Site-to-Site VPN Setup Using PKI

ASDM supports VPN tunnels using RSA signatures (PKI) for IKE authentication. Before a site-to-site tunnel can be set up, ASDM must have knowledge of the preinstalled certificates. If certificates are not installed on Cisco ASA, you need to follow the steps discussed in this section to retrieve both root and identity certificates from the certificate authority (CA). Figure 21-11 illustrates two Cisco ASA set up for a site-to-site tunnel using PKI. The CA server resides on the outside interfaces of Cisco ASA at

Figure 21-11. Site-to-Site Tunnel Using PKI

Most steps in setting up a site-to-site tunnel using PKI are identical to those discussed in the previous section. The following steps are used to retrieve the certificates from a CA server:

Step 1.

Generate the RSA keys.

If Cisco ASA does not have RSA keys generated, or if you want to create new keys, choose Configuration > Features > Device Administration > Certificate > Key Pair and click Add to create a new set of keys, as shown in Figure 21-12. ASDM prompts you to specify a label for the keys or to use the default RSA key name. Additionally, you can select the modulus size and the usage of the key. A modulus size of 1024 bits is selected in this example.

Figure 21-12. Generating the RSA Keys


Step 2.

Configure the trustpoint.

The next step after generating the RSA keys is to configure the PKI trustpoint. A trustpoint declares a CA server and creates a device identity based on the certificate issued by the CA. Choose Configuration > Features > Device Administration > Certificate > Trustpoint > Configuration to create a trustpoint. Click Add to define a trustpoint, called ChicagoPKI in the example, and go through the enrollment process, as shown in Figure 21-13. In the Key Pair field, the administrator is using the default RSA keys that were generated in Step 1. The enrollment mode is set to automatic, in which Cisco ASA submits a PKI request dynamically using the Simple Certificate Enrollment Protocol (SCEP). The enrollment URL guides Cisco ASA to submit the request at

Figure 21-13. Setting Up an Enrollment URL



Each CA server vendor uses a different enrollment URL. Please consult the CA server documentation for the correct syntax.

You can optionally set the Fully Qualified Domain Name (FQDN) and Distinguished Name (DN) for the certificates. Click the Certificate Parameters button to specify the FQDN or DN or both, as shown in Figure 21-14, where a DN with an attribute of Common Name (CN) Chicago is being configured.

Figure 21-14. Specifying a DN


Step 3.

Set up CRLs.

A certificate revocation list (CRL) is a list of all the certificates that have been revoked by the CA server's administrator. Cisco ASA can use this list to validate a certificate received from the VPN peer. If the received certificate has already been revoked, Cisco ASA denies the IKE negotiation. Cisco ASA can either use the CRL distribution point (CDP) from the certificate or use the statically configured one. In Figure 21-15, Cisco ASA is relying on the CDP embedded in the certificate.

Figure 21-15. Specifying the CDP

Cisco ASA supports three protocols for retrieving the CRL from the CA servers:




Click the CRL Retrieval Method tab to select at least one of the protocols. In Figure 21-16, the administrator is using HTTP and SCEP as the CRL retrieval protocols.

Figure 21-16. Specifying the CRL Retrieval Protocols

The Advanced tab enables you to specify the CRL checking and caching timers. You can choose to require CRL checking for all the received certificates, as shown in Figure 21-17. In this example, the administrator has also enabled Enforce Next CRL Update, which requires having a valid and nonexpired next update value.

Figure 21-17. Setting Advanced Trustpoint Attributes


Step 4.

Authenticate and enroll in the CA server.

For a successful PKI implementation, Cisco ASA needs to receive both the root certificate and the identity certificate from the CA server. Choose Configuration > Features > Device Administration > Certificate > Authentication to request the root certificate. Click Authenticate after selecting the configured trustpoint to submit a request, as shown in Figure 21-18.

Figure 21-18. Requesting Root Certificate

To request an identity certificate, choose Configuration > Features > Device Administration > Certificate > Enrollment and click Enroll, as shown in Figure 21-19.

Figure 21-19. Requesting Identity Certificate



It is recommended to verify the fingerprint of the received CA certificate with the fingerprint on the CA server to ensure that the CA certificate has not been compromised.

Step 5.

Select a certificate for the site-to-site tunnel.

Once the CA administrator approves the requested certificate, Cisco ASA loads it in flash and allows it to be used for the VPN connections. Using the site-to-site VPN Wizard, you can select an available certificate for IKE authentication in the Remote Site Peer window, as shown in Figure 21-20.

Figure 21-20. Selecting Certificates for VPN Tunnels


Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: