile i have set up that users should authenticate using both certificate and AAA.Due to a high security requirement, the user certificate is issued from a 3rd party. This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.Problem:If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
View 1 Replies
View Related
Mar 26, 2012
We currently are using the anyconnect client using certificates for authentication (ASA 5520 v8.4). It works pretty good but I can only get it to work on a profile basis on the clients laptops. We are running windows 7 and if multiple users need VPN i have to install the certificate for each user. I have changed the xml profile to read the certificate store to "all" and true for certificate store override. I am installing the certificate in the trusted root certificate store. Is there a way for the anyconnect to authenticate for all profiles (users) for the laptop?
View 0 Replies
View Related
Jun 21, 2012
I have a Cisco 5520 using ASDM 6.4
Currently my VPN settings use a shared key without certficate to access the VPN. I would like to now set up a self assigned certifcte from the ASA to get users to import the certficate in order to VPN..
View 1 Replies
View Related
May 28, 2012
I am setting up Clientless Anyconnect on ASA 5520. I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error. FYI I have the Primary Cert Authority Installed already?
View 1 Replies
View Related
Apr 18, 2012
I'm trying to export identity certificates from an ASA 5510 to 5520, I'm exporting in pkcs12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from cli or asdm.
View 1 Replies
View Related
Oct 25, 2011
I have an issue when I´m trying to authenticate my iphone&blackberry device with ASA 5520 using certificates. It seems that certificates are working fine, pass the ike phase 1 but never complete the phase 2. When i use pres hared keys everything works fine with both devices.
If you consider necessary, i can provide my current configuration in asa.
View 2 Replies
View Related
Sep 21, 2012
I've got a Cisco 851 running IOS12.3. I'm trying to install a SSL Certificate but after following all the instructions and installing a CA certificate I'm not getting the full chain of authority in a browser just the devices certificate itself. I've repeated the installation process using individual CA certificates all up and down the chain but still the same results.
View 1 Replies
View Related
Feb 12, 2009
Is it possible to generate CSR using SH1 instead of md5 on Cisco 1841 for SSL VPN, because the provider that I try to use doesn't accept md5. Also tried to import there private key and got an error "Error: invalid PEM boundary"
View 4 Replies
View Related
Apr 15, 2011
We have the acs server which has the ssl certficate(certifcate authority) running in acs 3.2 windows version for eap-tls enduser authentication.
We want the same to be migrated to acs 4.2(appliance) application. I have tried in different ways to push the certificate but i couldn't.
I have tried Thru System Configuration --> ACS Certificate Setup --> Install ACS certificate --> Download certficate file In that i have mentioned the FTP server IP address, credentials, path and file name
But if i submit the request its giving the directory not found or credentials wrong.
In FTP logs its showing like this
Apr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 PASS welcome2acsApr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 230 User logged inApr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 FTP: Login successfulApr 15, 2011 19:41:55 Session 4, Peer
[Code].....
View 2 Replies
View Related
Sep 29, 2009
I am attempting to install a third party SSL cert (GoDaddy) to properly secure the external interface of my 1811 ISR so that I can implement SSL VPN. I have tried using SDM 2.5, but that doesn't appear to be working. I am familiar with doing this on a Cisco 3005 Concentrator, but I'm not aware of how to install an intermediate cert on the 1811 (or if it's even possible), in order to properly have the GoDaddy cert properly imported and used for SSL VPN. I have gone through the CSR process and have the initial cert from them generated and have imported it, but it never appears to be identified correctly if I browse to the external interface on the router. The router always defaults to its self-signed cert.
View 1 Replies
View Related
Feb 9, 2011
We have NAC 4.0.5 and windows active directory domain the clients log on to the client to access the network with their domain credentials and they used to get the "Certificate is issued from an untrusted." until I installed the url.. certificate to the local certificate store.
I seem to have done something on the NAC manager that messed up something, cause now the client considers the certificate issued from a trusted source, BUT a warning stating that the name on the certificate does not match the name.
View 1 Replies
View Related
Apr 17, 2013
I am having anyconnect version 3.1.03103, windows7 & 8 and asa 5520 (8.4). I have gone through alot of work to solve this issue but it not hapening. On clientless ssl vpn it prompts me for manual certificate selection but on anyconnect client it is not. profile configuration is mentioned below. In the highlighted line below i have changed UserControllable="true" still no results.
<?xml version="1.0" encoding="UTF-8"?>
-<AnyConnectProfile xsi:schemaLocation="[URL]" xmlns:xsi="[URL]" xmlns="[URL]">-<ClientInitialization>
[Code]....
View 0 Replies
View Related
Jul 11, 2012
i have a problem with some sites! i cant access to them ! some sites are hotmail, this one, and many other! the msg that i see every time is : There is a problem with this website's security certificate. The security certificate presented by this website has expired or is not yet valid.
[code]...
View 4 Replies
View Related
Dec 16, 2011
I have bought and installed a 2048bit certificate from Thawte on a ACE20-MOD-K9 module. The appliance can't use it and gives the following error: "This certificate cannot be verified up to a trusted certfication authority."I have contacted Thawte about this and they suggest to install an intermediate certificate from Thawte on the module, but I can't find such a certicicate for Cisco on their site. Also I'm not sure how to go about implementing such an intermediate certificate on the ACE.
