This section demonstrates how to configure the Cisco ASA to terminate Cisco VPN client IPSec connections using certificates. The configuration steps to configure remote-access VPNs using preshared keys are covered in Chapter 16, "Remote Access VPNs." Figure 17-7 illustrates the topology and components used in the following example.
Figure 17-7. Remote-Access VPN Using Certificates
In Figure 17-7, remote-access users using the Cisco VPN Client connect to the Cisco ASA to access the corporate internal resources in Chicago. The clients and the Cisco ASA obtain certificates from the CA server 209.165.202.130. The steps necessary to enroll the Cisco ASA to the CA server are the same as those demonstrated previously in this chapter. The following subsection demonstrates how to enroll the Cisco VPN Client with the CA server.
Enrolling the Cisco VPN Client
The Cisco VPN Client has the ability to enroll to a CA server via either SCEP or manual (file-based) enrollment. Click the Certificates tab on the VPN Client to configure the enrollment parameters. Figure 17-8 shows the Certificates tab of the Cisco VPN Client.
Figure 17-8. Cisco VPN Client Certificates Tab
Note
The Certificates tab toolbar is only viewable in advanced mode. Running the VPN Client in simple mode will not show these options. To change from simple mode to advanced mode, choose Options > Advanced Mode.
Note
To enroll and manage personal certificates in Cisco VPN Client version 3.x and earlier, use the Certificate Manager application included with the Client. This section concentrates on versions 4.x and later.
The Cisco VPN Client toolbar displays the tasks you can execute from the Certificates tab. Table 17-3 lists all the toolbar options and their usage.
| Option | Description |
|---|---|
| View | Shows the details of a selected certificate. Information includes validity period, issuer information, and distinguished name information such as CN, OU, O, etc. |
| Import | Used to import a certificate from a file or certificate store. |
| Export | Used to export a selected certificate. |
| Enroll | Used to begin the enrollment process. |
| Verify | Used to check if the selected certificate is valid (not expired). |
| Delete | Deletes the selected certificate or certificate request. |
SCEP provides an easy mechanism to enroll the Cisco VPN Client. The following are the necessary steps to enroll the Cisco VPN Client via SCEP.
Step 1. Click the Enroll button on the toolbar. The VPN Client Certificate Enrollment window is displayed, as shown in Figure 17-9.

Figure 17-9. Cisco VPN Client Certificate Enrollment Window

Step 2. Select Online as the certificate enrollment type.

Step 3. Enter the CA URL, domain, and challenge password (if applicable) and click Next. Various CA servers require the user to provide a password during enrollment. The Cisco VPN Client allows you to enter the password in the Challenge Password field. This password is provided by the CA administrator. The New Password option is used for the password that protects this certificate. If your connection entry requires certificate authentication, you must enter this password each time you connect.

Step 4. The VPN Client Certificate Enrollment information form is displayed, as shown in Figure 17-10.

Figure 17-10. Cisco VPN Client Certificate Enrollment Form

This form allows you to enter the information to be included in the certificate request. After you enter the necessary information, click Enroll to send the certificate enrollment request to the CA server via SCEP. The following are the parameters you can specify on the certificate request:

- Name [CN]: The unique common name (CN) for the user certificate. This can be the name of a user, system, or other entity. This field is required. The CN of RemoteUser is used in this example.
  Note: By default, the Cisco ASA matches the OU with the VPN group name. Other DN fields can also be used for this purpose.
- Company [O]: The name of the company or organization to which the user belongs. secureme is used in this example.
- State [ST]: The name of the state. Illinois (IL) is used in this example.
- Country [C]: A two-letter country code. US is used in this example.
- Email [E]: The user's e-mail address (nobody@securemeinc.com is used in this example).
- IP Address: The IP address of the user's system. It is recommended that you do not use this field if the system's IP address will change (for example, DHCP).
- Domain: The domain name to which the user's system belongs. This example uses securemeinc.com.

Step 5. The Cisco VPN Client sends the enrollment request to the CA server. After the certificate is granted, the Cisco VPN Client stores it in the Cisco certificate store, as shown in Figure 17-11.

Figure 17-11. Cisco VPN Client Certificate Information
Configuring the Cisco ASA
Complete the following steps after you have enrolled the Cisco ASA to the CA server. Example 17-23 shows the ISAKMP policy configuration of the Cisco ASA.
Example 17-23. ISAKMP Policy for Remote-Access VPN
```
isakmp identity hostname
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
```
The line isakmp policy 1 authentication rsa-sig in Example 17-23 sets the ISAKMP authentication type to rsa-sig for certificate authentication.
Example 17-24 shows the crypto map configuration to dynamically terminate remote-access VPN client connections.
Example 17-24. Dynamic Crypto Map Configuration for Remote-Access VPN
```
crypto ipsec transform-set chicagotrans esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set chicagotrans
crypto map chicagomap 65525 ipsec-isakmp dynamic dynmap
crypto map chicagomap interface outside
```
The commands in Example 17-24 are the same as those covered in Chapter 16 while using preshared keys. Example 17-25 demonstrates the VPN tunnel-group configuration parameters.
Example 17-25. Tunnel-Group Configuration for Remote-Access VPN
```
tunnel-group SALES type ipsec-ra
tunnel-group SALES general-attributes
 address-pool ippool
 authentication-server-group LOCAL
tunnel-group SALES ipsec-attributes
 peer-id-validate cert
 trust-point chicago
```
The peer-id-validate cert line in Example 17-25 makes the Cisco ASA validate the identity of the VPN client using the peer's certificate. The trust-point chicago line associates the group with the configured trustpoint.
The name of the VPN group in Example 17-25 is SALES. This matches the OU value from the client's certificate. By default, the Cisco ASA binds the client connection to a specific group using the OU value. However, you can use any DN certificate information to associate the client to a respective group. This is similar to the Cisco VPN 3000 Concentrator certificate DN matching feature.
To configure the Cisco ASA to associate a VPN client connection using the peer's certificate DN information, you can use the tunnel-group-map command in combination with a certificate map. Example 17-26 demonstrates how to configure the Cisco ASA to associate any VPN client whose certificate has an e-mail address containing securemeinc.com with the VPN group named SALES.
Example 17-26. DN Matching Example
```
crypto ca certificate map 10
! A certificate map is created with a sequence number of 10.
 subject-name attr ea co securemeinc.com
! The Cisco ASA is configured to match the email address (ea) of the client's
! certificate. Any certificate that contains securemeinc.com in the email address
! field will be associated with the specified group.
tunnel-group-map enable rules
! A tunnel-group-map is enabled to match the previously defined rules.
tunnel-group-map 10 SALES
! The certificate map 10 is associated with the VPN group SALES.
```
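To make the selection logic of Example 17-26 concrete, here is an added Python simulation (not code from the book or from Cisco) of how a client's certificate DN is mapped to a tunnel group: first by ordered certificate-map rules, or, in the default mode, by the OU field. The DN strings, the Rule class, the "mode" switch, case-insensitive comparison, the treatment of a missing attribute as a non-match, and the fallback to DefaultRAGroup are assumptions made for this illustration.

```python
# Added example (not code from the book or from Cisco): simulates how the ASA
# picks a tunnel group from a VPN client's certificate DN, first by the
# certificate-map rules of Example 17-26, otherwise by the OU field.
from dataclasses import dataclass


@dataclass
class Rule:
    """One 'subject-name attr <tag> <op> <value>' line plus its tunnel-group-map binding."""
    seq: int      # certificate map sequence number (rules are evaluated in this order)
    attr: str     # DN attribute tag, e.g. "ea", "ou", "cn"
    op: str       # ASA operators: eq (equal), ne (not equal), co (contains), nc (does not contain)
    value: str
    group: str    # tunnel group named in 'tunnel-group-map <seq> <group>'


# Constructed rule set mirroring Example 17-26: map 10 -> SALES.
RULES = [Rule(seq=10, attr="ea", op="co", value="securemeinc.com", group="SALES")]


def parse_dn(dn: str) -> dict:
    """Parse 'CN=RemoteUser, OU=SALES, ...' into a lower-cased tag -> value dict."""
    attrs = {}
    for part in dn.split(","):
        tag, sep, value = part.partition("=")
        if sep:  # ignore fragments that are not tag=value
            attrs[tag.strip().lower()] = value.strip()
    return attrs


def rule_matches(rule: Rule, attrs: dict) -> bool:
    """Apply one rule. Assumed: comparison is case-insensitive and a DN that
    lacks the attribute never matches."""
    if rule.attr not in attrs:
        return False
    actual, wanted = attrs[rule.attr].lower(), rule.value.lower()
    return {"eq": actual == wanted, "ne": actual != wanted,
            "co": wanted in actual, "nc": wanted not in actual}[rule.op]


def select_tunnel_group(dn: str, rules, mode="rules", chain_valid=True,
                        default_group="DefaultRAGroup"):
    """Return (group, reason). mode is 'rules' (tunnel-group-map enable rules)
    or 'ou' (the default OU binding). The DN is only consulted once the
    certificate chain has validated against the trustpoint (peer-id-validate cert)."""
    if not chain_valid:
        return None
    attrs = parse_dn(dn)
    if mode == "rules":
        for rule in sorted(rules, key=lambda r: r.seq):
            if rule_matches(rule, attrs):
                return rule.group, f"certificate map {rule.seq}"
    elif "ou" in attrs:
        return attrs["ou"], "OU"
    return default_group, "default"
```

The chain_valid guard is the point a reviewer should insist on: DN matching assigns policy, but only a certificate that chains to the configured trustpoint may be trusted to carry that DN.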
The following are all the available DN attributes:
The following are the operands that can be used with the subject-name subcommand under the certificate map: