https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955347#M144633 <P>Hi Daniel,</P> <P>&nbsp;</P> <P>Please note that there was an enhancement request filed for this and the support for source interface based enrollment has been introduced in ASA software version 9.5(1).</P> <P>Please find the release notes for the same below. In the release notes, it is mentioned that ‘enrollment source’ has been introduced in 9.5(1).</P> <P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html</A></P> <P>I have verified this in my lab and see the following ’interface’ option on ASA version 9.5 for specifying the enrollment source interface –</P> <P>epicfw01-a/admin(config-ca-trustpoint)# enrollment ?</P> <P>crypto-ca-trustpoint mode commands/options:</P> <P>&nbsp; interface&nbsp; Configure source interface</P> <P>&nbsp; retry&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Polling parameters</P> <P>&nbsp; self&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Enrollment will generate a self-signed certificate</P> <P>&nbsp; terminal&nbsp;&nbsp; Enroll via the terminal (cut-and-paste)</P> <P>&nbsp; url&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CA server enrollment URL</P> <P>Now, I understand you are using ASA 5505. Since the highest software version supported on ASA 5505 is 9.1(7), you may need a hardware upgrade to utilize this feature.</P> <P>Hope it helps.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Deepika Mahankali</P> <P>CCIE#46630 (Security)</P> Thu, 16 Mar 2017 03:17:16 GMT Deepika Mahankali 2017-03-16T03:17:16Z https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955346#M144632 <P>We are currently trying to get our remote Cisco ASA 5505`s to obtain a certificate from a Windows Server running NDES.</P> <P>The NDES server is located in a network in the datacenter (private IP`s), which all remote ASA`s can reach trough a VPN tunnel. When we try to obtain a certificate, we notice that the firewall connects from the outside interface, and therefor doesn`t use the VPN tunnel for communication. (Similar to not specifying a source interface when pinging the NDES server from the ASA.)</P> <P>Is there any way we can specify that the firewall should use the the inside ip address as source for traffic towards&nbsp;the NDES server? If not we may have to alter the VPN tunnels, but we would really like to avoid it.</P> <P></P> <P>Thanks!</P> <P></P> <P>Daniel</P> Tue, 12 Mar 2019 08:35:08 GMT https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955346#M144632 Daniel Fjortoft 2019-03-12T08:35:08Z https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955347#M144633 <P>Hi Daniel,</P> <P>&nbsp;</P> <P>Please note that there was an enhancement request filed for this and the support for source interface based enrollment has been introduced in ASA software version 9.5(1).</P> <P>Please find the release notes for the same below. In the release notes, it is mentioned that ‘enrollment source’ has been introduced in 9.5(1).</P> <P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html</A></P> <P>I have verified this in my lab and see the following ’interface’ option on ASA version 9.5 for specifying the enrollment source interface –</P> <P>epicfw01-a/admin(config-ca-trustpoint)# enrollment ?</P> <P>crypto-ca-trustpoint mode commands/options:</P> <P>&nbsp; interface&nbsp; Configure source interface</P> <P>&nbsp; retry&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Polling parameters</P> <P>&nbsp; self&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Enrollment will generate a self-signed certificate</P> <P>&nbsp; terminal&nbsp;&nbsp; Enroll via the terminal (cut-and-paste)</P> <P>&nbsp; url&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CA server enrollment URL</P> <P>Now, I understand you are using ASA 5505. Since the highest software version supported on ASA 5505 is 9.1(7), you may need a hardware upgrade to utilize this feature.</P> <P>Hope it helps.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Deepika Mahankali</P> <P>CCIE#46630 (Security)</P> Thu, 16 Mar 2017 03:17:16 GMT https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955347#M144633 Deepika Mahankali 2017-03-16T03:17:16Z https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955348#M144634 <P>Thank you Deepika Mahankali! I will test and come back to you!</P> <P></P> <P></P> <P>Best regards</P> <P>Daniel</P> Thu, 16 Mar 2017 07:15:15 GMT https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955348#M144634 Daniel Fjortoft 2017-03-16T07:15:15Z https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955349#M144636 <P>I have now done some testing on a ASA 5506x with ASA 9.6(1). It worked!</P> <P>Thanks Deepika! This saves us from changing the cryptomaps on all our tunnels. I would be nice to do the same on the 5505`s, but this is at least working for the new ones.</P> Fri, 17 Mar 2017 08:13:43 GMT https://community.cisco.com/t5/network-security/cisco-asa-specify-source-address-on-traffic-towards-ndes-server/m-p/2955349#M144636 Daniel Fjortoft 2017-03-17T08:13:43Z