topic SCEP through ASA L2L VPN in VPN

SCEP through ASA L2L VPN

Michael Dombek — Thu, 06 Jun 2013 09:55:53 GMT

Dear all,

i’ve just hit an odd problem with an ASA | PKI | VPN Tunnel setup.

I tried to connect a remote ASA to a central pki server using SCEP.

The setup looks like this:

ASA-Remote <===L2L-VPN===> ASA-Central --- PKI Server

The ASA remote has a trustpoint configured using the ip address of the PKI Server

crypto ca trustpoint pki

revocation-check crl

enrollment url http://192.168.191.5:8080/xxxx

serial-number

crl configure

Capturing the ASA-Remote outside interface I can se that the ASA-Remote is sending pakets to the PKI-Server

<publicIP-ASA-REMOTE>.15252 > 192.168.191.5.8080

This indicates to me that the ASA is not using the VPN Tunnel between ASA-Remote and ASA-Central for this communication.

Any Ideas how to fix this issue?

Cheers and thanks Michael

SCEP through ASA L2L VPN

Jouni Forss — Thu, 06 Jun 2013 10:21:15 GMT

Hi,

Just commenting with regards getting the ASA to tunnel the connections it generates.

If your purpose is just to tunnel some traffic from the actual remote ASA device to a server on the other site then I guess you could considering adding the remote ASA public IP address to the crypto ACL. Since it seems that the ASA is just using the source address of the interface behind which the routing table is telling the destination address is found on?

I guess you would need something like (presuming software levels, ACL names, interface names etc)

Remote

access-list L2LVPN permit ip host host

Central

access-list L2LVPN permit ip host host

access-list INSIDE-NAT0 permit ip host host

nat (inside) 0 access-list INSIDE-NAT0

This would ofcourse make it impossible for the server to be in connection with the remote ASA in any other way than the L2L VPN. Then again I am not sure if that is any problem.

I would imagine this should be possible since SNMP, Syslog sending etc can be done in the same way.

- Jouni

SCEP through ASA L2L VPN

Michael Dombek — Thu, 06 Jun 2013 10:50:06 GMT

Hey Jouni,

first of all thanks for your response and yes you've tracked my problem correct

I thought about your solution, but I'm not sure that it works because (as far as i remember) for logging and snmp to work you have to configure, that the (remote) syslog / SNMP server is locatet behind the inside interface to make encr. work.

But you don't have an option saying where the trustpoint is located.

I'll of course give it a try in my lab and update everyone on that issuee

Thanks again

Michael

SCEP through ASA L2L VPN

Jouni Forss — Thu, 06 Jun 2013 10:59:52 GMT

Hi,

I configured/tested the SNMP and Logging (+L2LVPN) once for someone asking here on the forums.

I will see if I can find the thread from the CSC.

But in short, I had defined the ASA to use the "outside" interface in both logging and snmp configurations.

- Jouni

Re: SCEP through ASA L2L VPN

Jouni Forss — Thu, 06 Jun 2013 11:01:07 GMT

Good thing we have Google. Faster to find the thread through there

Here is the thread I mentioned

https://supportforums.cisco.com/thread/2141385

EDIT: Actually it seems that this thread is also linked to another one

- Jouni