ASDM supports VPN tunnels that use RSA signatures (PKI) for IKE authentication. Before such a site-to-site tunnel can be set up, the CA (root) certificate and the identity certificate of the Cisco ASA must already be installed, so that ASDM can select them for the tunnel. If the certificates are not yet installed on the Cisco ASA, follow the steps in this section to retrieve both the root and the identity certificate from the certificate authority (CA). Figure 21-11 illustrates two Cisco ASAs set up for a site-to-site tunnel using PKI. The CA server is reachable through the outside interfaces of both Cisco ASAs, at 22.214.171.124.
Figure 21-11. Site-to-Site Tunnel Using PKI
Most steps in setting up a site-to-site tunnel using PKI are identical to those discussed in the previous section. The following steps are used to retrieve the certificates from a CA server:
Generate the RSA keys.
Figure 21-12. Generating the RSA Keys
Configure the trustpoint.
Figure 21-13. Setting Up an Enrollment URL
Each CA server vendor uses a different enrollment URL; consult the CA server documentation for the correct syntax. You can optionally set the Fully Qualified Domain Name (FQDN) and the Distinguished Name (DN) that will appear in the certificate request. Click the Certificate Parameters button to specify the FQDN, the DN, or both, as shown in Figure 21-14, where a DN with a Common Name (CN) attribute of Chicago is being configured.
Figure 21-14. Specifying a DN
Set up CRLs.
Figure 21-15. Specifying the CDP
Cisco ASA supports three protocols for retrieving the CRL from the CA servers:
- HTTP
- LDAP
- SCEP
Click the CRL Retrieval Method tab to select at least one of the protocols. In Figure 21-16, the administrator is using HTTP and SCEP as the CRL retrieval protocols.
Figure 21-16. Specifying the CRL Retrieval Protocols
The Advanced tab enables you to specify the CRL checking and caching timers. You can choose to require CRL checking for all received certificates, as shown in Figure 21-17; with this setting, a peer certificate is rejected whenever a valid CRL cannot be obtained, rather than being accepted unchecked. In this example, the administrator has also enabled Enforce Next CRL Update, which rejects any CRL whose Next Update field is missing or already in the past, so that a stale CRL cannot be replayed to hide a revocation.
Figure 21-17. Setting Advanced Trustpoint Attributes
Authenticate and enroll with the CA server.
Figure 21-18. Requesting Root Certificate
To request an identity certificate, choose Configuration > Features > Device Administration > Certificate > Enrollment and click Enroll, as shown in Figure 21-19.
Figure 21-19. Requesting Identity Certificate
Always compare the fingerprint that Cisco ASA displays for the received CA certificate with the fingerprint published by, or read directly from, the CA server before accepting it. The CA certificate is retrieved over an unauthenticated channel (SCEP enrollment runs over plain HTTP), so a matching fingerprint is the only assurance that the certificate is the genuine CA certificate and has not been substituted in transit. A wrong CA certificate accepted at this step would cause the Cisco ASA to trust every certificate issued by an attacker-controlled CA.
Select a certificate for the site-to-site tunnel.
Figure 21-20. Selecting Certificates for VPN Tunnels
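The same five steps, expressed as the equivalent Cisco ASA CLI configuration. This is an added example and not configuration from the book or from Cisco; it assumes the ASA 7.x command syntax of this chapter, a trustpoint named CHICAGO-CA, a key pair named CHICAGO-KEY, a Microsoft-style SCEP enrollment path on the CA at 22.214.171.124 (the enrollment path and the CRL URL vary by CA vendor, as noted above), an FQDN of chicago.example.com, and a remote peer at 198.51.100.2. The access list, transform set, and crypto map names are placeholders carried over from the previous section's style.

```cisco
! Step 1: generate the RSA key pair that the identity certificate will bind to
crypto key generate rsa label CHICAGO-KEY modulus 2048
!
! Step 2: trustpoint with the SCEP enrollment URL and the certificate parameters
! (enrollment path below is an assumed Microsoft CA path; adjust for your CA)
crypto ca trustpoint CHICAGO-CA
 enrollment url http://22.214.171.124/certsrv/mscep/mscep.dll
 fqdn chicago.example.com
 subject-name CN=Chicago
 keypair CHICAGO-KEY
 !
 ! Step 3: CRL checking is mandatory for every received certificate
 ! (the CLI form of "Require CRL checking" on the Advanced tab)
 crl required
 crl configure
  ! use the CDP embedded in the peer certificate and the static URL below
  policy both
  url 1 http://22.214.171.124/CertEnroll/ca.crl
  protocol http
  protocol scep
  ! reject CRLs with a missing or already-passed Next Update value
  enforcenextupdate
  ! cached CRL lifetime in minutes (assumed value)
  cache-time 60
!
! Step 4: fetch the CA certificate and the identity certificate.
! Supplying the fingerprint read from the CA server makes the ASA refuse
! any CA certificate whose fingerprint differs, instead of relying on the
! administrator to eyeball the value at the interactive prompt.
crypto ca authenticate CHICAGO-CA fingerprint <fingerprint-read-from-the-CA>
crypto ca enroll CHICAGO-CA
!
! Step 5: use the certificate for the site-to-site tunnel.
! IKE phase 1 authenticates with RSA signatures instead of a preshared key.
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
!
! the trustpoint selected here is the one whose identity certificate the ASA
! presents to the peer (the CLI form of Figure 21-20)
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 trust-point CHICAGO-CA
!
! the remaining phase 2 pieces are unchanged from the preshared-key case
access-list L2L-CHICAGO-NEWYORK extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-CHICAGO-NEWYORK
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
```

After enrollment, `show crypto ca certificates` (exec mode) lists both the CA certificate and the identity certificate with their subject, issuer, and validity dates, and `show crypto ca crls` shows the CRL that was retrieved and its Next Update time; if the identity certificate is missing, the enrollment request was not approved or the SCEP URL is wrong, and the tunnel will fail at IKE phase 1 with a certificate error rather than silently falling back to another method.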