[c-nsp] ASA VPN with Local CA on the ASA
Bruce Pinsky
bep at whack.org
Wed Aug 17 15:12:52 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jay Nakamura wrote:
> I have been reading the documentation and trying to understand how this works.
>
> My understanding is, I can use a certificate to add another layer of
> authentication to VPN users on ASA. I can use the ASA as the CA to
> issue the cert and manage the cert. Is that correct? I wouldn't need
> additional CA server or external CA to purchase certs from? Does it
> work with both IPSec and Anyconnect clients?
>
> Anyone have a good configuration example or URL that goes over it?
>
Yes, the ASA can serve as its own CA. The caveat appears to be that you
can't have failover if you do that. If you have Active/Standby, the
recommendation is using Microsoft's CA. Here are links for doing both:
http://www.networkworld.com/community/blog/how-guide-cisco-asa-sslvpn-using-certificates
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5MErIACgkQE1XcgMgrtyZwJgCgkHbb1NstSuKLPyG4jppwUuwx
CRYAn3qZJ01/KEdv9xOcUIKTYi8frphR
=qaTi
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list