Piotr,

Does it mean that the ASA CA server has been implemented as a complement to its own WebVPN feature? The ASA CA server can also be used to generate certificates for any users to authenticate with applications other than ASA WebVPN, can't it?

We need some web service for the CA service. In IOS, we use the http server web service, not WebVPN. But in ASA, we don't use the http service but rather the WebVPN web service. Just wondering why Cisco didn't use the http server web service. If I need a CA server alone for issuing identity certificates, why would I need to run WebVPN? For example, if I need a certificate for EAP-TLS or EAP-FAST authentication, I just need a CA server, not WebVPN.

With regards
Kings

On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
> What's the ASA CA purpose? To give out certificates for SSL (clientless and
> full client), right? In both cases you need webvpn to be enabled.
>
> Regards,
> Piotr
>
> 2011/9/6 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> Great, that made it work.
>>
>> But why do we need webvpn to be enabled? Is the CA server embedded with the WebVPN
>> service?
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi Kings,
>>>
>>> You need WebVPN to be enabled for that.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>
>>>> Hi Piotr
>>>>
>>>> I don't have webvpn configured? I get the same log message even when I
>>>> use the IP address. Do we need http server enabled? I tried enabling http server
>>>> too and that didn't work for me.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Hi Kings,
>>>>>
>>>>> Did you enable webvpn on the outside?
>>>>> You can connect using the IP address as well.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> I have configured the ASA as a CA server, and when I try to access the
>>>>>> enrollment URL, I get the following logs. From the log reference for 710005,
>>>>>> I think the CA server service is not running.
>>>>>>
>>>>>> I am trying to access the enrollment URL using the host name
>>>>>> https://asa2/+CSCOCA+/enroll.html and have defined the hostname-to-IP
>>>>>> address mapping in the hosts file. I remember we can only access it using the
>>>>>> hostname, not the IP address.
>>>>>>
>>>>>> Any thoughts?
>>>>>>
>>>>>> *Config*
>>>>>>
>>>>>> crypto ca server
>>>>>>  subject-name-default cn=ca
>>>>>>  smtp from-address [email protected]
>>>>>>
>>>>>> *Logs*
>>>>>>
>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>
>>>>>> Snippet from
>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>
>>>>>> 710005
>>>>>>
>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from
>>>>>> *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>
>>>>>> Explanation This message appears when the Cisco ASA does not have
>>>>>> a UDP server that services the UDP request. The message can also indicate a
>>>>>> TCP packet that does not belong to any session on the Cisco ASA. In
>>>>>> addition, this message appears (with the service *snmp*) when the
>>>>>> Cisco ASA receives an SNMP request with an empty payload, even if it is from
>>>>>> an authorized host. When the service is *snmp*, this message occurs a
>>>>>> maximum of 1 time every 10 seconds so that the log receiver is not
>>>>>> overwhelmed.
>>>>>>
>>>>>> Recommended Action In networks that heavily utilize broadcasting
>>>>>> services such as DHCP, RIP or NetBios, the frequency of this message can be
>>>>>> high. If this message appears in excessive number, it may indicate an
>>>>>> attack.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>> www.PlatinumPlacement.com
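The point the thread settles on, as an added example that is not part of the original mail exchange: the ASA local CA's enrollment page (the +CSCOCA+ URL) is served by the WebVPN listener, so a 710005 "TCP request discarded" for port 443 on the interface the client uses means there is simply no listener there, not that the CA is broken. The fragment below is standard ASA CLI; the interface name "outside" and the inclusion of "no shutdown" are assumptions, and Kings' own snippet from the thread is reproduced as the starting point.

```text
! Added example, not configuration from the thread.
! Starting point (Kings' snippet): the local CA is defined, but nothing serves
! port 443 on the interface the enrollment client reaches, so the ASA logs
! 710005 / 710003 for the connection attempt.
crypto ca server
 subject-name-default cn=ca
 smtp from-address [email protected]
 no shutdown                 ! starts the CA (assumed present; prompts for the
                             ! database passphrase on first use)

! Fix: enable the WebVPN web service on the interface the clients connect to.
! "outside" is an assumption; use whichever interface the enrollment clients reach.
webvpn
 enable outside

! Verification (ASA show commands):
!   show crypto ca server          -> the Certificate Server should report enabled
!   show running-config webvpn     -> should list "enable outside"
```

Design note for a deployment that only needs a CA and not remote-access VPN: "enable <interface>" under webvpn is per interface, so the listener can be put on an inside or management interface that the enrolling hosts reach, instead of exposing an SSL VPN portal on the Internet-facing interface solely to hand out certificates.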
