Anyconnect migration from 5520 to new 5545-X

keithcclark71
Level 3

I am tasked with porting over AnyConnect profiles from a production 5520 to a new 5545-X replacement. I have two remote sites that also have site-to-site IKEv1 tunnels into this production 5520.

Within Certificate Management I have three sections, as follows:

Identity Certificates

The external FQDN that resolves to the public-side IP of the ASA

CA Certificates

COMODO RSA Certification Authority, cn=AddTrust External CA Root, ou=AddTrust External TTP Network | Associated Trustpoints (ASDM_Trustpoint2)

COMODO RSA Domain Validation Secure Server CA, cn=COMODO RSA Certification Authority | Associated Trustpoints (ASDM_Trustpoint3)

AddTrust External CA Root, cn=AddTrust External CA Root, ou=AddTrust External TTP Network | Associated Trustpoints (ASDM_Trustpoint21)

Local Certificate Authority (the CN here references the ASA itself, CN=asa5520.domain.org)

Questions:

1) Is the Identity Certificate really the only certificate I need to be concerned with here? There are two export options: one is just the certificate and the other is the certificate with private key. Can I just export the certificate on its own, without the private key, from the production firewall into the replacement firewall?

2) Can the host name of the replacement firewall be different with the certificate export/import?

3) Do I need to do anything with the CA Certificates, or are these generated by default?

4) Is the SSL certificate for AnyConnect in any way tied into the site-to-site IKE tunnels? I don't think so, but I am just trying to make sure I am covering all bases.

5) Is there any way I can test this deployment before doing a production swap? I ask this as it seems like I will need to make the replacement's external interface the same IP that the Identity Certificate resolves to.


4 Replies

1) You need the certificate with private key.

2) Yes, these names can be different.

3) You typically don't need the CA certificates. But you should have the intermediate certificate imported so that the ASA can send the complete certificate chain.

4) IPsec tunnels can also authenticate with certificates. Check if that is the case or if all tunnels use only pre-shared keys.

5) Easy: configure your outside interface with an IP of your choice, connect a PC to the outside interface and add your FQDN with that IP to your hosts file. Then you can test whether your connection is working.

Thanks Karsten, all makes sense to me now with the exception of the intermediate cert. Where would I import that from?

You got it from your CA when you ordered your certificate. If you don't find it, log in to your CA account. There you can download it.

If you don't import it to your ASA, it's likely that it will still work. But a new client has to do an additional download of the cert from the CA. After that the cert is typically cached and no problems arise. Still, it's not a clean/good installation if the cert is missing.

You can test your actual ASA with https://www.ssllabs.com/ssltest/ and it will tell you if there are any chain issues.
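As an added example that is not part of the thread, the shell script below rehearses the two certificate points from the replies above (point 1, export the certificate with its private key; point 3, import the intermediate so the ASA sends a complete chain) offline, using a throwaway PKI built with the openssl CLI. It shows what the "certificate with private key" export actually is, a PKCS#12 bundle carrying the key, the identity certificate and any intermediate you include (the same format the ASA CLI prints, base64-encoded, with `crypto ca export <trustpoint> pkcs12 <passphrase>` for `crypto ca import` on the replacement), and it reproduces the "chain issue" a client or the SSL Labs test reports when the intermediate is missing. Every name here (Lab Root CA, Lab Intermediate CA, vpn.example.org, the passphrase) is made up; it assumes only that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the certificate steps with a
# throwaway PKI so the migration can be checked before the production swap.
# Assumes the openssl CLI is installed. All names here (Lab Root CA,
# Lab Intermediate CA, vpn.example.org, the passphrase) are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the toy hierarchy: root -> intermediate -> ASA identity cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.org\n' > leaf.ext

gen_csr() { # $1 = file prefix, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}
gen_csr root "/CN=Lab Root CA"
gen_csr int  "/CN=Lab Intermediate CA"
gen_csr asa  "/CN=vpn.example.org"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.crt >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -days 30 -out int.crt >/dev/null 2>&1
openssl x509 -req -in asa.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile leaf.ext -days 30 -out asa.crt >/dev/null 2>&1

# Point 1: "certificate with private key" is a PKCS#12 bundle. Without the key
# the replacement ASA could never complete a TLS handshake as vpn.example.org.
export_p12() { # $1 = output file, $2 = passphrase, $3 = with-chain | leaf-only
  chain=""
  [ "$3" = with-chain ] && chain="-certfile int.crt"
  openssl pkcs12 -export -inkey asa.key -in asa.crt $chain -out "$1" -passout "pass:$2"
}
# Count what a bundle carries: private keys, and certificates (leaf plus any intermediates).
p12_keys()  { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'; }
p12_certs() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# Point 3: a client trusts only the public root, so the ASA must present the
# intermediate itself. $2 is the intermediate file the server sends, or "" if none.
chain_status() { # $1 = identity cert, $2 = intermediate(s) presented by the server
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1 && echo complete || echo incomplete
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1 && echo complete || echo incomplete
  fi
}

export_p12 asa-full.p12 lab-pass with-chain
export_p12 asa-leaf.p12 lab-pass leaf-only
echo "private keys in full bundle:   $(p12_keys asa-full.p12 lab-pass)"
echo "certificates in full bundle:   $(p12_certs asa-full.p12 lab-pass)"
echo "certificates in leaf-only one: $(p12_certs asa-leaf.p12 lab-pass)"
echo "chain with intermediate:       $(chain_status asa.crt int.crt)"
echo "chain without intermediate:    $(chain_status asa.crt '')"
```

The verify step is the offline version of the SSL Labs check. Against the real replacement box, the hosts-file trick from point 5 can be done without touching the hosts file: `openssl s_client -connect <replacement-outside-ip>:443 -servername vpn.example.org -showcerts` connects to the interim IP, sends the FQDN as SNI, and prints the chain the ASA actually serves; once the intermediate is imported the `Verify return code` line should read `0 (ok)` when run on a host that trusts the public root.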

Thanks a ton. I'm doing a big project porting over first-gen to next-gen ASAs, with sites connected using IKEv1 tunnels and AnyConnect. On top of that they're doing split tunnels. I got keys more:system etc and the end goal, once configs are ported over, is to also get all these spoke and hub next-gen ASAs Firepower-configured and sending events to FMC on VMware. I'm probably going to be here more often asking questions, and thanks to guys like you, sites like these are great resources. Appreciate the responses.
