11-02-2011 10:14 AM
Hey guys,
I'm hoping you can answer my questions here. I'll lay it out simply and then respond if you need any additional information. I'm setting up two separate 5510's at two separate locations. The client wants two separate SSL-VPNs; one for the HQ and one for the COLO location. They have a single domain for which I have added A-records to point to the corresponding ASAs thusly:
HQ-ASA = vpn.mycompany.com - 1.1.1.1
COLO-ASA = vpn-colo.mycompany.com - 2.2.2.2
My question is this: do I need to buy separate certificates for each ASA/fqdn/IP combo? I'm using GoDaddy to buy the certs if that helps. If I do need to buy separate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combos are verified?
I'm in somewhat of a hurry to get this figured out. I'll be monitoring this post.
Thank you,
Josh
CCNA, CCNA-Security
11-02-2011 10:35 AM
I'm thinking a wildcard SSL cert will work. Here's how I think I should configure it:
On the COLO
crypto key generate rsa label my.godaddy.key modulus 2048
crypto ca trustpoint my.godaddy.trustpoint
keypair my.godaddy.key
fqdn vpn-colo.mycompany.com
subject-name CN=vpn-colo.mycompany.com, OU=IT, O=mycompany corp, C=US, ST=Illinois, L=Springfield
enrollment terminal
serial-number
wr mem
!
!Import the CA cert. Download it from the CA provider
crypto ca authenticate my.godaddy.trustpoint
!paste in the base64 CA cert string you received. Make sure the last line is 'quit'
!accept the certificate by answering y
!
!enroll the new cert
crypto ca enroll my.godaddy.trustpoint
!
!Make sure to display the certificate request (CSR) to the terminal and copy that information. The CA you bought your cert
!from will want it.
!
!When you receive your signed cert back from the CA, import it
crypto ca import my.godaddy.trustpoint certificate
!paste in the base64 signed cert string you received. Make sure the last line is 'quit'
!
!BACKUP THE CERTS AND PRIVATE KEYS
crypto ca export my.godaddy.trustpoint pkcs12 hahawhatever
!
On the HQ
crypto key generate rsa label my.godaddy.key modulus 2048
crypto ca trustpoint my.godaddy.trustpoint
keypair my.godaddy.key
fqdn vpn.mycompany.com
subject-name CN=vpn.mycompany.com, OU=IT, O=mycompany corp, C=US, ST=Illinois, L=Moline
enrollment terminal
serial-number
wr mem
Then, use the exported PKCS#12 to import into the HQ ASA with:
crypto ca import my.godaddy.trustpoint pkcs12 hahawhatever
And on both:
ssl trust-point my.godaddy.trustpoint outside
Am I missing something?
Josh
CCNA, CCNA-Security
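To see which hostnames a single wildcard certificate would actually cover for the two VPN FQDNs in this thread, here is an added Python example (not from the original post or from Cisco) that applies RFC 6125 wildcard matching rules to a constructed list of certificate names; WILDCARD_CERT_NAMES is an assumed sample, not a real GoDaddy certificate.

```python
from typing import Dict, List

# Constructed sample: the subject/SAN names a wildcard certificate for the
# poster's domain would typically carry (hypothetical values, not a real cert).
WILDCARD_CERT_NAMES = ["*.mycompany.com", "mycompany.com"]

# The two VPN hostnames from the thread.
VPN_HOSTS = ["vpn.mycompany.com", "vpn-colo.mycompany.com"]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching of one certificate name against a hostname.

    The wildcard must be the entire left-most label, so '*.mycompany.com'
    covers 'vpn.mycompany.com' but not 'mycompany.com' (too few labels) or
    'a.b.mycompany.com' (a '*' never spans a dot). Partial-label patterns
    such as 'vpn*.mycompany.com' are rejected, as modern clients do.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # '*' must be the whole first label and appear only once
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style patterns
    if len(h_labels) != len(p_labels):
        return False  # the wildcard replaces exactly one label
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(wildcard_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname to whether the certificate's names cover it."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    for host, ok in coverage_report(WILDCARD_CERT_NAMES, VPN_HOSTS).items():
        print(f"{host:28s} {'covered' if ok else 'NOT covered'}")
```

Whatever the configured subject-name on each trustpoint, the name a client checks is whatever the signed certificate carries, so run the report against the names in the cert the CA actually issued.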
11-08-2011 09:15 AM
Must be a rather difficult question...