Hey all,

I've got a L2L VPN set up between an ASA and a Router (R3), using rsa-sig
authentication. My tunnel comes up fine, using rsa-sig and traffic between
136.1.121.0/24 (behind ASA) and 136.1.23.0/24 (behind R3) is protected.

On the ASA I've tried to test the certificate map & tunnel-group-map feature,
but my tunnel still comes up, whereas I expected my entries in the certificate
map to filter the peer and prevent the tunnel from coming up. And I can ping
between the two protected subnets.

Here are my related configurations.

On the ASA:

tunnel-group 136.1.123.3 type ipsec-l2l
tunnel-group 136.1.123.3 ipsec-attributes
 trust-point IOSCA

tunnel-group-map enable rules
tunnel-group-map CERT-MAP 10 136.1.123.3

These are the 3 different options I have tried with the certificate map
configuration, but none works:

crypto ca certificate map CERT-MAP 10
 subject-name attr cn co ccie.net

crypto ca certificate map CERT-MAP 10
 subject-name co ccie.net

crypto ca certificate map CERT-MAP 10
 issuer-name eq IOS

Can anyone point out where in my configuration I need to look to fix the
error? Am I getting the syntax wrong? How come my tunnel keeps coming up
when the certificate map has entries that don't match what's in the peer's
certificate?

Here are the certificates from both peers too:

From Router R3:

R3#show crypto ca certif
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=IOSCA
  Subject:
    Name: R3.ccie.com
    hostname=R3.ccie.com
  Validity Date:
    start date: 12:59:36 PST Nov 2 2010
    end   date: 12:52:18 PST Nov 12 2010
  Associated Trustpoints: IOSCA
  Storage: nvram:IOSCA#3.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=IOSCA
  Subject:
    cn=IOSCA
  Validity Date:
    start date: 12:52:18 PST Nov 2 2010
    end   date: 12:52:18 PST Nov 12 2010
  Associated Trustpoints: IOSCA
  Storage: nvram:IOSCA#1CA.cer

R3#



From the ASA:

ASA1# sh crypto ca certif
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOSCA
  Subject Name:
    cn=IOSCA
  Validity Date:
    start date: 12:52:18 PST Nov 2 2010
    end   date: 12:52:18 PST Nov 12 2010
  Associated Trustpoints: IOSCA

Certificate
  Status: Available
  Certificate Serial Number: 04
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOSCA
  Subject Name:
    hostname=ASA1.ccie.com
  Validity Date:
    start date: 15:59:49 PST Nov 2 2010
    end   date: 12:52:18 PST Nov 12 2010
  Associated Trustpoints: IOSCA



Greatly appreciate the help
Mark
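As an added illustration (this is not part of Mark's post and not Cisco code), here is a small Python model of how each rule of a certificate-map entry compares against the subject or issuer DN of the peer certificate that R3 presented above. It uses the four ASA certificate-map operators (eq, ne, co, nc) and the rule that every line of an entry must match for the entry to match. Case-insensitive comparison and the way a missing attribute is treated are modelling assumptions, and the script says nothing about how the ASA selects a tunnel group when no entry matches; it only shows which of the posted entries could ever match R3's certificate fields.

```python
"""
Added example (not from the post): evaluate certificate-map style rules
such as

    crypto ca certificate map CERT-MAP 10
     subject-name attr cn co ccie.net

against a peer certificate's subject and issuer DN.  The sample peer
certificate is constructed from the 'show crypto ca certif' output for R3.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SUBJECT_NAME = "subject-name"
ISSUER_NAME = "issuer-name"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'cn=IOSCA, o=Lab' into {'cn': 'IOSCA', 'o': 'Lab'} (lower-cased keys)."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


@dataclass(frozen=True)
class PeerCert:
    subject: str
    issuer: str


@dataclass(frozen=True)
class Rule:
    field: str                  # SUBJECT_NAME or ISSUER_NAME
    op: str                     # "eq", "ne", "co" or "nc"
    value: str
    attr: Optional[str] = None  # set when the rule uses "attr <name>"


def _compare(op: str, actual: str, expected: str) -> bool:
    # Assumption: comparisons are case-insensitive.
    a, e = actual.lower(), expected.lower()
    if op == "eq":
        return a == e
    if op == "ne":
        return a != e
    if op == "co":
        return e in a
    if op == "nc":
        return e not in a
    raise ValueError(f"unknown operator {op!r}")


def rule_matches(rule: Rule, cert: PeerCert) -> bool:
    """One rule line: whole-DN comparison, or a single attribute when 'attr' is set."""
    dn = cert.subject if rule.field == SUBJECT_NAME else cert.issuer
    if rule.attr is None:
        return _compare(rule.op, dn, rule.value)
    # Modelling assumption: a missing attribute compares as the empty string,
    # so eq/co can never match it while ne/nc always do.
    actual = parse_dn(dn).get(rule.attr.lower(), "")
    return _compare(rule.op, actual, rule.value)


def entry_matches(rules: List[Rule], cert: PeerCert) -> bool:
    """A certificate-map entry matches only when every rule line matches."""
    return all(rule_matches(r, cert) for r in rules)


# Constructed from R3's certificate as shown in the post.
R3_CERT = PeerCert(subject="hostname=R3.ccie.com", issuer="cn=IOSCA")

# The three entries the post tried, plus two that would match R3's fields.
ENTRIES: Dict[str, List[Rule]] = {
    "subject-name attr cn co ccie.net": [Rule(SUBJECT_NAME, "co", "ccie.net", attr="cn")],
    "subject-name co ccie.net": [Rule(SUBJECT_NAME, "co", "ccie.net")],
    "issuer-name eq IOS": [Rule(ISSUER_NAME, "eq", "IOS")],
    "issuer-name attr cn eq IOSCA": [Rule(ISSUER_NAME, "eq", "IOSCA", attr="cn")],
    "subject-name co ccie.com": [Rule(SUBJECT_NAME, "co", "ccie.com")],
}


def evaluate_entries(cert: PeerCert = R3_CERT) -> Dict[str, bool]:
    """Return, per entry, whether it matches the given peer certificate."""
    return {name: entry_matches(rules, cert) for name, rules in ENTRIES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_entries().items():
        print(f"{name:36s} -> {'match' if ok else 'no match'}")
```

Run as-is, the script reports that none of the three posted entries match R3's certificate: the subject has no cn attribute, its domain is ccie.com rather than ccie.net, and the issuer DN is the full string cn=IOSCA rather than the bare value IOS. The two extra entries show rules that do line up with the fields R3 actually presents.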