
ASA Certificate Maps & tunnel-group-map configuration
Hey all,
I've got an L2L VPN set up between an ASA and a router, using rsa-sig authentication. For reference, I'm using the layout as depicted in the "Remote Access VPN" labs in Workbook Vol I. My tunnel comes up fine, using rsa-sig, and traffic between 136.1.121.0/24 (behind ASA) and 136.1.23.0/24 (behind R3) is protected.
On the ASA I've tried to test the certificate map & tunnel-group-map feature but my tunnel still comes up when I expect my entries in the certificate map will filter the peer and prevent the tunnel from coming up. Here are my related configurations.
On the ASA:
tunnel-group 136.1.123.3 type ipsec-l2l
tunnel-group 136.1.123.3 ipsec-attributes
trust-point IOSCA
tunnel-group-map enable rules
tunnel-group-map CERT-MAP 10 136.1.123.3
These are the 3 different options I have tried with the certificate map configuration, but none works:
crypto ca certificate map CERT-MAP 10
subject-name attr cn co ccie.net
crypto ca certificate map CERT-MAP 10
subject-name co ccie.net
crypto ca certificate map CERT-MAP 10
issuer-name eq IOS
Can anyone point out where in my configuration I need to look to fix the error? Am I getting the syntax wrong? How come my tunnel keeps coming up when the certificate map has entries that don't match what's in the peer's certificate?
Here are the certificates from both peers too:
From Router R3
R3#show crypto ca certif
Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=IOSCA
Subject:
Name: R3.ccie.com
hostname=R3.ccie.com
Validity Date:
start date: 12:59:36 PST Nov 2 2010
end date: 12:52:18 PST Nov 12 2010
Associated Trustpoints: IOSCA
Storage: nvram:IOSCA#3.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=IOSCA
Subject:
cn=IOSCA
Validity Date:
start date: 12:52:18 PST Nov 2 2010
end date: 12:52:18 PST Nov 12 2010
Associated Trustpoints: IOSCA
Storage: nvram:IOSCA#1CA.cer
R3#
From the ASA:
ASA1# sh crypto ca certif
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOSCA
Subject Name:
cn=IOSCA
Validity Date:
start date: 12:52:18 PST Nov 2 2010
end date: 12:52:18 PST Nov 12 2010
Associated Trustpoints: IOSCA
Certificate
Status: Available
Certificate Serial Number: 04
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOSCA
Subject Name:
hostname=ASA1.ccie.com
Validity Date:
start date: 15:59:49 PST Nov 2 2010
end date: 12:52:18 PST Nov 12 2010
Associated Trustpoints: IOSCA
Greatly appreciate the help
Wendal
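As an added check (not part of Wendal's post and not the ASA's own code), this script applies the three certificate-map rule lines from the post to the subject and issuer DNs shown in R3's identity certificate output; the eq/ne/co/nc semantics and case-insensitive comparison are assumptions modelled on the documented ASA operators, and the DN strings are taken from the posted output.

```python
# Added check: evaluates the three certificate-map rules from the post against
# the DN values shown in R3's 'show crypto ca certificate' output.
# Not the ASA's code; the eq/ne/co/nc semantics and case-insensitive matching
# are assumptions modelled on how the ASA documents these operators.
import re

# Constructed from the post: subject/issuer DNs of R3's identity certificate.
R3_CERT = {"subject": "hostname=R3.ccie.com", "issuer": "cn=IOSCA"}

def dn_attrs(dn):
    """Split 'cn=IOSCA,o=Lab' into {'cn': 'IOSCA', 'o': 'Lab'} (lower-case keys)."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
    return attrs

def match_rule(field, attr, op, value, cert):
    """Evaluate one rule line. field: 'subject-name'/'issuer-name'; attr: e.g. 'cn' or None."""
    dn = cert["subject" if field == "subject-name" else "issuer"]
    # 'attr X' compares against that single attribute; otherwise the whole DN string.
    target = dn_attrs(dn).get(attr.lower()) if attr else dn
    if target is None:           # attribute absent from the DN: nothing to compare
        return False
    t, v = target.lower(), value.lower()
    return {"eq": t == v, "ne": t != v, "co": v in t, "nc": v not in t}[op]

def parse_rule(line):
    """Parse 'subject-name attr cn co ccie.net' or 'issuer-name eq IOS'."""
    m = re.fullmatch(r"(subject-name|issuer-name)(?:\s+attr\s+(\S+))?\s+(eq|ne|co|nc)\s+(.+)",
                     line.strip())
    if not m:
        raise ValueError("unrecognised rule: " + line)
    return m.groups()

# The three rule lines tried in the post (one per certificate-map attempt).
RULES_FROM_POST = [
    "subject-name attr cn co ccie.net",
    "subject-name co ccie.net",
    "issuer-name eq IOS",
]

def evaluate(rules, cert):
    """Return {rule_line: True/False} for each rule against one certificate."""
    return {r: match_rule(*parse_rule(r), cert) for r in rules}

if __name__ == "__main__":
    for rule, hit in evaluate(RULES_FROM_POST, R3_CERT).items():
        print(f"{rule:40} -> {'MATCH' if hit else 'no match'}")
```

Under these assumptions none of the three lines matches R3's certificate: its subject carries a hostname attribute rather than cn, the domain is ccie.com rather than ccie.net, and an `eq` against the full issuer DN would need the whole string `cn=IOSCA`.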