Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates

This section demonstrates how to configure the Cisco ASA to terminate Cisco VPN client IPSec connections using certificates. The configuration steps to configure remote-access VPNs using preshared keys are covered in Chapter 16, "Remote Access VPNs." Figure 17-7 illustrates the topology and components used in the following example.

Figure 17-7. Remote-Access VPN Using Certificates

In Figure 17-7, remote-access users running the Cisco VPN Client connect to the Cisco ASA to access the corporate internal resources in Chicago. The clients and the Cisco ASA obtain certificates from the CA server. The steps necessary to enroll the Cisco ASA with the CA server are the same as those demonstrated previously in this chapter. The following subsection demonstrates how to enroll the Cisco VPN Client with the CA server.

Enrolling the Cisco VPN Client

The Cisco VPN Client can enroll with a CA server via either SCEP or manual (file-based) enrollment. Click the Certificates tab on the VPN Client to configure the enrollment parameters. Figure 17-8 shows the Certificates tab of the Cisco VPN Client.

Figure 17-8. Cisco VPN Client Certificates Tab


The Certificates tab toolbar is only viewable in advanced mode. Running the VPN Client in simple mode will not show these options. To change from simple mode to advanced mode, choose Options > Advanced Mode.


To enroll and manage personal certificates in Cisco VPN Client version 3.x and earlier, use the Certificate Manager application included with the Client. This section concentrates on versions 4.x and later.

The Cisco VPN Client toolbar displays the tasks you can execute from the Certificates tab. Table 17-3 lists all the toolbar options and their usage.

Table 17-3. Cisco VPN Client Certificates Tab Toolbar Options

  • Shows the details of a selected certificate. Information includes validity period, issuer information, and distinguished name information such as CN, OU, O, etc.
  • Used to import a certificate from a file or certificate store.
  • Used to export a selected certificate.
  • Used to begin the enrollment process.
  • Used to check whether the selected certificate is valid (not expired).
  • Deletes the selected certificate or certificate request.

SCEP provides an easy mechanism to enroll the Cisco VPN Client. The following are the necessary steps to enroll the Cisco VPN Client via SCEP.

Step 1.

Click the Enroll button on the toolbar. The VPN Client Certificate Enrollment window is displayed, as shown in Figure 17-9.

Figure 17-9. Cisco VPN Client Certificate Enrollment Window


Step 2.

Select Online as the certificate enrollment type.

Step 3.

Enter the CA URL, domain, and challenge password (if applicable) and click Next. Many CA servers require the user to provide a password during enrollment; the Cisco VPN Client lets you enter it in the Challenge Password field. This password is provided by the CA administrator. The New Password option sets the password that protects this certificate. If your connection entry requires certificate authentication, you must enter this password each time you connect.

Step 4.

The VPN Client Certificate Enrollment information form is displayed, as shown in Figure 17-10.

Figure 17-10. Cisco VPN Client Certificate Enrollment Form

This form allows you to enter the information to be included in the certificate request. After you enter the necessary information, click Enroll to send the certificate enrollment request to the CA server via SCEP. The following are the parameters you can specify on the certificate request:

- Name [CN] The unique common name (CN) for the user certificate. This can be the name of a user, system, or other entity. This field is required. The CN of RemoteUser is used in this example.

- Department [OU] Usually the name of the department to which the user belongs. SALES is used in this example.


By default, the Cisco ASA matches the OU with the VPN group name. Other DN fields can also be used for this purpose.

- Company [O] The name of the company or organization to which the user belongs. secureme is used in this example.

- State [ST] The name of the state. Illinois (IL) is used in this example.

- Country [C] A two-letter country code. US is used in this example.

- Email [E] User's e-mail address ( is used in this example).

- IP Address The IP address of the user's system. It is recommended that you do not use this field if the system's IP address will change (for example, DHCP).

- Domain The domain name to which the user's system belongs. This example uses

Step 5.

The Cisco VPN Client sends the enrollment request to the CA server. After the certificate is granted, the Cisco VPN Client stores it on the Cisco certificate store, as shown in Figure 17-11.

Figure 17-11. Cisco VPN Client Certificate Information


Configuring the Cisco ASA

Complete the following steps after you have enrolled the Cisco ASA to the CA server. Example 17-23 shows the ISAKMP policy configuration of the Cisco ASA.

Example 17-23. ISAKMP Policy for Remote-Access VPN

isakmp identity hostname

isakmp enable outside

isakmp policy 1 authentication rsa-sig

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

The line isakmp policy 1 authentication rsa-sig in Example 17-23 shows how the ISAKMP authentication type is set to rsa-sig for certificate authentication.

Example 17-24 shows the crypto map configuration to dynamically terminate remote-access VPN client connections.

Example 17-24. Dynamic Crypto Map Configuration for Remote-Access VPN

crypto ipsec transform-set chicagotrans esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10 set transform-set chicagotrans

crypto map chicagomap 65525 ipsec-isakmp dynamic dynmap

crypto map chicagomap interface outside

The commands in Example 17-24 are the same as those covered in Chapter 16 while using preshared keys. Example 17-25 demonstrates the VPN tunnel-group configuration parameters.

Example 17-25. Tunnel-Group Configuration for Remote-Access VPN

tunnel-group SALES type ipsec-ra

tunnel-group SALES general-attributes

 address-pool ippool

 authentication-server-group LOCAL

tunnel-group SALES ipsec-attributes

 peer-id-validate cert

 trust-point chicago

The peer-id-validate cert line in Example 17-25 makes the Cisco ASA validate the identity of the VPN client using the peer's certificate. The trust-point chicago line associates the group with the configured trustpoint.

The name of the VPN group in Example 17-25 is SALES. This matches the OU value from the client's certificate. By default, the Cisco ASA binds the client connection to a specific group using the OU value. However, you can use any DN certificate information to associate the client to a respective group. This is similar to the Cisco VPN 3000 Concentrator certificate DN matching feature.

To configure the Cisco ASA to associate a VPN client connection with a group using the peer's certificate DN information, use the tunnel-group-map command in combination with a certificate map. Example 17-26 demonstrates how to configure the Cisco ASA to associate any VPN client whose certificate has an e-mail address containing to the VPN group named SALES.

Example 17-26. DN Matching Example

crypto ca certificate map 10
! A certificate map is created with a sequence number of 10.
 subject-name attr ea co
! The Cisco ASA is configured to match the e-mail address (ea) of the client's
! certificate. Any certificate that contains in the e-mail address
! field will be associated with the specified group.
tunnel-group-map enable rules
! Tunnel-group mapping is enabled to match the previously defined rules.
tunnel-group-map 10 SALES
! Certificate map 10 is associated with the VPN group SALES.

The following are all the DN attributes available for matching:

  • c Country
  • cn Common name
  • dnq DN qualifier
  • ea E-mail address
  • genq Generational qualifier
  • gn Given name
  • i Initials
  • ip IP address
  • l Locality
  • n Name
  • o Organization name
  • ou Organizational unit
  • ser Serial number
  • sn Surname
  • sp State/province
  • t Title
  • uid User ID
  • uname Unstructured name

The following are the operands that can be used with the subject-name subcommand under the certificate map:

  • co Contains
  • eq Equal
  • nc Does not contain
  • ne Not equal
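To make the group-selection logic of Examples 17-25 and 17-26 concrete, the following Python models how a client certificate's subject DN is mapped to a tunnel group: certificate-map rules built from the subject-name operands listed above (co, eq, nc, ne), tried in sequence order when tunnel-group-map enable rules is set, with the default OU-to-group match as the fallback. This is an added example, not Cisco code or ASA behaviour copied from the appliance: the DN string parsing, the case-insensitive comparison, the requirement that every rule in a map entry match, and the rules-before-OU evaluation order are assumptions of this model, and the e-mail domain example.com stands in for the value that Example 17-26 omits.

```python
"""Model of Cisco ASA tunnel-group selection from a certificate subject DN.

Added example (not Cisco's code). Assumptions: subject-name operands are
compared case-insensitively, all rules in one certificate map entry must
match, and rule matching is tried before the default OU match.
"""
from dataclasses import dataclass

# Map DN short names as they appear in the VPN Client enrollment form
# ([CN], [OU], [O], [ST], [C], [E]) to the ASA attribute names listed above.
ASA_ATTR_NAMES = {
    "cn": "cn", "ou": "ou", "o": "o", "st": "sp", "c": "c", "e": "ea",
    "l": "l", "sn": "sn", "gn": "gn", "t": "t", "uid": "uid", "n": "n",
}


@dataclass
class SubjectRule:
    attr: str    # ASA DN attribute name, e.g. "ea", "ou", "cn"
    op: str      # co | eq | nc | ne
    value: str


@dataclass
class CertificateMap:
    seq: int
    rules: list  # SubjectRule entries; all must match (assumption)


def parse_subject_dn(dn: str) -> dict:
    """Parse 'CN=RemoteUser, OU=SALES, ...' into ASA attribute names.

    Simplified parser: values containing commas are not supported.
    """
    subject = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        asa_name = ASA_ATTR_NAMES.get(key.strip().lower())
        if asa_name:
            subject[asa_name] = value.strip()
    return subject


def rule_matches(rule: SubjectRule, subject: dict) -> bool:
    """Apply one subject-name operand to the parsed subject DN."""
    actual = subject.get(rule.attr, "").lower()
    wanted = rule.value.lower()
    if rule.op == "co":
        return wanted in actual
    if rule.op == "eq":
        return actual == wanted
    if rule.op == "nc":
        return wanted not in actual
    if rule.op == "ne":
        return actual != wanted
    raise ValueError(f"unknown operand: {rule.op}")


def select_tunnel_group(dn, cert_maps, tunnel_group_map, configured_groups,
                        rules_enabled=True):
    """Return the tunnel-group name for a client DN, or None if nothing matches.

    cert_maps: list of CertificateMap; tunnel_group_map: {seq: group name}
    (the tunnel-group-map <seq> <group> lines); configured_groups: names of
    defined tunnel-groups, used for the default OU match.
    """
    subject = parse_subject_dn(dn)
    if rules_enabled:
        for cmap in sorted(cert_maps, key=lambda m: m.seq):
            if cmap.seq not in tunnel_group_map:
                continue
            if all(rule_matches(r, subject) for r in cmap.rules):
                return tunnel_group_map[cmap.seq]
    # Default behaviour: the OU of the certificate names the group.
    ou = subject.get("ou")
    if ou in configured_groups:
        return ou
    return None  # the appliance's default-group fallback is not modelled


# Constructed configuration mirroring Example 17-26, with example.com as the
# placeholder e-mail domain.
CERT_MAPS = [CertificateMap(10, [SubjectRule("ea", "co", "example.com")])]
TUNNEL_GROUP_MAP = {10: "SALES"}
CONFIGURED_GROUPS = {"SALES"}

# Constructed sample subject DNs.
SALES_USER_DN = "CN=RemoteUser, OU=SALES, O=secureme, ST=IL, C=US, E=remoteuser@example.com"
ENG_USER_DN = "CN=Contractor, OU=ENG, O=partner, ST=IL, C=US, E=c@partner.test"
SALES_OTHER_MAIL_DN = "CN=Other, OU=SALES, O=secureme, ST=IL, C=US, E=o@partner.test"

if __name__ == "__main__":
    for name, dn in [("sales", SALES_USER_DN), ("eng", ENG_USER_DN),
                     ("sales/other mail", SALES_OTHER_MAIL_DN)]:
        group = select_tunnel_group(dn, CERT_MAPS, TUNNEL_GROUP_MAP, CONFIGURED_GROUPS)
        print(f"{name}: {group}")
```

The contractor DN shows the failure mode worth checking in a real deployment: its e-mail address does not satisfy map 10 and its OU (ENG) names no configured group, so the model returns None, whereas a user with a SALES OU but a non-matching e-mail address still lands in SALES through the default OU match. If the intent is that only the certificate-map rule grants access to SALES, the OU fallback has to be taken into account when reviewing the tunnel-group-map configuration.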

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006