https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695986#M193968 <P>Just want to practice with CCP and looking devices that I can use here at work.</P><P>&nbsp;</P><P>Thank you Marvin. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 15 Jul 2015 19:06:41 GMT Shao-Yu Chen 2015-07-15T19:06:41Z https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695984#M193960 <P>APHA-ASA5585VPN# sh run | inc crypto pki<BR />APHA-ASA5585VPN# sh run | inc crypto<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<BR />crypto ipsec ikev2 ipsec-proposal DES<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR />crypto ipsec ikev2 ipsec-proposal AES<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR />crypto ipsec ikev2 ipsec-proposal AES256<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000<BR />crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<BR />crypto map outside_map interface outside<BR />crypto ca trustpoint VPN_TrustPoint<BR />crypto ca trustpoint ASDM_TrustPoint0<BR />crypto ca trustpoint ASDM_TrustPoint1<BR />crypto ca trustpoint ASDM_TrustPoint2<BR />crypto ca trustpoint ASDM_VPNTrustPoint<BR />crypto ca trustpoint VPNTrustPoint<BR />crypto ca trustpoint VPNTrustPoint2<BR />crypto ca trustpool policy<BR />crypto ca certificate chain ASDM_TrustPoint0<BR />crypto ca certificate chain ASDM_VPNTrustPoint<BR />crypto ca certificate chain VPNTrustPoint<BR />crypto isakmp identity hostname<BR />no crypto isakmp nat-traversal<BR />crypto ikev2 policy 1<BR />crypto ikev2 policy 10<BR />crypto ikev2 policy 20<BR />crypto ikev2 policy 30<BR />crypto ikev2 policy 40<BR />crypto ikev2 enable outside<BR />crypto ikev1 enable outside<BR />crypto ikev1 policy 10<BR />crypto ikev1 policy 30<BR />crypto ikev1 policy 50<BR />crypto ikev1 policy 70<BR />crypto ikev1 policy 90<BR />&nbsp; add-command "show crypto ipsec sa"<BR />&nbsp; add-command "show crypto isakmp sa"<BR />&nbsp; add-command "show crypto protocol statistics all"</P><P><BR />Base on above show run, there is no crypto pki running on this device. I am not able to pick up self signed crypto key from this device, and I believe it is required for CCP to connect.</P><P>If I enable crypto key gen rsa, what kind of impact will I do to our VPN users? This ASA device is only doing VPN service at this point. Will I mess up our VPN certificates?</P><P>&nbsp;</P><P>Thank you answering my questions.</P> Tue, 12 Mar 2019 06:14:30 GMT https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695984#M193960 Shao-Yu Chen 2019-03-12T06:14:30Z https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695985#M193964 <P>Assuming you're asking about the Cisco Configuration Professional type of CCP....</P><P>That CCP is only for router configuration and will not work with ASAs of any kind. The GUI for managing an ASA is ASDM (Adaptive Security Device Manager). There is a certificate for ASDM as indicated by "ASDM_TrustPoint0"&nbsp;in your output above..</P><P>Even if you didn't have any certificate configured, the ASDM would have generated a self-signed ephemeral one when it booted up and initialized.</P><P>You should point your browser to an interface permitted for management (as indicated by the "http" command in your configuration) and specify <A href="https://&lt;interface" target="_blank">https://&lt;interface</A> address or fqdn&gt;/admin to launch ASDM and optionally download the desktop client (a Java applet).</P> Thu, 09 Jul 2015 02:11:19 GMT https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695985#M193964 Marvin Rhoads 2015-07-09T02:11:19Z https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695986#M193968 <P>Just want to practice with CCP and looking devices that I can use here at work.</P><P>&nbsp;</P><P>Thank you Marvin. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 15 Jul 2015 19:06:41 GMT https://community.cisco.com/t5/network-security/setting-ccp-with-asa-5585x/m-p/2695986#M193968 Shao-Yu Chen 2015-07-15T19:06:41Z