SCEP through ASA L2L VPN

Michael Dombek
Level 1

Dear all,

I've just hit an odd problem with an ASA | PKI | VPN Tunnel setup.

I tried to connect a remote ASA to a central pki server using SCEP.

The setup looks like this:

ASA-Remote  <===L2L-VPN===>  ASA-Central --- PKI Server

The ASA-Remote has a trustpoint configured using the IP address of the PKI server:

crypto ca trustpoint pki
 revocation-check crl
 enrollment url http://192.168.191.5:8080/xxxx
 serial-number
 crl configure

Capturing on the ASA-Remote outside interface I can see that the ASA-Remote is sending packets to the PKI server:

<publicIP-ASA-REMOTE>.15252 > 192.168.191.5.8080

This indicates to me that the ASA is not using the VPN Tunnel between ASA-Remote and ASA-Central for this communication.

Any ideas how to fix this issue?

Cheers and thanks, Michael

4 Replies

Jouni Forss
VIP Alumni

Hi,

Just commenting with regards getting the ASA to tunnel the connections it generates.

If your purpose is just to tunnel some traffic from the actual remote ASA device to a server on the other site, then I guess you could consider adding the remote ASA public IP address to the crypto ACL, since it seems that the ASA is just using the source address of the interface behind which the routing table says the destination address is found.

I guess you would need something like this (presuming software levels, ACL names, interface names, etc.):

Remote

access-list L2LVPN permit ip host host

Central

access-list L2LVPN permit ip host host
access-list INSIDE-NAT0 permit ip host host
nat (inside) 0 access-list INSIDE-NAT0

This would of course make it impossible for the server to be in connection with the remote ASA in any other way than the L2L VPN. Then again, I am not sure if that is any problem.

I would imagine this should be possible since SNMP, Syslog sending etc can be done in the same way.

- Jouni
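To illustrate the mechanism behind this suggestion (traffic is only encrypted if its source/destination pair matches a crypto ACL line, and ASA-originated traffic such as the SCEP request is sourced from the outside interface address), here is an added example that is not part of this thread or of any Cisco tool: a small crypto-ACL matcher in Python. The remote LAN 192.168.190.0/24 and the remote ASA public IP 203.0.113.10 are constructed placeholders; the PKI server 192.168.191.5 is the one from the original post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    """One 'access-list NAME permit ip SRC DST' line of a crypto ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _take_net(tok):
    """Consume 'host A' or 'NET MASK' from the token list (ASA uses real netmasks)."""
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_crypto_acl(lines):
    """Parse the simplified 'permit ip' syntax used in the thread; other lines are ignored."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_net(tok[4:])
        dst, _ = _take_net(rest)
        entries.append(AclEntry(src, dst))
    return entries

def is_tunneled(acl, src_ip, dst_ip):
    """True if the flow is 'interesting traffic', i.e. would be sent through the L2L tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in acl)

# Constructed values: remote LAN and remote ASA public IP are placeholders.
REMOTE_LAN_HOST = "192.168.190.20"
REMOTE_ASA_PUBLIC_IP = "203.0.113.10"
PKI_SERVER = "192.168.191.5"   # from the original post

# Typical LAN-to-LAN crypto ACL: only the two inside networks are interesting traffic.
ACL_BEFORE = ["access-list L2LVPN permit ip 192.168.190.0 255.255.255.0 192.168.191.0 255.255.255.0"]
# Jouni's suggestion: add a host-to-host line for the ASA's own outside address.
ACL_AFTER = ACL_BEFORE + [f"access-list L2LVPN permit ip host {REMOTE_ASA_PUBLIC_IP} host {PKI_SERVER}"]

def scep_goes_through_tunnel(acl_lines):
    """Would the SCEP request (sourced from the outside interface) be encrypted?"""
    return is_tunneled(parse_crypto_acl(acl_lines), REMOTE_ASA_PUBLIC_IP, PKI_SERVER)
```

Before the extra line the SCEP flow is not interesting traffic and leaves in the clear, which is what the capture in the original post shows; after it the same flow matches and is encrypted (the central side needs the mirror-image line and the NAT exemption, as in the reply above).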

Hey Jouni,

First of all, thanks for your response, and yes, you've tracked my problem correctly.

I thought about your solution, but I'm not sure that it works because (as far as I remember) for logging and SNMP to work you have to configure that the (remote) syslog / SNMP server is located behind the inside interface to make encryption work.

But you don't have an option saying where the trustpoint is located.

I'll of course give it a try in my lab and update everyone on that issue.

Thanks again

Michael

Hi,

I configured/tested the SNMP and Logging (+L2LVPN) once for someone asking here on the forums.

I will see if I can find the thread from the CSC.

But in short, I had defined the ASA to use the "outside" interface in both logging and snmp configurations.

- Jouni

Good thing we have Google. Faster to find the thread through there.

Here is the thread I mentioned:

https://supportforums.cisco.com/thread/2141385

EDIT: Actually it seems that this thread is also linked to another one.

- Jouni