I have a question about SSL VPNs. I have two ASA5510s running as a load-balancing cluster with IPsec today. We are working on enabling SSL VPN on them as well, and that is working perfectly; however, I do not understand 100% how I should assign certificates to them. Since the plan is to buy signed SSL certificates, I need to understand this 100%.
My knowledge tells me I would need 3 signed certificates or a wildcard: one certificate for the cluster and one for each ASA box. Is this correct? If so, how do I assign one certificate to the cluster?
Great question! You just need one wildcard certificate for both ASAs. Here's how it will work (for both web browser and AnyConnect):
1. The client connects on port 443/HTTPS to lb-name.company.com, which translates to the public LB IP address. As long as the master ASA has a wildcard certificate for *.company.com, the user sees no warnings.
2. The LB master will HTTP-redirect the client to one-of-the-ASAs.company.com. (The ASA must be able to reverse-resolve one of the ASAs' public IPs to one-of-the-ASAs.company.com. If the ASA's DNS resolution points to an internal DNS server, you'll need to make sure those servers have reverse DNS entries for the individual public IPs.)
3. The client reconnects on port 443/HTTPS to one-of-the-ASAs.company.com, which translates to the physical public IP of an individual ASA. As long as that ASA has a wildcard certificate for *.company.com, the user sees no warnings.
If you have an existing wildcard certificate (the private key was generated on another host), you can import the PKCS12 certificate (which includes the private key) to each ASA.
If you don't have an existing wildcard certificate, you can:
- generate a new private key on the first ASA
- create a CSR on the first ASA
- provide the CSR to the CA
- the CA will issue a certificate (base64 format)
- import the CA certificate (base64) and the new certificate (base64) on the first ASA
- export the first ASA's certificate in PKCS12 format
- import the PKCS12-format certificate on the second ASA
Keep in mind that Windows normally uses the PFX format for PKCS12 certificates, while the ASA uses base64 format. If you need to convert from one format to the other, you'll need to use the openssl tool. Here's how to convert base64 to PFX:
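The openssl conversions the answer refers to (PEM/base64 to PFX, the ASA's base64-armoured PKCS12 export to a binary PFX, and back), as an added example that is not part of the original answer. The helper names and the *.company.example wildcard domain are constructed; a real deployment would use the CA-issued certificate and chain instead of the self-signed one in demo.

```shell
#!/bin/sh
# PEM ("base64" in ASA terms) <-> PKCS12/PFX conversions with the openssl CLI.
# Hypothetical helper names; the domain used below is a constructed placeholder.
set -eu

# pem_to_pfx CERT KEY CHAIN OUT.pfx PASSWORD : bundle cert + key + CA chain
pem_to_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name asa-sslvpn -out "$4" -passout "pass:$5"
}

# pfx_to_pem IN.pfx PASSWORD OUT.pem : unpack to PEM (private key unencrypted)
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3"
}

# The ASA exports/imports PKCS12 as base64 text rather than a binary .pfx;
# these turn that text into a binary PFX (for Windows) and back.
asa_b64_to_pfx() { openssl base64 -d -in "$1" -out "$2"; }
pfx_to_asa_b64() { openssl base64 -in "$1" -out "$2"; }

# pfx_subject IN.pfx PASSWORD : subject of the leaf certificate in the bundle
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Round trip on a constructed self-signed wildcard cert; prints the subject
# recovered from the re-decoded PFX so a caller can check nothing was lost.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.company.example" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  cp "$d/cert.pem" "$d/chain.pem"        # self-signed, so chain == cert
  pem_to_pfx "$d/cert.pem" "$d/key.pem" "$d/chain.pem" "$d/asa.pfx" changeme
  pfx_to_asa_b64 "$d/asa.pfx" "$d/asa.b64"
  asa_b64_to_pfx "$d/asa.b64" "$d/back.pfx"
  cmp -s "$d/asa.pfx" "$d/back.pfx" || return 1   # base64 round trip intact
  pfx_to_pem "$d/back.pfx" changeme "$d/back.pem" >/dev/null 2>&1
  grep -q 'PRIVATE KEY' "$d/back.pem" || return 1  # key survived the trip
  pfx_subject "$d/back.pfx" changeme
  rm -rf "$d"
}
```

Run `demo` to see the subject printed after a full PEM -> PFX -> base64 -> PFX -> PEM round trip; use pem_to_pfx on the CA-issued files when preparing the bundle for the second ASA.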