03-12-2017 08:30 AM - edited 03-12-2019 02:03 AM
I am tasked with porting over AnyConnect profiles from a production 5520 to a new 5545-X replacement. I have two remote sites that also have site-to-site IKEv1 tunnels into this production 5520.
Within Certificate Management I have three sections, as follows:
Identity Certificates
- The external FQDN that resolves to the public-side IP of the ASA
CA Certificates
- COMODO RSA Certification Authority, cn=AddTrust External CA Root, ou=AddTrust External TTP Network | Associated Trustpoints (ASDM_Trustpoint2)
- COMODO RSA Domain Validation Secure Server CA, cn=COMODO RSA Certification Authority | Associated Trustpoints (ASDM_Trustpoint3)
- AddTrust External CA Root, cn=AddTrust External CA Root, ou=AddTrust External TTP Network | Associated Trustpoints (ASDM_Trustpoint21)
Local Certificate Authority (the CN here references the ASA itself, CN=asa5520.domain.org)
Questions:
1) Is the Identity Certificate really the only certificate I need to be concerned with here? There are two export options: one is just the certificate and the other is the certificate with private key. Can I just export the certificate on its own, without the private key, from the production firewall into the replacement firewall?
2) Can the host name of the replacement firewall be different with the certificate export/import?
3) Do I need to do anything with the CA Certificates, or are these generated by default?
4) Is the SSL certificate for AnyConnect in any way tied into the site-to-site IKE tunnels? I don't think so, but I am just trying to make sure I am covering all bases.
5) Is there any way I can test this deployment before doing a production swap? I ask this as it seems like I will need to make the replacement external interface the same IP that the Identity Certificate resolves to.
03-12-2017 09:16 AM
1) You need the certificate with private key.
2) Yes, these names can be different.
3) You typically don't need the CA certificates. But you should have the intermediate certificate imported so that the ASA can send the complete certificate chain.
4) IPsec tunnel can also authenticate with certificates. Check if that is the case or if all tunnels only use pre-shared-keys.
5) Easy: Configure your outside interface with an IP of your choice, connect a PC to the outside interface and add your FQDN with the IP to your hosts-file. Then you can test if your connection is working.
03-12-2017 11:25 AM
Thanks Karsten, all makes sense to me now with the exception of the intermediate cert. Where would I import that from?
03-12-2017 11:38 AM
You got it from your CA when you ordered your certificate. If you don't find it, login to your CA-account. There you can download it.
If you don't import it to your ASA, it's likely that it will still work. But a new client has to do an additional download of the cert from the CA. After that the cert is typically cached and no problems arise. Still, it's not a clean/good installation if the cert is missing.
You can test your actual ASA with https://www.ssllabs.com/ssltest/ and it will tell you if there are any chain-issues.
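As an added, constructed example (not part of this thread, and not Cisco tooling), the shell script below builds a throwaway lab PKI with openssl, produces a PKCS#12 file the way the ASA's "certificate with private key" export would look, and checks the points raised in the accepted answer and the follow-up about the intermediate: that the export really carries the private key, that it carries the intermediate, that validation fails when the intermediate is absent (the "chain issue" SSL Labs would flag), and that what has to match is the public FQDN in the certificate, not the hostname of the replacement firewall. The FQDN vpn.example.org, the device name asa5545x.example.org, the passphrase and every generated key and certificate are assumptions; the script needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed lab PKI
# (root -> intermediate -> identity cert for an assumed VPN FQDN),
# exported to PKCS#12, plus the checks to run on an ASA export before
# importing it on the replacement box. Everything here is made up.
set -eu

VPN_FQDN="vpn.example.org"           # assumed public FQDN clients connect to
DEVICE_HOST="asa5545x.example.org"   # assumed hostname of the replacement ASA
P12_PASS="lab-export-pass"           # assumed export passphrase

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$VPN_FQDN" > leaf.ext

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for the noisy openssl steps

# Root CA (self-signed), intermediate CA signed by the root, and the
# identity certificate for the VPN FQDN signed by the intermediate.
q openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Lab Root CA" -keyout root.key -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem
q openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Lab Intermediate CA" -keyout int.key -out int.csr
q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.pem
q openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$VPN_FQDN" -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem

# Two exports: the complete one (key + identity cert + intermediate) and a
# cert-only one, like the ASA's "certificate without private key" option.
q openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile int.pem -passout "pass:$P12_PASS" -out full.p12
q openssl pkcs12 -export -nokeys -in leaf.pem -certfile int.pem -passout "pass:$P12_PASS" -out certonly.p12

# Answer 1: the export must carry the private key. Returns 0 if it does.
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Answer 3: how many certificates travel in the export (identity + intermediate = 2).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Does the identity cert chain to the root, given the intermediates the ASA
# would send? Without the intermediate this is the "chain issue" a scanner reports.
chain_ok() {   # chain_ok leaf.pem [intermediate.pem]
  if [ $# -ge 2 ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile root.pem "$1" 2>&1 | grep -q ': OK$'
  fi
}

# Answer 2: clients check the name they connect to against the certificate's
# SAN/CN; the firewall's own hostname never enters into it.
cert_matches_host() {
  openssl x509 -in leaf.pem -noout -checkhost "$1" 2>/dev/null | grep -q ' does match '
}

for f in full.p12 certonly.p12; do
  if p12_has_key "$f"; then
    echo "$f: private key present, $(p12_cert_count "$f") certificate(s)"
  else
    echo "$f: NO private key, cannot serve as the identity cert on the new ASA"
  fi
done
if chain_ok leaf.pem int.pem; then echo "chain with intermediate: OK"; fi
if ! chain_ok leaf.pem; then echo "chain without intermediate: FAILS (incomplete chain)"; fi
if cert_matches_host "$VPN_FQDN"; then echo "identity cert matches $VPN_FQDN"; fi
if ! cert_matches_host "$DEVICE_HOST"; then echo "identity cert does not match $DEVICE_HOST, which is fine"; fi
```

To check a real export rather than the lab one, point p12_has_key and p12_cert_count at the .p12 taken from the 5520 and replace root.pem with your CA's root certificate. On the ASA CLI the counterparts are `crypto ca export <trustpoint> pkcs12 <passphrase>` on the source and `crypto ca import <trustpoint> pkcs12 <passphrase>` on the replacement; whatever the export contains, verify it the way the script does rather than assuming the intermediate came along.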
03-12-2017 11:51 AM
Thanks a ton. I'm doing a big project porting over first-gen to next-gen ASAs, with sites connected using IKEv1 tunnels and AnyConnect. On top of that, they're doing split tunnels. I got keys, more:system, etc., and the end goal, once the configs are ported over, is to also get all these spoke and hub next-gen ASAs' Firepower configured and sending events to a VMware FMC. I'm probably going to be here more often asking questions, and thanks to guys like you, sites like these are great resources. Appreciate the responses.