We are adding certificates to a Cisco Pix 515 with V6.2(2) of the Pix software. The CA we are using is SmartTrust v3.5.10 with WebRA (including the SmartTrust SCEP servlet). Enrollment of the certificate from the SCEP solution works fine, but the Pix can't retrieve the CRL.
The CRL is stored in a Netscape LDAP directory, and the CRL Distribution Point (in short CDP) in the certificate is set to point to the location in the LDAP directory.
We are using the same solution for a Cisco Router 17xx with Cisco IOS v12.2(8)T, which retrieves the CRL from the LDAP directly without problems (using the CDP).
The scep address (host:/cgi-bin) is because SmartTrust's implementation of the scep protocol is a java servlet where the scep is called as http://host/cgi-bin/pkiclient.exe, and since the scep protocol automatically adds the pkiclient.exe it is not allowed to add this to the configuration (in the Pix, it would actually result in a call to http://host/cgi-bin//pkiclient.exe, which would not work!)
The above configuration works fine, but when we request the CRL the Pix will call the scep implementation for the CRL (and in our configuration this will not work, since our CRL will not be requested correctly, because of our configuration and the way the SmartTrust SCEP implementation works), so we would like the Pix to fetch the CRL directly from the LDAP directory.
We found that the "ca identity vpncaid" command had the possibility to add the IP address of the LDAP server, but as soon as we add an IP address here, the Pix doesn't request anything at all when we request the CRL (using the "ca crl request vpncaid" command). We used the cool new sniffer in the Pix 6.2 and this didn't register any traffic at all, neither to the SCEP server nor to the LDAP directory, so my question is: can the Pix request the CRL directly from the LDAP directory, or does it have to use the SCEP server?
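An added example in Python, not from the post and not Cisco or SmartTrust code: it parses an LDAP CDP URI of the kind the certificate carries into the search parameters a directory client would use for the CRL lookup, and classifies a list of distribution points by retrieval method. The sample URI, host and DN are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample CDP URI of the kind the post describes: the CRL sits in a
# Netscape LDAP directory and the certificate's CDP points at it. Host and DN
# are placeholders, not the poster's real values.
SAMPLE_LDAP_CDP = ("ldap://ldap.example.test/CN=vpnca,OU=pki,O=example"
                   "?certificateRevocationList;binary?base?(objectClass=*)")

LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_cdp(uri):
    """Split an RFC 4516 LDAP URL from a CRL Distribution Point into the
    parameters a directory client needs for the CRL search.
    Layout: ldap://host:port/dn?attributes?scope?filter?extensions, where
    every component after the host is optional."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS:
        raise ValueError("not an LDAP distribution point: %s" % uri)
    # urlsplit ends the path at the first '?', so all remaining
    # '?'-separated RFC 4516 fields sit in .query
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))  # pad absent optional fields
    attrs, scope, ldap_filter = fields[:3]
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad LDAP scope %r in %s" % (scope, uri))
    return {
        "host": parts.hostname,
        "port": parts.port or LDAP_DEFAULT_PORTS[scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        # an empty attribute list means "all user attributes" (RFC 4516)
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope,
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }


def crl_fetch_methods(cdp_uris):
    """Map each CDP URI to the retrieval method it implies, so an admin can
    see whether any distribution point is reachable without the SCEP server."""
    kinds = {"ldap": "ldap", "ldaps": "ldap", "http": "http", "https": "http"}
    return [(u, kinds.get(urlsplit(u).scheme.lower(), "unsupported"))
            for u in cdp_uris]
```

Comparing the parsed base DN, attribute and scope against what the directory actually holds is the quickest way to confirm the CDP in the issued certificate is usable by a client that reads it directly.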