How to set up a Certificate-Based Remote Access VPN on a Cisco ASA (firewall).
Hi Folks.
To make your network more secure and prevent unauthorized remote VPN connections, we are going to set up a certificate-based remote access VPN on a Cisco ASA. Instead of a shared group password that every user knows, each user authenticates with an X.509 certificate issued by your own CA, and the ASA itself proves its identity to the client with a certificate from the same CA. For this scenario you need a Cisco ASA firewall and a Certificate Authority server. In my example I am using an ASA 5520 and a Microsoft CA server. I will not demonstrate the Microsoft CA configuration, only the ASA 5520 via the command line. So let's begin..
Here is a brief list of what we are going to do:
- Configure a trustpoint on the ASA
- Install the Root CA certificate (in our case from the Microsoft CA)
- Enroll the ASA for a certificate (generate a CSR)
- Import the issued certificate into the ASA
- Convert the remote access VPN to certificate authentication
- Request and install a user certificate on the user's machine
1. Configure Trustpoint:
crypto key generate rsa label vpn.key modulus 2048 ## generate an RSA key pair for the ASA identity certificate (the original used 1024 bits, which is too weak today; 2048 is the minimum)
!
crypto ca trustpoint RootCA ## enter trustpoint configuration mode
subject-name CN=local.domain,OU=XXX ## attributes for the ASA's certificate request (comma separated)
keypair vpn.key ## associate the key pair generated above with the trustpoint (the label must match)
fqdn fw.domain ## FQDN placed in the certificate's SubjectAltName (optional)
enrollment terminal ## manual (cut-and-paste) enrollment
exit
By default the ASA does not check certificate revocation. If your CA publishes a CRL that the firewall can reach, add revocation-check crl under the trustpoint so that a revoked user certificate (lost laptop, departed employee) is rejected instead of silently accepted.
2. Install Root CA certificate:
Open a browser and type the address of the CA server, for example:
http://10.10.10.10/certsrv
The CA web page will open. Select "Download a CA certificate, certificate chain, or CRL".
Choose Base64 and download the CA certificate. When the download has completed, open the file with Notepad and copy its content. Go to the firewall configuration and enter:
crypto ca authenticate RootCA
Paste the copied data into the terminal and finish with the word quit on a line by itself. The ASA displays the fingerprint of the certificate and asks whether you accept it; compare that fingerprint with the one shown on the CA before answering yes, because every VPN certificate from now on is trusted through this one.
3. Enroll and import the ASA certificate:
Now that the Root certificate is installed on the firewall, you need to enroll and install a certificate for the ASA itself.
crypto ca enroll RootCA ## generates a certificate signing request (CSR) for the trustpoint's key pair
The CSR is printed to your terminal. Copy it and open the Root CA web interface again.
This time select "Request a certificate", then "advanced certificate request".
From that page select "Submit a certificate request by ..."
Paste the CSR you copied earlier, select the certificate template and submit the request. Download the issued certificate (Base64 again), open it with Notepad and copy its content. In the firewall terminal enter:
crypto ca import RootCA certificate ## same trustpoint name as above, otherwise the certificate will not be tied to the key pair
Paste the certificate into the terminal and finish with quit. You have now imported the ASA 5520's identity certificate; show crypto ca certificates should list both the CA certificate and the ASA's own certificate under trustpoint RootCA.
4. Configure the VPN:
Now we need to create the VPN connection, or convert an existing pre-shared-key based remote access VPN to certificate authentication. The only IKE change is authentication rsa-sig instead of pre-share; the rest is the usual IKEv1 remote access setup. Go to the firewall configuration terminal:
crypto ipsec transform-set 3des esp-3des esp-sha-hmac ## ESP with 3DES/SHA-1; this is the only transform set the dynamic map uses, so do not add a DES one
crypto isakmp enable outside
crypto isakmp policy 65535
authentication rsa-sig ## certificate (RSA signature) authentication instead of pre-share
encryption 3des
hash sha1
group 2
lifetime 86400
exit
crypto isakmp identity auto ## with rsa-sig the ASA sends its certificate DN as IKE identity
crypto dynamic-map dynmap 10 set transform-set 3des
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
Two remarks. On ASA 8.4 and later these commands are spelled crypto ikev1 enable, crypto ikev1 policy and crypto ipsec ikev1 transform-set. And 3DES, SHA-1 and DH group 2 are here only because the IKEv1 Cisco VPN Client needs them; they are legacy algorithms, so move to AES and stronger groups as soon as your client software allows.
access-list bananapower3d_split standard permit <local network> <mask> ## networks reached through the tunnel (split tunnelling)
group-policy Bananapower3d internal
group-policy Bananapower3d attributes
dns-server value x.x.x.x
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value bananapower3d_split
ip local pool Bananapower3d_pool x.x.x.1-x.x.x.254
tunnel-group Bananapower3d type remote-access
tunnel-group Bananapower3d general-attributes
address-pool Bananapower3d_pool
authentication-server-group ACS ## users still log in (XAUTH) against ACS in addition to presenting a certificate
accounting-server-group ACS
default-group-policy Bananapower3d
tunnel-group Bananapower3d ipsec-attributes
peer-id-validate cert ## validate the peer's IKE identity against its certificate when the certificate supports it
trust-point RootCA ## the identity certificate the ASA presents to the client
crypto ca certificate map Bananapower3d 10
subject-name attr dc co bananapower3d ## match if a DC attribute of the user certificate contains "bananapower3d"
tunnel-group-map enable rules
tunnel-group-map Bananapower3d 10 Bananapower3d ## certificates matching map Bananapower3d sequence 10 are placed in this tunnel-group
Two things to be aware of in the certificate map. First, co is a substring test, so a certificate whose DC is bananapower3d-lab also matches; if you want an exact match use eq, or add a second subject-name rule under the same sequence number (rules under one sequence are ANDed). Second, a certificate that matches no rule does not fail outright: it falls to the default remote access tunnel-group (DefaultRAGroup unless you change it with tunnel-group-map default-group), so make sure that group does not grant more than you intend. Because the tunnel-group keeps authentication-server-group ACS, this setup requires both a valid certificate and a user login; that is the stronger choice, and you should only drop the XAUTH step (isakmp ikev1-user-authentication none under ipsec-attributes) if you deliberately want certificate-only access.
5. Request and install a user certificate:
Now we need a user certificate for the remote user's notebook. Go to the Root CA web page again, then "advanced certificate request" --> "Create and submit a request to this CA". Choose the template as you did before, submit the request and install the certificate. The issued certificate must carry the attribute the certificate map looks for (here a DC value containing bananapower3d); open it in the Windows certificate store and check the Subject field before testing the VPN.
Once the certificate has been installed you can create a new VPN connection to your corporate network. Open the Cisco VPN Client and select "New" to create a new connection. Fill in the VPN parameters, but instead of Group Authentication select Certificate Authentication and choose the user certificate. After you save the configuration, the new connection appears in your connection list. If the connection fails, check the ASA syslog: the usual causes are a certificate the ASA cannot validate against RootCA or one that no certificate map rule matches.
Thanks,
Nuran Afrasiyabov (CCIEV#29273)