You no longer need to continue using self-signed certs, as StartSSL offer them for free. If you need to replace or install a cert for the first time to use with an SSL VPN, then this is how to achieve it using the CLI.

Okay, so Wosign bought and royally cocked up StartSSL, so they are a dead duck in the cert authority space. However, there is a free alternative called Let's Encrypt. They work great and support the ACME protocol for automatic cert renewal on servers, but of course some devices will never support automatic renewal. The one small downside is that the certificates are valid for 90 days only; however, considering the price, it's a small price to pay. I've used a great tool to get certs for non-ACME clients such as the ASA.

Solution

Time Settings
The first thing you need to ensure is that your clock is set correctly. Set the clock/timezone and also define some NTP servers to ensure the firewall keeps its time correctly. The ASA checks a certificate's validity dates against its own clock, so a wrong clock makes a perfectly good certificate unusable.

Generate the CSR
The next stage is the CSR, or certificate signing request. For the label name, use the .key version of the domain name that you are using. If you are replacing an existing certificate, you don't need to generate a new key, but of course you can. You will, though, need to clear the trustpoint and configure it again from scratch:

ASA(config)# no crypto ca trustpoint <trustpoint>

The full steps required are as follows (the trustpoint must be created before its subcommands can be entered, and keypair binds the labelled key to the trustpoint; without it the ASA enrols with its default RSA key):

ASA(config)# crypto key generate rsa label <label> modulus 2048
ASA(config)# crypto ca trustpoint <trustpoint>
ASA(config-ca-trustpoint)# subject-name CN=<fqdn>, OU=<unit>, O=<organisation>, C=<country>, St=<state>, L=<city>
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# keypair <label>
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca enroll <trustpoint>

Question Prompt: Include the device serial number in the subject name? : NO
Question Prompt: Display Certificate Request to terminal? : YES
Notes: After answering YES the CLI will output the CSR. You need to copy the CSR so you can submit it to your Certificate Authority.
Redisplay enrollment request? : NO

Submit your CSR to your Certificate Authority
Under the StartSSL management portal, create a new Webserver SSL/TLS certificate using the generated CSR. Once you download the zip file, which contains the certificates in various formats, open the "OtherServer.zip" file and you will find an intermediate, root and host certificate. You will need to open the intermediate and host certificates using a text editor; I always use the fantastic Notepad++.

Use your preferred cert provider's tools to request a valid certificate. The suggested tool is very straightforward and allows you to use DNS for verification of the domain.

Install the Certificates on the ASA
The first step is to install the CA cert, which is the second cert in the chain (the intermediate that signed your host certificate, not the root). The ASA will not accept the host certificate until its issuer has been authenticated on the trustpoint:

ASA(config)# crypto ca authenticate <trustpoint>

You will then get a prompt: "Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself". Copy the intermediate certificate and paste it into the CLI, go to the next line, type quit and press enter. You will then get another prompt asking you: Do you accept this certificate? : yes
After accepting you will get a response to say the certificate import was successful.

The second step is to install the host certificate:

ASA(config)# crypto ca import <trustpoint> certificate

Again you get the prompt "Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself". Copy the host certificate and paste it into the CLI, then type quit on a line by itself.

Tell WebVPN to use the new certificate
ASA(config)# ssl trust-point <trustpoint> outside

Verify
You can use the following command to verify that the certificates installed correctly:

ASA# show crypto ca certificates

There is also a great online tool where you can test your SSL installation. Of course, don't forget to save your config.


Implementing the Cisco Adaptive Security Appliance (ASA)

IOS Firewall Solution
An IOS router firewall solution is appropriate for small branch deployments and for administrators who are experienced with Cisco IOS. However, an IOS firewall solution does not scale well and typically cannot meet the needs of a large enterprise.

Firewall Solution
The ASA 5500 firewall appliance is a multi-service standalone appliance that is a primary component of the Cisco SecureX architecture. ASA 5500 appliances incorporate:
- Proven firewall technology.
- High-performance VPNs and always-on remote access.
- Comprehensive, highly effective intrusion prevention system (IPS) with Cisco Global Correlation and guaranteed coverage.
- Failover feature for fault tolerance.

ASA Models
Cisco ASA devices scale to meet a range of requirements and network sizes. There are six ASA models, ranging from the basic 5505 branch office model to the 5585 data center version. All provide advanced stateful firewall features and VPN functionality. The biggest differences between models are:
- Maximum traffic throughput handled by the device.
- The types and the number of interfaces on the device.
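The certificate procedure above is spread over several sections with the names stripped out, so here is the whole thing as one terminal-enrollment session. This is an added example, not the author's configuration: the hostname vpn.example.com, the key label, the NTP addresses (documentation range), the subject-name values and the abbreviated prompt output are all assumptions, and the pasted certificate bodies are placeholders. It also adds fqdn, keypair and the save at the end, which the write-up mentions but does not show as commands.

```cisco
! Added worked example (not the author's config): complete SSL VPN certificate
! install on an ASA via terminal enrollment. Names, addresses and prompt
! output are assumptions; substitute your own.

! 1. Time first: the ASA checks a certificate's validity period against its
!    own clock, so wrong time makes a valid certificate unusable.
ASA(config)# clock timezone GMT 0
ASA(config)# ntp server 192.0.2.10 source outside prefer
ASA(config)# ntp server 192.0.2.11 source outside

! 2. Key pair and trustpoint. Leave out the "no" line on a first install.
!    keypair binds the labelled key; without it the default RSA key is used.
ASA(config)# no crypto ca trustpoint vpn.example.com
ASA(config)# crypto key generate rsa label vpn.example.com.key modulus 2048
ASA(config)# crypto ca trustpoint vpn.example.com
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# fqdn vpn.example.com
ASA(config-ca-trustpoint)# subject-name CN=vpn.example.com,OU=IT,O=Example Ltd,C=GB,St=London,L=London
ASA(config-ca-trustpoint)# keypair vpn.example.com.key
ASA(config-ca-trustpoint)# exit

! 3. Print the CSR on the terminal; copy everything between BEGIN and END
!    and submit it to the CA (StartSSL portal or an ACME client that accepts
!    an existing CSR).
ASA(config)# crypto ca enroll vpn.example.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
(CSR body, placeholder)
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: no

! 4. Authenticate the trustpoint with the INTERMEDIATE that signed the host
!    certificate (second cert in the chain), not the root. The host cert
!    cannot be imported until this step succeeds.
ASA(config)# crypto ca authenticate vpn.example.com
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(intermediate CA certificate, placeholder)
-----END CERTIFICATE-----
quit
Do you accept this certificate? [yes/no]: yes

! 5. Import the host (identity) certificate issued for the CSR above.
ASA(config)# crypto ca import vpn.example.com certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(host certificate, placeholder)
-----END CERTIFICATE-----
quit

! 6. Bind it to the SSL VPN listener on the outside interface, verify, save.
ASA(config)# ssl trust-point vpn.example.com outside
ASA(config)# end
ASA# show crypto ca certificates
ASA# write memory
```

In the show crypto ca certificates output the trustpoint should list both the CA certificate from step 4 and the identity certificate from step 5; if step 5 is rejected, the usual cause is having authenticated the root or the wrong intermediate in step 4. With a 90-day Let's Encrypt certificate the key pair and CSR can be kept, so a renewal normally means repeating step 5 only, plus step 4 if the CA has rotated its intermediate.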