cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
587
Views
0
Helpful
2
Replies

Setting CCP with ASA 5585X

Shao-Yu Chen
Level 1
Level 1

APHA-ASA5585VPN# sh run | inc crypto pki
APHA-ASA5585VPN# sh run | inc crypto
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
crypto ipsec ikev2 ipsec-proposal 3DES
crypto ipsec ikev2 ipsec-proposal AES
crypto ipsec ikev2 ipsec-proposal AES192
crypto ipsec ikev2 ipsec-proposal AES256
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint VPN_TrustPoint
crypto ca trustpoint ASDM_TrustPoint0
crypto ca trustpoint ASDM_TrustPoint1
crypto ca trustpoint ASDM_TrustPoint2
crypto ca trustpoint ASDM_VPNTrustPoint
crypto ca trustpoint VPNTrustPoint
crypto ca trustpoint VPNTrustPoint2
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
crypto ca certificate chain ASDM_VPNTrustPoint
crypto ca certificate chain VPNTrustPoint
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev2 policy 1
crypto ikev2 policy 10
crypto ikev2 policy 20
crypto ikev2 policy 30
crypto ikev2 policy 40
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
crypto ikev1 policy 30
crypto ikev1 policy 50
crypto ikev1 policy 70
crypto ikev1 policy 90
  add-command "show crypto ipsec sa"
  add-command "show crypto isakmp sa"
  add-command "show crypto protocol statistics all"


Base on above show run, there is no crypto pki running on this device. I am not able to pick up self signed crypto key from this device, and I believe it is required for CCP to connect.

If I enable crypto key gen rsa, what kind of impact will I do to our VPN users? This ASA device is only doing VPN service at this point. Will I mess up our VPN certificates?

 

Thank you answering my questions.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Assuming you're asking about the Cisco Configuration Professional type of CCP....

That CCP is only for router configuration and will not work with ASAs of any kind. The GUI for managing an ASA is ASDM (Adaptive Security Device Manager). There is a certificate for ASDM as indicated by "ASDM_TrustPoint0" in your output above..

Even if you didn't have any certificate configured, the ASDM would have generated a self-signed ephemeral one when it booted up and initialized.

You should point your browser to an interface permitted for management (as indicated by the "http" command in your configuration) and specify https://<interface address or fqdn>/admin to launch ASDM and optionally download the desktop client (a Java applet).

View solution in original post

2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

Assuming you're asking about the Cisco Configuration Professional type of CCP....

That CCP is only for router configuration and will not work with ASAs of any kind. The GUI for managing an ASA is ASDM (Adaptive Security Device Manager). There is a certificate for ASDM as indicated by "ASDM_TrustPoint0" in your output above..

Even if you didn't have any certificate configured, the ASDM would have generated a self-signed ephemeral one when it booted up and initialized.

You should point your browser to an interface permitted for management (as indicated by the "http" command in your configuration) and specify https://<interface address or fqdn>/admin to launch ASDM and optionally download the desktop client (a Java applet).

Just want to practice with CCP and looking devices that I can use here at work.

 

Thank you Marvin. :)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: