Using firewall with a VeriSign CA


This section provides configuration examples showing how to configure interoperability between two firewall units (firewall 1 and firewall 2) for a site-to-site VPN, using the VeriSign CA server for device enrollment, certificate requests, and the digital certificates used for IKE authentication.


Scenario Description

The two VPN peers in the configuration examples enroll with VeriSign at the IP address 209.165.202.130 and obtain their CA certificates from this CA server. VeriSign is a public CA that issues its CA-signed certificates over the Internet. Once each peer has obtained its CA-signed certificate, tunnels can be established between the two VPN peers using digital certificates as the IKE authentication method: the peers authenticate each other dynamically with their certificates instead of a pre-shared key.

VeriSign's actual CA server address is different; the address shown here is for example purposes only.

For the general procedures to configure the firewall for a CA, see "Using Certification Authorities" in "Basic VPN Configuration." This section provides an example configuration for the specific network illustrated in Figure 5-2.

Configuring firewall 1 with a VeriSign CA

Perform the following steps to configure firewall 1 to use a public CA:

  1. Define a host name:
    hostname NewYork

  2. Define the domain name:
    domain-name example.com

  3. Generate the firewall RSA key pair:
    ca generate rsa key 512

    This command is not stored in the configuration. A 512-bit RSA key is far too weak to rely on; generate at least 1024 bits (as firewall 2 does in this example), or the largest size the software supports.

  4. Define VeriSign-related enrollment commands:
    ca identity example.com 209.165.202.130
    ca configure example.com ca 2 100 crloptional

    These commands are stored in the configuration. "2" is the retry period in minutes, "100" is the retry count, and crloptional lets the firewall accept a peer's certificate even when it cannot retrieve the CRL. That means a revoked certificate is still accepted whenever the CRL is unreachable; remove crloptional once the CA's CRL is reachable from the firewall.

  5. Authenticate the CA by obtaining its public key and its certificate:
    ca authenticate example.com

    This command is not stored in the configuration. The CA certificate is fetched over an unauthenticated HTTP (SCEP) connection, so compare the fingerprint the command displays with the value published by the CA before continuing; every certificate accepted from now on is trusted through this one.

  6. Request signed certificates from the CA for the firewall's RSA key pair. Before entering this command, contact the CA administrator because they will have to authenticate the firewall manually before granting its certificate.
    ca enroll example.com abcdef

    "abcdef" is the challenge password. It can be any string, but record it and keep it secret: the CA requires it if the firewall's certificate ever has to be revoked. This command is not stored in the configuration.

  7. Verify that the enrollment process was successful using the show ca certificate command:
    show ca certificate

  8. Save keys and certificates, and the CA commands (except those indicated) in Flash memory:
    ca save all
    write memory

    Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.

  9. Create a net static:
    static (inside,outside) 192.168.12.0 192.168.12.0

  10. Configure an IKE policy that authenticates the peers with RSA signatures (certificates):
    isakmp enable outside
    isakmp policy 8 authentication rsa-sig

  11. Create the access list that identifies the traffic to be protected by the tunnel (the crypto access list):
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

  12. Configure a transform set that defines how the traffic will be protected:
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

    Both peers must offer a matching transform set. 3DES was the strongest cipher available on this platform but is now deprecated; use AES where the software version supports it.

  13. Define a crypto map:
    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229

  14. Apply the crypto map to the outside interface:
    crypto map toSanJose interface outside

  15. Tell the firewall to implicitly permit IPsec traffic:
    sysopt connection permit-ipsec

    This bypasses the access lists and conduits on the outside interface for any packet that arrives through an IPsec tunnel, so the crypto access list and the peer's certificate become the only controls on that traffic. Keep the crypto access list as narrow as the design allows.

Example 5-3 lists the configuration for firewall 1. Firewall default configuration values and certain CA commands (those noted above as not stored) are not displayed in configuration listings. The listing still contains the factory-default enable and Telnet password hashes and the default SNMP community string; change all three on a production firewall.

Example 5-3: firewall 1 with Public CA

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NewYork
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat 0 access-list 90
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
no rip outside passive
no rip outside default
rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose interface outside
isakmp enable outside
isakmp policy 8 encryption 3des
ca identity example.com 209.165.202.130:cgi-bin/pkiclient.exe
ca configure example.com ca 2 100 crloptional
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80


Configuring firewall 2 with a VeriSign CA

The following steps are nearly the same as those in the previous section "Configuring firewall 1 with a VeriSign CA". The differences are in Step 1 (host name), Steps 3 and 4 (key size and CA retry values), Step 9 (static), Step 11 (access list), and Steps 13 and 14 (crypto map), which are specific to firewall 2 in this example.

  1. Define a host name:
    hostname SanJose

  2. Define the domain name:
    domain-name example.com

  3. Generate the firewall RSA key pair:
    ca generate rsa key 1024

    This command is not stored in the configuration.

  4. Define VeriSign-related enrollment commands:
    ca identity example.com 209.165.202.130
    ca configure example.com ca 1 20 crloptional

    These commands are stored in the configuration. "1" is the retry period in minutes, "20" is the retry count, and crloptional lets the firewall accept a peer's certificate even when it cannot retrieve the CRL, so a revoked certificate is still accepted whenever the CRL is unreachable.

  5. Authenticate the CA by obtaining its public key and its certificate:
    ca authenticate example.com

    This command is not stored in the configuration. Compare the fingerprint the command displays with the value published by the CA before continuing.

  6. Request signed certificates from the CA for the firewall's RSA key pair:
    ca enroll example.com abcdef

    Before entering this command, contact the CA administrator because they will have to authenticate the firewall manually before granting its certificate.

    "abcdef" is the challenge password. It can be any string, but record it and keep it secret: the CA requires it if the firewall's certificate ever has to be revoked. This command is not stored in the configuration.

  7. Verify that the enrollment process was successful using the following command:
    show ca certificate

  8. Save keys and certificates, and the CA commands (except those indicated) in Flash memory:
    ca save all
    write memory

    Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.

  9. Create a net static:
    static (inside,outside) 10.0.0.0 10.0.0.0

  10. Configure an IKE policy that authenticates the peers with RSA signatures (certificates):
    isakmp enable outside
    isakmp policy 8 authentication rsa-sig

  11. Create the access list that identifies the traffic to be protected by the tunnel; it must be the mirror image of firewall 1's access list 90:
    access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0

  12. Configure a transform set that defines how the traffic will be protected; it must match the transform set offered by firewall 1:
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

  13. Define a crypto map:
    crypto map newyork 10 ipsec-isakmp
    crypto map newyork 10 match address 80
    crypto map newyork 10 set transform-set strong
    crypto map newyork 10 set peer 209.165.201.8

  14. Apply the crypto map to the outside interface:
    crypto map newyork interface outside

  15. Tell the firewall to implicitly permit IPSec traffic:
    sysopt connection permit-ipsec

Example 5-4 lists the configuration for firewall 2. Firewall default configuration values and certain CA commands are not displayed in a configuration listing.

Example 5-4: firewall 2 CA Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 perimeter security40
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu perimeter 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.0.0.0
ip address dmz 192.168.101.1 255.255.255.0
ip address perimeter 192.168.102.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address perimeter 0.0.0.0
arp timeout 14400
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat 0 access-list 80
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
no rip perimeter passive
no rip perimeter default
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set peer 209.165.201.8
crypto map newyork 10 set transform-set strong
crypto map newyork interface outside
isakmp enable outside
isakmp policy 8 encryption 3des
ca identity example.com 209.165.202.130:cgi-bin/pkiclient.exe
ca configure example.com ca 1 20 crloptional
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80
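The two listings have to agree with each other in several places that the firewall itself never checks: each crypto map must be applied to the outside interface under the name it was defined with, each peer address must be the other unit's outside address, the crypto access lists must mirror each other, and the transform sets must match. A leftover isakmp key or a crloptional that never gets removed is equally easy to overlook. The following script, an added example that is not part of the original document, lints a pair of configurations for exactly these points. The embedded configurations are constructed from Examples 5-3 and 5-4; the firewall 2 copy is deliberately typed with the wrong map name in Step 14 and with a stale pre-shared key, so the lint has something to find.

```python
"""Added example: lint a pair of PIX site-to-site IPsec configurations for the
mistakes that silently break a certificate-authenticated tunnel."""
import ipaddress

# Constructed sample input: the tunnel-relevant lines of Example 5-3.
FW1 = """\
hostname NewYork
ip address outside 209.165.201.8 255.255.255.224
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose interface outside
isakmp enable outside
isakmp policy 8 encryption 3des
ca identity example.com 209.165.202.130:cgi-bin/pkiclient.exe
ca configure example.com ca 2 100 crloptional
"""

# Constructed sample input: Example 5-4 as it would look if Step 14 were typed
# with the wrong map name and a pre-shared key were left behind.
FW2_BROKEN = """\
hostname SanJose
ip address outside 209.165.200.229 255.255.255.224
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set peer 209.165.201.8
crypto map newyork 10 set transform-set strong
crypto map toSanJose interface outside
isakmp enable outside
isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255
isakmp policy 8 encryption 3des
ca identity example.com 209.165.202.130:cgi-bin/pkiclient.exe
ca configure example.com ca 1 20 crloptional
"""

# The same unit with the map name corrected, the key removed and crloptional dropped.
FW2_FIXED = (FW2_BROKEN
             .replace("crypto map toSanJose interface outside",
                      "crypto map newyork interface outside")
             .replace("isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255\n", "")
             .replace("crloptional", ""))


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Extract the pieces of a PIX configuration that matter for one tunnel."""
    d = {"hostname": "?", "outside_ip": None, "acl": {}, "ts": {}, "maps": {},
         "applied": {}, "psk": [], "ca": False, "crloptional": False}
    for line in cfg.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "hostname":
            d["hostname"] = p[1]
        elif p[:3] == ["ip", "address", "outside"]:
            d["outside_ip"] = p[3]
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            d["acl"].setdefault(p[1], set()).add((_net(p[4], p[5]), _net(p[6], p[7])))
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            d["ts"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"] and p[3] == "interface":
            d["applied"][p[4]] = p[2]            # interface -> map name
        elif p[:2] == ["crypto", "map"]:
            entry = d["maps"].setdefault((p[2], int(p[3])), {})
            if p[4:6] == ["match", "address"]:
                entry["acl"] = p[6]
            elif p[4:6] == ["set", "peer"]:
                entry["peer"] = p[6]
            elif p[4:6] == ["set", "transform-set"]:
                entry["ts"] = p[6]
        elif p[:2] == ["isakmp", "key"]:
            d["psk"].append(p[4])                # peer address the key is bound to
        elif p[:2] == ["ca", "configure"]:
            d["ca"] = True
            d["crloptional"] = "crloptional" in p
    return d


def lint_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for me, other in ((a, b), (b, a)):
        h = me["hostname"]
        applied = me["applied"].get("outside")
        defined = {name for name, _ in me["maps"]}
        if applied not in defined:
            findings.append(f"{h}: crypto map '{applied}' applied to outside, but defined map(s) are {sorted(defined)}")
        if me["ca"] and me["psk"]:
            findings.append(f"{h}: isakmp key for {me['psk']} alongside CA enrollment; unused under rsa-sig and leaks a secret")
        if me["crloptional"]:
            findings.append(f"{h}: crloptional set; a revoked peer certificate is accepted whenever the CRL cannot be fetched")
        for (name, seq), e in me["maps"].items():
            tag = f"{h}: crypto map {name} {seq}"
            if e.get("peer") != other["outside_ip"]:
                findings.append(f"{tag}: peer {e.get('peer')} is not {other['hostname']}'s outside address {other['outside_ip']}")
            back = [x for x in other["maps"].values() if x.get("peer") == me["outside_ip"]]
            if not back:
                findings.append(f"{tag}: no entry on {other['hostname']} points back to {me['outside_ip']}")
                continue
            far = back[0]
            mine = me["acl"].get(e.get("acl"), set())
            theirs = {(dst, src) for src, dst in other["acl"].get(far.get("acl"), set())}
            if mine != theirs:
                findings.append(f"{tag}: access-list {e.get('acl')} is not the mirror of {other['hostname']} access-list {far.get('acl')}")
            if me["ts"].get(e.get("ts")) != other["ts"].get(far.get("ts")):
                findings.append(f"{tag}: transform-set {e.get('ts')} differs from {other['hostname']}'s {far.get('ts')}")
    return findings


if __name__ == "__main__":
    for f in lint_pair(FW1, FW2_BROKEN):
        print(f)
```

Run against the broken pair the script reports the misapplied map and the stale key on SanJose plus crloptional on both units; against FW2_FIXED only NewYork's crloptional remains. The mirror check compares networks, not text, so an access list written with an equivalent mask on one side still passes.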