[c-nsp] ASA VPN with Local CA on the ASA

Bruce Pinsky bep at whack.org
Wed Aug 17 15:12:52 EDT 2011



Jay Nakamura wrote:
> I have been reading the documentation and trying to understand how this works.
> 
> My understanding is, I can use a certificate to add another layer of
> authentication to VPN users on ASA.  I can use the ASA as the CA to
> issue the cert and manage the cert.  Is that correct?  I wouldn't need
> additional CA server or external CA to purchase certs from?  Does it
> work with both IPSec and Anyconnect clients?
> 
> Anyone have a good configuration example or URL that goes over it?
> 

Yes, the ASA can serve as its own CA.  The caveat appears to be that you
can't have failover if you do that.  If you have Active/Standby, the
recommendation is using Microsoft's CA.  Here are links for doing both:

http://www.networkworld.com/community/blog/how-guide-cisco-asa-sslvpn-using-certificates
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

--
=========
bep

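As an added illustration of what the reply describes (not a configuration from either poster or from the linked documents), here is a minimal ASA configuration that enables the local CA, enrolls one user, and requires a client certificate plus AAA for an AnyConnect tunnel group. Interface, host, user, policy and tunnel-group names are assumed placeholders; the AnyConnect image line and the AAA server definition are left out.

```cisco
! Added example, not from the original posts. Names are placeholders.
!
! Local CA. As the reply notes, this is not usable with failover;
! an Active/Standby pair should enroll against an external CA instead.
crypto ca server
 issuer-name CN=asa-ca.example.net,O=Example
 keysize 2048
 lifetime ca-certificate 3650
 lifetime certificate 365
 lifetime crl 6
 subject-name-default O=Example,C=US
 smtp from-address vpn-ca@example.net
 no shutdown
!
! Enroll a VPN user. The CA issues a one-time password that the user
! presents at the enrollment page to obtain a certificate.
crypto ca server user-db add jdoe dn CN=jdoe,O=Example email jdoe@example.net
crypto ca server user-db allow jdoe display-otp
! A lost or stolen certificate is revoked by serial number:
!   crypto ca server revoke <serial>
!
! Serve the local CA identity certificate on the outside interface.
ssl trust-point LOCAL-CA-SERVER outside
webvpn
 enable outside
 anyconnect enable
!
group-policy VPN-POLICY internal
group-policy VPN-POLICY attributes
 vpn-tunnel-protocol ssl-client
!
! Certificate is required in addition to username/password, and the
! username is taken from the certificate CN rather than typed freely.
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 default-group-policy VPN-POLICY
 username-from-certificate CN
tunnel-group CERT-VPN webvpn-attributes
 authentication aaa certificate
```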

