11-24-2016 05:52 AM - edited 03-12-2019 01:35 AM
We are currently trying to get our remote Cisco ASA 5505's to obtain a certificate from a Windows Server running NDES.
The NDES server is located in a network in the datacenter (private IPs), which all remote ASAs can reach through a VPN tunnel. When we try to obtain a certificate, we notice that the firewall connects from the outside interface, and therefore doesn't use the VPN tunnel for communication. (Similar to not specifying a source interface when pinging the NDES server from the ASA.)
Is there any way we can specify that the firewall should use the inside IP address as source for traffic towards the NDES server? If not we may have to alter the VPN tunnels, but we would really like to avoid it.
Thanks!
Daniel
03-15-2017 08:17 PM
Hi Daniel,
Please note that there was an enhancement request filed for this and the support for source interface based enrollment has been introduced in ASA software version 9.5(1).
Please find the release notes for the same below. In the release notes, it is mentioned that ‘enrollment source’ has been introduced in 9.5(1).
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html
I have verified this in my lab and see the following 'interface' option on ASA version 9.5 for specifying the enrollment source interface:
epicfw01-a/admin(config-ca-trustpoint)# enrollment ?
crypto-ca-trustpoint mode commands/options:
interface Configure source interface
retry Polling parameters
self Enrollment will generate a self-signed certificate
terminal Enroll via the terminal (cut-and-paste)
url CA server enrollment URL
Now, I understand you are using ASA 5505. Since the highest software version supported on ASA 5505 is 9.1(7), you may need a hardware upgrade to utilize this feature.
Hope it helps.
Best Regards,
Deepika Mahankali
CCIE#46630 (Security)
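As an added example (not from the answer above or from Cisco documentation), this is what a trustpoint that pins SCEP enrollment to the inside interface looks like on ASA 9.5(1) or later; the trustpoint name, NDES address, URL path, key label and subject name are assumptions you would replace with your own.

```cisco
! Added example, not from the original thread. Assumed values: trustpoint
! NDES-TP, NDES server 10.10.10.20 reachable through the VPN, key label NDES-KEY.
crypto key generate rsa label NDES-KEY modulus 2048
!
crypto ca trustpoint NDES-TP
 ! Default NDES SCEP path on Windows Server; confirm it on your NDES host
 enrollment url http://10.10.10.20/certsrv/mscep/mscep.dll
 ! The option introduced in 9.5(1): source the enrollment request from
 ! "inside" so it matches the tunnel's crypto ACL instead of leaving
 ! directly via the outside interface
 enrollment interface inside
 ! Poll for the issued certificate instead of failing on a pending response
 enrollment retry period 5
 enrollment retry count 10
 subject-name CN=asa-branch01.example.com,O=Example
 fqdn asa-branch01.example.com
 keypair NDES-KEY
 ! Make the revocation-checking decision explicit rather than relying on defaults
 revocation-check none
 exit
!
! Step 1: fetch the CA certificate; compare the displayed fingerprint with the
! one shown on the CA before accepting it
crypto ca authenticate NDES-TP
! Step 2: request the identity certificate; prompts for the NDES challenge password
crypto ca enroll NDES-TP
!
! Verify that both the CA and identity certificates are now associated with the trustpoint
show crypto ca certificates NDES-TP
```

Since the ASA 5505 tops out at 9.1(7), the `enrollment interface` line is rejected there; on those units the only options remain adjusting the crypto map/tunnel definition or enrolling via the terminal.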
03-16-2017 12:15 AM
Thank you Deepika Mahankali! I will test and come back to you!
Best regards
Daniel
03-17-2017 01:13 AM
I have now done some testing on a ASA 5506x with ASA 9.6(1). It worked!
Thanks Deepika! This saves us from changing the cryptomaps on all our tunnels. It would be nice to do the same on the 5505's, but this is at least working for the new ones.