Can you use Lua scripts in ASA DAP (Dynamic Access Policies) to check the CA certificate template used for the certificate presented at connection time? Thanks.
Hi guys,
I have a number of ASA firewalls that are managed via CSM (currently version 4.12). We now need to apply a control plane ACL to traffic arriving on our outside interfaces.
I've created an extended ACL in the CSM Extended Access Lists polic...
Hi guys,
How does an ASA verify/validate the certificate used for authentication of the remote end of an IKEv2 tunnel?
I'm having some problems with setting up an L2L IKEv2 VPN using certificate auth. The VPN is between 2 ASAs, but I only control 1 s...
Hi guys,
We have had an issue reported by our users that their tannoy feature has stopped working. According to the phone system vendor, this feature requires multicast to be enabled.
Over the weekend that it stopped working, we had a lot of work goi...
Hi all,
I'm having some problems with certs in a failover pair.
I've imported a wildcard cert onto the primary node in a failover pair. This cert was then bound to the outside interface. This is working on the primary node fine for clientless SSL VPNs...
I raised a call with TAC today and spoke to them.
Using FlexConfig, you can't deploy an ACL policy that is referenced as a variable. You need to manually create any objects and then create the ACL using static commands.
Following testing, it does a...
Just so you know, I am using Cisco Security Manager to configure the ASA.
So, I've managed to get this to work using a certificate map, but I would like to check something.
When configuring the crypto map, you specify the peer's IP address using the I...
Hi guys,
So a little further info. It looks like my end is being authenticated at the remote end, but I suspect they have disabled peer authentication.
My trustpoint has both my identity certificate and the issuing CA's intermediate certificate.
The r...
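As an added illustration of the two posts above (the certificate map that made the IKEv2 L2L tunnel work, and the trustpoint holding the identity certificate plus the issuing CA's intermediate), here is an ASA configuration fragment written for this page. It is not the poster's configuration: the trustpoint, map, tunnel-group, key-pair and DN values (PARTNER-TP, PARTNER-MAP, PARTNER-TG, PARTNER-KEY, asa1.example.com, partner-issuing-ca, asa2.partner.example) are placeholders, and the point it makes is that the peer is matched on fields from its certificate and that peer identity validation stays enabled on the side you control.

```cisco
! Trustpoint for the local identity certificate. The issuing CA's
! intermediate is authenticated into the same trustpoint with
! "crypto ca authenticate PARTNER-TP", then the identity cert is imported
! with "crypto ca import PARTNER-TP certificate".
! (All names below are placeholders, not values from the original posts.)
crypto ca trustpoint PARTNER-TP
 enrollment terminal
 fqdn asa1.example.com
 subject-name CN=asa1.example.com
 keypair PARTNER-KEY
!
! Certificate map: identify the remote peer by what its certificate
! carries rather than by its IP address. The issuer CN must be the
! intermediate CA that signed the peer's identity certificate, and the
! subject CN must be the peer's own name.
crypto ca certificate map PARTNER-MAP 10
 issuer-name attr cn eq partner-issuing-ca
 subject-name attr cn eq asa2.partner.example
!
! Send peers that match rule 10 of PARTNER-MAP to a named tunnel-group
! instead of falling through to DefaultL2LGroup.
tunnel-group-map enable rules
tunnel-group-map PARTNER-MAP 10 PARTNER-TG
!
tunnel-group PARTNER-TG type ipsec-l2l
tunnel-group PARTNER-TG ipsec-attributes
 ! Both sides authenticate with certificates; the local one comes from
 ! the trustpoint above.
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate PARTNER-TP
 ! Keep peer identity validation on. "peer-id-validate nocheck" is the
 ! setting that would disable it, which the policy discussed above forbids.
 peer-id-validate req
```

To confirm the map is being hit and the chain validates, `show crypto ca certificates PARTNER-TP` should list both the identity certificate and the CA certificate, `show crypto ikev2 sa detail` should show the tunnel landing in PARTNER-TG, and `debug crypto ca 255` during a connection attempt shows which certificate-map rule matched and any chain-validation failure. If the remote end really has skipped peer authentication, only your side will report a validation result, so the debug output on the ASA you control is the evidence to keep.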
Thanks for the reply. The link has some very useful info about peer authentication, but this leaves me with some challenges.
By policy, we cannot disable peer validation. I can probably enable this for testing purposes, but cannot leave this in place...
Thanks for the reply Colin.
Unfortunately, when I failover to the standby device and try to import the cert, it says that the key already exists.
The trustpoint exists when I look at the command line.