View 1 Replies
View Related
Dec 15, 2012
We have an IAS (Internet Authentication Server) to authenticate all our network devices. This server is integrated with our local AD server so that we can use our domain credentials to login into the netwoerk devices. i have successfully configured all our L2 & L3 switches with IAS but facing issue with ASA 5520. Below is the config i have applied on ASA. When i am testing the authentication with IAS server, i am getting "Authentication Successful" message.
aaa-server AAA protocol radius
aaa-server AAA host 10.91.38.70
key *****
[Code]....
Also when i am trying to telnet the Firewall, i am directly getting password promt. I should first get the username promt wherein i can enter my domain username.
View 1 Replies
View Related
May 15, 2012
My issue occurs on ALL of my home computers (MacBook and iMac using wi-fi) and ALL of my browsers (Safari, Firefox, Chrome).The problem:- Security Certificates: They pop up daily for Facebook mostly, but also Twitter. I will click Continue, which takes me to...- 404 Error/Page Not Found Error: After the Certificate error mentioned above, this happens. Mostly to YouTube. It will stay like this for a few hours. I've cleared cache, rebooted, etc. etc. Nothing works.- Images turn into little blue boxes with a question mark in them. **When this happens, it's an indication that a Certificate box will pop up out of the blue.- Even on Google.com, it will say: Invalid URLThe requested URL "/", is invalid.Reference #9.df260e6b.1336506889.420cf4fSo what can I do? It happens on both my Macbook Pro and iMac - both connected wirelessly to a Linksys router/cable modem. The router is Wireless-N Broadband Router WRT160Nv3 with Firmware Version: v3.0.02.
View 1 Replies
View Related
May 14, 2011
I am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.
View 2 Replies
View Related
Jun 20, 2011
I present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?
View 3 Replies
View Related
May 28, 2012
I have some troubles configuring split-tunneling on ASA 5520.Number of remote users establish ipsec connection with ASA 5520 (in central office) using ubuntu vpnc-client.Split-tunneling is in use, to allow remote users to surf Internet using their ISP.The goal is to remove the possibility to ssh/telnet servers inside corporate LAN for remote users. [code]
There is nat enabled on interface, but there is special statement in nat0 ACL for 192.168.100.0 subnetwork access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0.The problem is that remote users can easely ssh and telnet servers in INSIDE_LAN network. Whatever i put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in REMOTE_split ACL don't work either.
View 2 Replies
View Related
Jan 13, 2013
To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
The following is a capture of the show version:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
View 8 Replies
View Related
Jul 21, 2012
I configure the virtual MAC address for a interface on ASA 5520, will enter the following command on the active unit:
failover mac address Inside 0012.3456.789a 0023.4567.89ab
The active MAC address is of the same as the Inside's burned-in MAC address of the active unit.Similarly, the standby MAC address is of the same as the Inside's burned-in MAC address of the standby unit.Do I get the effect of failover mac address command?
View 1 Replies
View Related
Dec 18, 2011
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
View 14 Replies
View Related
Jul 27, 2010
I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
I need to use 4 interfaces four data traffic
1- Inside
2- Outside
3- dmz-1
4- dmz-2
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
1- I used the management0/0 for The stateful failover.
2- I used gig 0 for outside
3- I used gig 1 for inside
4- I used gig 2 for dmz-1
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only
View 6 Replies
View Related
Sep 10, 2012
I have an ASA 5520 8.2(5) with ACS 5.1, I made the configutation of Authentication and is working well, now how I can configure the authorization and get into the privileged level 15 mode directly.
View 6 Replies
View Related
Nov 1, 2011
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
View 5 Replies
View Related
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network:
Internet access to LAN users Cisco Call Manager ExpressSite-to-stie VPN to 3rd party networksVPN server to provide VPN access to remote usersSecurity Zone configurationsStatic NAT configurations Now I recently just got the ASA5510 device and I am not sure how to go about with the setup, whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)? While i know I can move most of the config unto the ASA, i know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 3 Replies
View Related
Apr 5, 2013
I am facing a problem when configuring the ipsec vpn on my 7200 router. [code]
View 5 Replies
View Related
Apr 19, 2013
I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches.My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack) This is how I setup my remote access:
Code:
ssh 0.0.0.0 0.0.0.0 outside
View 8 Replies
View Related
Oct 21, 2007
I need to establish PPTP VPN to 877 modem/router from Internet.The VPN client is a Windows XP standard VPN client.I configured the router basing on the document: "Configuring the Cisco Router and VPN Clients Using PPTP and MPPE". url...And... It works quite nice BUT only when I use PAP protocol to authenticate the user.When I try to use 'MS-CHAP' or 'MS-CHAP v2' I get error 691 on the client side("Access was denied because the username an/or password was invalid on the doman.") [code]
View 5 Replies
View Related
Jan 30, 2012
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
View 3 Replies
View Related
Oct 19, 2012
i am working on ISE 1.1.1, surprisingly i couldn't found certificate authority certifiate at certificate operation anymore.
would it be the change on GUI? So now where i can import the CA certificate to ISE?
View 5 Replies
View Related
Jul 30, 2011
I have an hp envy 17, running windows 7 64-bit, and I'm having a problem getting a program, KalemSoft Media Streamer, to work on my laptop, so I can stream my laptop media to my HP TouchPad. I traced the problem down to windows firewall: When windows firewall is disabled, I'm fine, but I want it to work while it's enabled as well. I tried to add it to the list of exceptions but nothing seems to work. I've attached a photo of the error message, i can change the base data and control TCP ports for kalemsoft (currently 5030 and 5031.
View 10 Replies
View Related
