<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
<title>topic Re: ASA to FTD migration. Need some help with certificates in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4672489#M1092804</link>
<description>&lt;P&gt;Just to follow up. We did some tests today and used a temporary public IP on the outside interface to terminate the VPN. The first time we tested, we used this IP address in AnyConnect, but we got a certificate validation error when the client tried to connect. We then added the FQDN that we use for the VPN in the hosts file, and after that the client was able to connect. I wasn't aware that the FQDN was required for authentication with client certificates. I thought it was only necessary for the WEB/SSL cert part. Anyway, it seems like all is good now.&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;/Chess&lt;/P&gt;</description>
    <pubDate>Fri, 19 Aug 2022 12:09:31 GMT</pubDate>
    <dc:creator>Chess Norris</dc:creator>
    <dc:date>2022-08-19T12:09:31Z</dc:date>
    <item>
<title>ASA to FTD migration. Need some help with certificates</title>
      <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670475#M1092747</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;We need to migrate an ASA 5585-X to an FTD with about 1000 AnyConnect users. Authentication is done with both client certificates and Azure MFA. I am looking for some help with the steps required for doing this. I am guessing that I need to install the root certificate under Objects-&amp;gt;PKI-&amp;gt;Trusted CAs in FMC, but what more do I need to do?&lt;/P&gt;
&lt;P&gt;We have already enrolled the SSL certificate, which is a public certificate. But this is just so that the clients trust the VPN gateway and don't get the security warning.&lt;/P&gt;
&lt;P&gt;The question is about the certificates that are used to authenticate the clients. Do I need to enroll the Root CA as well? I only have a .crt file, but I think the certificate needs to be in PKCS12 format. Should I use openssl to convert the .crt to PKCS12 and then enroll it under Devices-&amp;gt;Certificates in FMC?&lt;/P&gt;
&lt;P&gt;I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.&lt;/P&gt;
&lt;P&gt;Do I also need to change anything in the AnyConnect configuration? At the moment, if I look under Devices -&amp;gt; Remote Access -&amp;gt; Access Interfaces, I only see the SSL certificate associated with the interface that AnyConnect uses.&lt;/P&gt;
&lt;P&gt;Finally, when we are going to test this on the new FTD, we will activate the VPN on one of the interfaces with a new temporary IP address before the actual migration. Would that be enough for testing? Using an IP address instead of a domain name shouldn't cause any issues?&lt;/P&gt;
&lt;P&gt;If the test doesn't work, how should we best troubleshoot this to find out what is causing the issues?&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;/Chess&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 08:27:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670475#M1092747</guid>
      <dc:creator>Chess Norris</dc:creator>
      <dc:date>2022-08-17T08:27:48Z</dc:date>
    </item>
    <item>
<title>Re: ASA to FTD migration. Need some help with certificates</title>
      <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670498#M1092749</link>
<description>&lt;P&gt;For a certificate used for a site-to-site VPN tunnel or for AnyConnect, the process is as below.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You need to install the Root CA and Sub-CA in FMC.&amp;nbsp; Objects---&amp;gt;PKI---&amp;gt;Cert Enrollment--&amp;gt;Add Cert Enrollment&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GoDaddy.PNG" style="width: 691px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/160147i5CD9153248D4353D/image-size/large?v=v2&amp;amp;px=999" role="button" title="GoDaddy.PNG" alt="GoDaddy.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now go to your ASDM on the ASA firewall. Go to Configuration---&amp;gt;Device Management--&amp;gt;Certificate Management--&amp;gt;Identity Certificates. Choose your identity certificate and export it in PKCS12 format.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Once this PKCS12 is exported to your computer, go back to FMC--Devices--Certificates--&amp;gt;Add--&amp;gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cert2.PNG" style="width: 581px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/160148i995C602694344B99/image-size/large?v=v2&amp;amp;px=999" role="button" title="Cert2.PNG" alt="Cert2.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Here you will select the firewall you want to call, and for Cert Enrollment you have to call GO-Daddy as shown in the first picture.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cert3.PNG" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/160149i7D32D005FF3D9530/image-size/large?v=v2&amp;amp;px=999" role="button" title="Cert3.PNG" alt="Cert3.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Now you have to click on the arrow as shown in the picture. It will give you a "Warning: This operation will generate a Certificate Signing Request. Do you want to continue?" Click YES.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cert4.PNG" style="width: 665px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/160151i82ECB228746D78EE/image-size/large?v=v2&amp;amp;px=999" role="button" title="Cert4.PNG" alt="Cert4.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Here you can import the Identity Certificate, the one you saved on your computer from your ASA ASDM software.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=ZZRVAFcSZCA" target="_self"&gt;Here&lt;/A&gt; the Cisco YouTube channel has provided a detailed configuration of certificate-based AnyConnect on FTD managed by FMC.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.&lt;/P&gt;
&lt;P&gt;You cannot export the Root CA, but if you have a public CA you can always get the public CA from their website. For example, you can check the Root CA serial number from the ASA command line: "show crypto ca certificate GO-Daddy"&lt;/P&gt;
&lt;P&gt;Status: Available&lt;BR /&gt;Certificate Serial Number: 083be056904246b1a1756ac95991c74a&lt;BR /&gt;Certificate Usage: Signature&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Once you have this serial number you can find the cert-root-ca on the CA website and import it into your FMC.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 09:24:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670498#M1092749</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2022-08-17T09:24:24Z</dc:date>
    </item>
    <item>
<title>Re: ASA to FTD migration. Need some help with certificates</title>
      <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670903#M1092753</link>
<description>&lt;P&gt;Thanks. So in order to get the client VPN connection to work, &lt;SPAN&gt;it should be enough to enroll the CA Root certificate to properly validate the certificate of the connecting client?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;/Chess&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 13:08:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670903#M1092753</guid>
      <dc:creator>Chess Norris</dc:creator>
      <dc:date>2022-08-17T13:08:18Z</dc:date>
    </item>
    <item>
<title>Re: ASA to FTD migration. Need some help with certificates</title>
      <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670913#M1092755</link>
<description>&lt;P&gt;Correct. As long as you have the Root-CA and Sub-CA in your FMC, and you have imported the Identity Certificate from your ASA firewall and hosted it on your FTD (in PKCS12 format), you are good.&lt;/P&gt;
&lt;P&gt;I have done so many VPN-tunnel FTD certificates, so that is how I have done it on our FMC.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Having said that, I assume your AnyConnect configuration is pointing to the new trust point. You can double-check this on the FTD CLI by giving the command "show run ssl"&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 13:19:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4670913#M1092755</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2022-08-17T13:19:57Z</dc:date>
    </item>
    <item>
<title>Re: ASA to FTD migration. Need some help with certificates</title>
      <link>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4672489#M1092804</link>
<description>&lt;P&gt;Just to follow up. We did some tests today and used a temporary public IP on the outside interface to terminate the VPN. The first time we tested, we used this IP address in AnyConnect, but we got a certificate validation error when the client tried to connect. We then added the FQDN that we use for the VPN in the hosts file, and after that the client was able to connect. I wasn't aware that the FQDN was required for authentication with client certificates. I thought it was only necessary for the WEB/SSL cert part. Anyway, it seems like all is good now.&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;/Chess&lt;/P&gt;</description>
      <pubDate>Fri, 19 Aug 2022 12:09:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-to-ftd-migration-need-som-help-with-certificates/m-p/4672489#M1092804</guid>
      <dc:creator>Chess Norris</dc:creator>
      <dc:date>2022-08-19T12:09:31Z</dc:date>
    </item>
  </channel>
</rss>