Thanks, Tyson.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Tyson Scott
Sent: 26 August 2010 07:08 AM
To: 'Mack, David A (Dave)'; 'OSL Security'
Subject: Re: [OSL | CCIE_Security] Digital Cert "Lifeline"
I am not sure of a good document, but the following always helps me if I
can't remember an option on the ASA: show run all <what I want to see>. And
then, if you are not sure, do a crypto map 1 1 set ? to see what is most
likely needed.
ASA1(config)# crypto map 1 1 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  inheritance           Specify inheritance(data or acl rule) to be used while
                        initiating a connection based on this entry
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  phase1-mode           Specify mode(main or aggressive) to be used while
                        initiating a connection based on this entry
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  transform-set         Specify list of transform sets in priority order
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry

ASA1(config)# sh run all tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth
ASA1(config)#
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Wednesday, August 25, 2010 10:37 PM
To: OSL Security
Subject: [OSL | CCIE_Security] Digital Cert "Lifeline"
Hello All!
As I work through my labs, I am reminded time and again that I can't
memorize everything. I prefer to use memory since it is much faster than CCO,
but there is only so much that I can keep in my head at one time. For many
topics, I fall back to CCO to point me in the right direction and provide a
sanity check. One topic that I have found that not only CCO, but even the
best books out there, don't cover well is IPSec VPNs with Digital Certs for
Authentication (and Authorization). For the most part they cover PSKs and
then wave hands about Certs. Perhaps some of the workbooks cover it as part
of the solutions for a given task, but then it is buried in a lab someplace.
So my question is, does anyone know where to find in the config guides,
examples, or feature guides a "lifeline" for the following scenarios with
only the docs we are allowed in the lab?
Digital Certs (VPN Configuration only. IOS PKI server and ASA/IOS clients
are easily found)
  ASA
    Remote Access
    Lan to Lan
  IOS
    Remote Access
    Lan to Lan
My frustration comes from trying to configure L2L between 2 ASAs and trying
to find where in writing I am told to configure a trustpoint under both the
Crypto-map and tunnel-group!
TIA!
Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
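An added example, not from either mail above nor from any IPexpert material, of the ASA-to-ASA L2L pieces Dave asks about, with the trustpoint set in both places: the crypto map's trustpoint is what the ASA presents when it initiates (as the `?` help text above says), and the tunnel-group's trust-point is what it presents when it responds (per the ASA command reference). Uses the same pre-8.4 IKEv1 syntax as the `show run all` output above; the trustpoint label, ACL, map name, networks and peer address are all constructed.

```cisco
! Constructed example: certificate-authenticated IKEv1 L2L on one ASA.
! Names and addresses are made up; enrollment with the CA is assumed done.
crypto ca trustpoint CA-TP
 enrollment terminal
 subject-name CN=asa1.example.com
 crl configure
! Phase 1: RSA signatures instead of a pre-shared key
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Interesting traffic and the Phase 2 proposal
access-list L2L-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Placement 1: the crypto map entry names the certificate this ASA
! presents when it INITIATES the tunnel
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set trustpoint CA-TP
crypto map OUTSIDE-MAP interface outside
! Placement 2: the L2L tunnel-group names the certificate this ASA
! presents when it RESPONDS; left out, the group keeps the
! "no trust-point" default shown in the show run all output above
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point CA-TP
 peer-id-validate req
```

The peer ASA needs the mirror image (its own trustpoint under both its crypto map entry and its tunnel-group for this ASA's address), and both certificates must chain to a CA each side trusts, or Phase 1 fails in only one direction depending on who initiates.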