2. Cisco ASA AnyConnect Self-Signed Certificate


By default the Cisco ASA firewall has a self-signed certificate that is regenerated every time you reboot it. This is an issue when you use SSL VPN, because your users' web browsers will give a warning every time they see an untrusted certificate. In another lesson, where I explained how to configure AnyConnect remote access VPN, you can see these errors when the remote user connects to the ASA. To fix this problem we have two options:

  • Purchase and install an SSL certificate on the ASA from a trusted CA.
  • Generate a self signed SSL certificate on the ASA and export it to your user’s computer.

The first option is the best one: you buy an SSL certificate from a provider like Verisign, Entrust, GoDaddy, etc. and install it on the ASA. Web browsers ship with a lot of pre-installed root CA certificates from these providers, so when you get an SSL certificate from them your browser will show it as trusted. This is great because you don't have to do anything on the user's computer.

If you don't want to buy an SSL certificate then we can use the second option. We will generate an SSL certificate on the ASA and self-sign it. This certificate is permanent, so it doesn't disappear when you reboot the ASA; the problem however is that you have to export it and import it on each of your remote users' computers.

That’s what we will do in this lesson…we will generate the SSL certificate, self-sign it and then export and import it on a remote user’s computer. This is the topology I will use:

ASA1 outside remote ssl vpn user

The ASA is connected to a remote user on its outside interface. The user’s computer will run Windows 7. Let’s get started shall we?

1. ASA Configuration

There are a number of requirements when we work with certificates. First of all we need to configure the correct time, date, assign a hostname and domain name:

ciscoasa(config)# clock set 13:48:00 10 Dec 2014

The clock command will work but using NTP to keep your time synchronized would be better. Let’s configure a hostname:

ciscoasa(config)# hostname ASA1
ASA1(config)#

I’ll call my device “ASA1”. Now we configure a domain name:

ASA1(config)# domain-name NETWORKLESSONS.LOCAL

The domain name will be “NETWORKLESSONS.LOCAL”.

The FQDN (Fully Qualified Domain Name) of the ASA is now ASA1.NETWORKLESSONS.LOCAL. When a remote user opens the web browser they need to use the FQDN to reach the ASA. If you use the IP address you will still get a certificate error!

In PKI (Public Key Infrastructure) we need to have keys…a public and a private key. When we generate an RSA key pair on the ASA it creates both of them at once. The public key can be shared with anyone and is used to encrypt messages or to verify signatures made with the private key, which never leaves the ASA. Here's how to generate the keys:

ASA1(config)# crypto key generate rsa label MY_RSA_KEY modulus 1024
INFO: The name for the keys will be: MY_RSA_KEY
Keypair generation process begin. Please wait...

The key pair is called “MY_RSA_KEY”. You can see them here:

ASA1(config)# show crypto key mypubkey rsa | begin MY_RSA_KEY
Key name: MY_RSA_KEY
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ac99a2 
  2fc2907a 1e86ddf4 503dc102 72611d80 77ed5762 a857b297 ee609520 469c2dbe 
  f50c5ce1 ac39cba1 998f9504 93f8bfbd ddfaadf7 0cc1f322 f20a24b0 db7fd9e5 
  61a024d1 9f6f5380 562e7848 017e0f88 167732c5 aef50f80 e6431420 0745b9f4 
  9217f9df 31ca5a2f 05fe6af6 efb388d4 24a22355 7112458f c20f022f 7f020301 
  0001

We now have to create a “trustpoint”. The trustpoint is a container where certificates are stored. This is where we configure parameters like the FQDN, subject name, keypair, etc:

ASA1(config)# crypto ca trustpoint SELF_TRUSTPOINT
ASA1(config-ca-trustpoint)# enrollment self
ASA1(config-ca-trustpoint)# fqdn ASA1.NETWORKLESSONS.LOCAL
ASA1(config-ca-trustpoint)# subject-name CN=ASA1.NETWORKLESSONS.LOCAL
ASA1(config-ca-trustpoint)# keypair MY_RSA_KEY

The trustpoint is called “SELF_TRUSTPOINT” and the enrollment self command means that the ASA will sign its own certificates. The certificate will be assigned to ASA1.NETWORKLESSONS.LOCAL. We will use the RSA keypair that we just generated. We can now enroll the actual certificate:

ASA1(config)# crypto ca enroll SELF_TRUSTPOINT

% The fully-qualified domain name in the certificate will be: ASA1.NETWORKLESSONS.LOCAL

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes

The certificate is now enrolled. We can see it here:

ASA1(config)# show crypto ca certificates 
Certificate
  Status: Available
  Certificate Serial Number: 370d8754
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Subject Name:
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Validity Date: 
    start date: 14:03:52 UTC Dec 10 2014
    end   date: 14:03:52 UTC Dec 7 2024
  Associated Trustpoints: SELF_TRUSTPOINT

The Issuer name (this is the CA) is the same as the Subject name because the ASA signed its own certificate. The certificate is ready but we still have to enable the trustpoint on the outside interface (where the SSL users terminate):

ASA1(config)# ssl trust-point SELF_TRUSTPOINT outside

We can now export the certificate so that we can import it on the user’s computer:

ASA1(config)# crypto ca export SELF_TRUSTPOINT identity-certificate 

The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Copy and paste this into a text editor in its entirety, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Save the file with a .pem extension. My file is called cert.pem.
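Before a certificate goes into anyone's Trusted Root store it is worth checking that the file you just saved really is the ASA's self-signed certificate and that it carries the name users will type. The following PowerShell script is an added example, not part of the original lesson; it assumes the exported text was saved as .\cert.pem and that the trustpoint FQDN is ASA1.NETWORKLESSONS.LOCAL (both are parameters). It also flags the 1024-bit RSA key and SHA-1 signature shown in the `show crypto ca certificates` output above, since many current browsers and TLS libraries refuse those; if it does, regenerate the key with a larger modulus and re-enroll before distributing the certificate.

```powershell
# Added example, not part of the original lesson: inspect the certificate exported with
# 'crypto ca export SELF_TRUSTPOINT identity-certificate' before it is trusted anywhere.
# Assumptions: the PEM text was saved as .\cert.pem and the FQDN configured on the
# trustpoint is ASA1.NETWORKLESSONS.LOCAL (both are this script's defaults).
param(
    [string]$CertPath = ".\cert.pem",
    [string]$ExpectedFqdn = "ASA1.NETWORKLESSONS.LOCAL"
)

# X509Certificate2 reads DER and Base64/PEM files alike.
$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

$problems = @()

# 1. A self-signed certificate has Issuer == Subject, as 'show crypto ca certificates' showed.
if ($cert.Subject -ne $cert.Issuer) {
    $problems += "Issuer '$($cert.Issuer)' differs from Subject '$($cert.Subject)': not a self-signed ASA certificate."
}

# 2. Collect every name the certificate carries: the CN from the subject plus any
#    Subject Alternative Name entries (OID 2.5.29.17), which is where the fqdn ends up.
$names = @()
$names += (($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', '')
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
foreach ($ext in $sanExt) {
    # Format() renders e.g. "DNS Name=ASA1.NETWORKLESSONS.LOCAL, IP Address=10.10.10.1"
    $names += ($ext.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
}
if (-not ($names | Where-Object { $_ -ieq $ExpectedFqdn })) {
    $problems += "Names [$($names -join ', ')] do not include $ExpectedFqdn; browsers will still warn."
}

# 3. Key size and signature hash. The lesson's 1024-bit RSA / SHA-1 combination is what
#    many current browsers and TLS libraries refuse; regenerate with a larger modulus if so.
$keyBits = $cert.PublicKey.Key.KeySize
if ($keyBits -lt 2048) { $problems += "RSA key is only $keyBits bits." }
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match '(?i)sha1|md5') { $problems += "Signature algorithm $sigAlg is deprecated." }

# 4. Validity window as seen from this machine's clock.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter)); check the ASA clock."
}

[pscustomobject]@{
    File       = $path
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint   # compare this out-of-band with the ASA before importing
    KeyBits    = $keyBits
    SigAlg     = $sigAlg
    NotAfter   = $cert.NotAfter
    Problems   = $problems
}
```

Run it as `.\Check-AsaCert.ps1 -CertPath .\cert.pem` (the script name is my choice). An empty `Problems` list means the file is the ASA's own certificate for the expected name; the printed thumbprint is what you would read back to the ASA administrator to confirm the file was not altered in transit.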

2. Client Configuration

We are now ready to import the certificate on the user’s computer. I’ll be using Windows 7 for this. Click on the Start button, click on Run and enter “certmgr.msc”. This will open the certificate manager and you will see the following screen:

certmgr

Here's where you can manage all certificates on your Windows 7 computer. The certificate from the ASA should be imported into the Trusted Root Certification Authorities:

certmgr import certificate

Use a right-mouse click on Trusted Root Certification Authorities, select All Tasks and then choose Import. You will see the following screen:

certmgr welcome import certificate

Click on Next and you will see this screen:

certmgr certificate import wizard

Select the cert.pem file and click Next. Here’s what you will see:

certmgr certificate import wizard store

Make sure you have selected the Trusted Root Certification Authorities or the certificate will end up in the wrong folder. Click Next to continue and this is what you get:

certmgr certificate import wizard complete

After the import has completed, click Finish. You will receive a warning:

certmgr security warning

The security warning asks us if we really want to install the certificate…sure we do! Click Yes to continue and it will be done:

certmgr import successful

Click OK to finish this and you will see the certificate in the overview:

certmgr asa certificate

Great, the certificate has been imported. Now we need to make sure that we access the ASA using its FQDN (ASA1.NETWORKLESSONS.LOCAL) and not by its IP address. If you don’t have a DNS server then you can change your hosts file so that Windows 7 knows how to reach the FQDN. Click on Start, Run and then enter this:

notepad c:\windows\system32\drivers\etc\hosts

Don’t just hit ENTER but use CTRL+SHIFT+ENTER. This will run the command above with administrator rights. If you don’t, you will be unable to save the hosts file.

You can add a line like this:

10.10.10.1		ASA1.NETWORKLESSONS.LOCAL

Save the file and exit notepad. Whenever we try to reach ASA1.NETWORKLESSONS.LOCAL, Windows 7 knows that it is reachable on IP address 10.10.10.1. Open your web browser now and enter “HTTPS://ASA1.NETWORKLESSONS.LOCAL” as the URL. This is what you will see:

Cisco ASA https certificate

The web browser now trusts the certificate; it doesn't show us any certificate errors anymore!
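The certmgr.msc wizard and the hosts-file edit above can also be scripted, which helps once there is more than a handful of remote users. The following PowerShell script is an added example and not part of the original lesson: it imports cert.pem into the current user's Trusted Root Certification Authorities store, adds the hosts entry, and then opens a TLS session to the FQDN to confirm that the ASA really presents the imported certificate and that Windows now trusts it by that name. It assumes the file is .\cert.pem, the outside address is 10.10.10.1 and the FQDN is ASA1.NETWORKLESSONS.LOCAL, all of which are parameters.

```powershell
# Added example, not part of the original lesson: the scripted equivalent of the certmgr.msc
# import and the hosts-file edit, followed by a check that the ASA actually presents the
# imported certificate on its outside interface.
# Assumptions: .\cert.pem is the certificate exported from the ASA, the outside address is
# 10.10.10.1 and the FQDN is ASA1.NETWORKLESSONS.LOCAL. Run from an elevated PowerShell
# prompt, since the hosts file can only be written with administrator rights.
param(
    [string]$CertPath = ".\cert.pem",
    [string]$AsaIp    = "10.10.10.1",
    [string]$Fqdn     = "ASA1.NETWORKLESSONS.LOCAL"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $CertPath).Path

# 1. Import into the current user's Trusted Root Certification Authorities store, the folder
#    the wizard asked for. Windows shows the same security warning as the wizard did; use
#    "LocalMachine" instead of "CurrentUser" to trust the ASA for every account on the box.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
$store.Open("ReadWrite")
$already = $store.Certificates.Find("FindByThumbprint", $cert.Thumbprint, $false)
if ($already.Count -eq 0) { $store.Add($cert) }
$store.Close()

# 2. Map the FQDN to the outside address when there is no DNS record for it. The certificate
#    is only trusted when the browser is pointed at the FQDN, never at the bare IP address.
$hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$pattern = '^\s*\S+\s+' + [regex]::Escape($Fqdn) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value ("`r`n" + $AsaIp + "`t" + $Fqdn)
}

# 3. Open a TLS session to the FQDN and record what the ASA presents. The validation callback
#    stores the chain result instead of being used to blindly accept any certificate.
$seen = @{ Cert = $null; Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $seen.Errors = $errors
    return $true    # let the handshake finish; the verdict is computed below, not here
}
$client = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($Fqdn) }
finally { $ssl.Dispose(); $client.Close() }

$report = [pscustomobject]@{
    ImportedThumbprint = $cert.Thumbprint
    ServedThumbprint   = $seen.Cert.Thumbprint
    ServedMatchesFile  = ($seen.Cert.Thumbprint -eq $cert.Thumbprint)
    ChainErrors        = $seen.Errors     # "None" means Windows now trusts the ASA by this name
}
$report
if (-not $report.ServedMatchesFile) {
    Write-Warning "The ASA presented a different certificate; check 'ssl trust-point SELF_TRUSTPOINT outside'."
}
if ($seen.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Windows still reports $($seen.Errors); confirm the import landed in Trusted Root and that the name used matches the certificate."
}
```

The two warnings correspond to the two things that usually go wrong: the trustpoint was never bound to the outside interface, so the ASA still serves its reboot-generated certificate, or the certificate landed in the wrong store (or the user connected by IP address), so the browser keeps warning. Connecting with `$Fqdn` in both the TCP connect and `AuthenticateAsClient` is deliberate; that is the name the chain is checked against, exactly as the browser does it.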

This method works, but it might be cumbersome if you have many remote users to support. In another lesson we will take a look at how we can request a certificate from a trusted CA so that you don't have to import the certificate manually on all your users' computers.

For now, I hope this lesson has been useful to understand the ASA's self-signing option. If you have any questions just leave a comment.
