Cisco ASA - Specify source address on traffic towards NDES server

Daniel Fjortoft
Level 1

We are currently trying to get our remote Cisco ASA 5505s to obtain a certificate from a Windows Server running NDES.

The NDES server is located in a network in the datacenter (private IPs), which all remote ASAs can reach through a VPN tunnel. When we try to obtain a certificate, we notice that the firewall connects from the outside interface, and therefore doesn't use the VPN tunnel for communication. (Similar to not specifying a source interface when pinging the NDES server from the ASA.)

Is there any way we can specify that the firewall should use the inside IP address as source for traffic towards the NDES server? If not, we may have to alter the VPN tunnels, but we would really like to avoid it.

Thanks!

Daniel

Accepted Solution

Hi Daniel,


Please note that there was an enhancement request filed for this, and support for source-interface-based enrollment has been introduced in ASA software version 9.5(1).

Please find the release notes for the same below. In the release notes, it is mentioned that ‘enrollment source’ has been introduced in 9.5(1).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

I have verified this in my lab and see the following 'interface' option on ASA version 9.5 for specifying the enrollment source interface:

epicfw01-a/admin(config-ca-trustpoint)# enrollment ?

crypto-ca-trustpoint mode commands/options:
  interface  Configure source interface
  retry      Polling parameters
  self       Enrollment will generate a self-signed certificate
  terminal   Enroll via the terminal (cut-and-paste)
  url        CA server enrollment URL

Now, I understand you are using ASA 5505. Since the highest software version supported on ASA 5505 is 9.1(7), you may need a hardware upgrade to utilize this feature.

Hope it helps.


Best Regards,

Deepika Mahankali

CCIE#46630 (Security)
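As an added example (not from the thread, Cisco's documentation or the release notes), here is the trustpoint configuration before and after the `enrollment interface` option described in the accepted answer, on ASA 9.5(1) or later. The trustpoint name, key label, NDES hostname and MSCEP path, interface name `inside` and the subject name are assumptions.

```cisco
! Added example, not from the thread. Assumes ASA 9.5(1)+, an interface
! named "inside" whose subnet is covered by the site-to-site tunnel's
! crypto ACL, and the default NDES (MSCEP) enrollment path. Hostnames,
! names and labels are placeholders.
crypto key generate rsa label NDES-KEY modulus 2048

! --- Before: no enrollment interface. The ASA sources the SCEP request
! from the egress interface ("outside"), so the packets never match the
! tunnel's crypto ACL and the private NDES address is unreachable.
crypto ca trustpoint NDES-TP
 enrollment url http://ndes.example.internal/certsrv/mscep/mscep.dll
 subject-name CN=branch-asa01.example.internal,O=Example
 keypair NDES-KEY

! --- After (9.5(1)+): source the enrollment from "inside" so the
! request is sent with the inside address and is carried over the VPN.
crypto ca trustpoint NDES-TP
 enrollment url http://ndes.example.internal/certsrv/mscep/mscep.dll
 enrollment interface inside
 subject-name CN=branch-asa01.example.internal,O=Example
 keypair NDES-KEY

! Fetch the CA certificate, then enroll (the one-time SCEP challenge
! password comes from the NDES admin page).
crypto ca authenticate NDES-TP
crypto ca enroll NDES-TP

! Checks: the trustpoint should show the source interface, the identity
! certificate should be present, and the tunnel's encaps counter should
! increase while the enrollment runs.
show running-config crypto ca trustpoint NDES-TP
show crypto ca certificates NDES-TP
show crypto ipsec sa
```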



Thank you Deepika Mahankali! I will test and come back to you!

Best regards

Daniel

I have now done some testing on an ASA 5506-X with ASA 9.6(1). It worked!

Thanks Deepika! This saves us from changing the crypto maps on all our tunnels. It would be nice to do the same on the 5505s, but this is at least working for the new ones.
