Re: Import third-party cert into Cisco 2821 router for SSL VPN
There are two methods of setting up a CA with Cisco IOS SSLVPN. First, we can use a true trusted third-party certificate, like Verisign, which has advantages, but costs money for the certificate. It allows the client side to automatically verify the authenticity of the certificates used in the SSL connection. Alternately, you can set up your own private CA (Windows 2003 Server with SCEP add-on, Cisco IOS CA, etc.), and manually distribute the root certificate to the SSL VPN users. This is cheaper, but requires manual distribution of the root certificate for automatic verification of the SSL connection. See Appendix B for more information on setting up a PKI trustpoint with the CA server.
Regardless of the CA method you choose, the trustpoint must be defined for the gateway to use it. If using multiple gateways, it is a good practice to define one trustpoint per gateway. This is mainly because the DNS hostname is included in the signed certificate used in tunnel mode. When a user browses to the WebVPN gateway, the URL of the WebVPN gateway should match the name in the certificate, or it will flag an error, which may become bothersome for users. It is best to have a clean session establishment.
The sample below shows two WebVPN gateways, which have different addresses in the same subnet and share the same trustpoint. They can be in separate subnets, as long as the address is reachable through the public network, and the subnet corresponds to that of another interface on the device.
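The configuration below is an added illustration of the layout the reply recommends, not the poster's own sample: two WebVPN gateways, each with its own trustpoint so that the hostname in each signed certificate matches the URL users browse to. The trustpoint names (SSLVPN-TP1, SSLVPN-TP2), gateway names, hostnames (vpn1.example.com, vpn2.example.com), RSA key labels and the 203.0.113.0/24 addresses are placeholders chosen for the example; substitute your own. The exec-mode commands at the end are the steps for a third-party CA with terminal (cut-and-paste) enrollment.

```text
! ---- Added example (placeholder names and addresses) ----
! One trustpoint per gateway; the CN must match the gateway hostname
crypto pki trustpoint SSLVPN-TP1
 enrollment terminal pem
 subject-name CN=vpn1.example.com
 revocation-check none
 rsakeypair SSLVPN-KEY1 2048
!
crypto pki trustpoint SSLVPN-TP2
 enrollment terminal pem
 subject-name CN=vpn2.example.com
 revocation-check none
 rsakeypair SSLVPN-KEY2 2048
!
! Two gateways on different addresses in the same public subnet,
! each bound to the trustpoint holding the certificate for its hostname
webvpn gateway GW1
 ip address 203.0.113.10 port 443
 hostname vpn1.example.com
 ssl trustpoint SSLVPN-TP1
 inservice
!
webvpn gateway GW2
 ip address 203.0.113.11 port 443
 hostname vpn2.example.com
 ssl trustpoint SSLVPN-TP2
 inservice
!
! ---- Exec mode: certificate enrollment with a third-party CA ----
! 1. Generate the CSR and paste it into the CA's request form
crypto pki enroll SSLVPN-TP1
! 2. Paste the CA's root (and any intermediate) certificate when prompted
crypto pki authenticate SSLVPN-TP1
! 3. Paste the signed identity certificate returned by the CA
crypto pki import SSLVPN-TP1 certificate
! Repeat steps 1-3 for SSLVPN-TP2, then verify
show crypto pki certificates
show webvpn gateway
```

If you instead point both gateways at a single trustpoint, as in the sample the reply refers to, browsers reaching the second hostname will warn about a name mismatch unless that hostname is also covered by the one certificate; that is exactly the user-facing error the reply is advising against.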