Home > Articles > Cisco Network Technology > Network Administration & Support > Configuring the Cisco PIX Firewall for CA Site-to-Site

Configuring the Cisco PIX Firewall for CA Site-to-Site

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Dec 28, 2001.

Contents

  1. Configure CA Support Tasks
  2. Task 1: Prepare for IPSec
  3. PIX CA Support Overview
  4. Task 2: Configure CA Support
  5. Task 3: Configure IKE
  6. Task 4: Configure IPSec
  7. Task 5: Test and Verify VPN Configuration
  8. Summary
  9. Review Questions

Chapter Description

This sample chapter explains how to configure Cisco Secure PIX Firewall certificate authority (CA) support for Internet Protocol Security (IPSec). After presenting an overview of the configuration process, the chapter shows you each major step of the configuration, including support tasks, IKE, and IPSec.

From the Book

Cisco Secure Virtual Private Networks

Cisco Secure Virtual Private Networks

$50.00

Task 2: Configure CA Support

Configuring PIX Firewall CA support requires careful attention for successful implementation. Having a detailed plan will lessen the chances of improper configuration. Some planning steps and their associated commands follow:

Step 1

Manage Flash memory usage (optional)—CA certificates, CRLs, and RSA key pairs might use up a significant amount of Flash memory space and might need to be monitored.

Step 2

Configure the PIX Firewall's time and date— The PIX Firewall must have an accurate time and date to enroll with a CA server.

Step 3

Configure the PIX Firewall's host name and domain name—The host name and domain name are required to associate the fully qualified domain name (FQDN) with the keys and certificates used by IPSec.

Step 4

Generate RSA signature key pairs—The RSA signature key pairs are used to sign and encrypt IKE key management messages used to obtain a certificate.

Step 5

Declare a CA—Specify the nickname and IP address of the CA.

Step 6

Configure CA communication parameters—Specify CA, RA, and retry parameters.

Step 7

Authenticate the CA—Obtain the CA's public key and certificate.

Step 8

Request signed certificates—Request signed certificates from your CA for all of your PIX Firewall's RSA key pairs.

Step 9

Save the configuration—Save the configuration to Flash memory.

Step 10

Verify CA support configuration—Verify CA support configuration with various show commands.

Step 11

Monitor and maintain CA interoperability (optional)—Delete certificates and update CRLs.

Step 1: Manage Flash Memory Usage (Optional)

In some cases, storing certificates and CRLs locally will not present a problem. However, in other cases, memory might become an issue—particularly if your CA supports an RA and a large number of CRLs are stored on your PIX Firewall. A PIX Firewall stores the following types of certificates:

  • RSA signature key pairs

  • Its own certificate

  • The CA's certificate

  • Two RA certificates (only if the CA supports RA)

The PIX Firewall stores the following numbers of CRLs:

  • One, if the CA does not support an RA

  • Multiple, if the CA supports an RA

Step 2: Set the PIX Firewall's Date and Time

Ensure that the PIX Firewall's time and date have been accurately set with the show clock command. The clock must be accurately set before generating RSA key pairs and enrolling with the CA server because the keys and certificates are time-sensitive.

To set the PIX Firewall's time and date, use the clock set configuration command. The command syntax is as follows:

clock set hh:mm:ss day month year
clock set hh:mm:ss month day year

hh:mm:ss

Current time in hours (military format), minutes, and seconds

day

The current day of the month, for example, 1

month

The current month expressed as the first three characters of the month, for example, apr for April

year

The current year expressed as four digits, for example, 2001

The following example sets the time to one second before midnight, December 31, 2000:

PIX1(config)# clock set 23:59:59 31 dec 2000

Cisco's PKI protocol uses the clock to make sure that a CRL is not expired. Otherwise, the CA might reject or allow certificates based on an incorrect time stamp.

NOTE

The lifetime of a certificate and the CRL is checked in GMT time. If you are using IPSec with certificates, set the PIX Firewall clock to GMT time to ensure that CRL checking works correctly.

Step 3: Configure the PIX Firewall's Host Name and Domain Name

You must configure the PIX Firewall's host name and IP domain name if this has not already been done. This is required because the PIX Firewall assigns a FQDN to the keys and certificates used by IPSec, and the FQDN is based on the host name and IP domain name you assign to the PIX Firewall. For example, a certificate is named "pix1.xyz.com" based on a PIX Firewall host name of "pix1" and a PIX Firewall IP domain name of "xyz.com."

To configure the PIX Firewall's host name and IP domain name, there are two commands to use. To configure the PIX Firewall's host name, use the following command:

hostname newname

To configure the PIX Firewall's IP domain name, use the following command:

domain-name name

Step 4: Generate RSA Key Pairs

RSA key pairs are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your PIX Firewall.

To generate an RSA key pair, enter the following command in configuration mode:

ca generate rsa {key | specialkey} key_modulus_size

key

This specifies that one general purpose RSA key pair will be generated.

specialkey

This specifies that two special purpose RSA key pairs will be generated instead of one general purpose key.

key_modulus_size

The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits might cause key generation to take a few minutes, but it increases key entropy or life.

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

In the following example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 512.

pixfirewall(config)#ca generate rsa key 512

Step 5: Declare a CA

Declare one CA to be used by your PIX Firewall with the ca identity command in configuration mode. You can also specify the location of the CA server's CGI script and the LDAP IP address, if used. The command syntax is as follows:

ca identity ca_nickname ca_ipaddress [:ca_script_location] [ldap_ip address]

ca_nickname

The CA's name. Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

ca_ipaddress

The CA's IP address.

:ca_script_location

The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command.

ldap_ip address

(Optional) Specify the IP address of the LDAP server. By default, querying a certificate or a CRL is done with Cisco's PKI protocol. If the CA supports LDAP, query functions can also use LDAP.

An example of entering a ca identity command is as follows:

pixfirewall(config)#ca identity labca 172.30.1.51

Step 6: Configure CA Communication Parameters

Configure CA communication parameters with the ca configure command in configuration mode. You can use the command to indicate whether to contact the CA or an RA to obtain a certificate. Use different parameters for each type of supported CA. The command syntax is as follows:

ca configure ca_nickname {ca | ra} retry_period retry_count [crloptional]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

ca | ra

Indicates whether to contact the CA or RA when using the ca configure command. Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.

retry_period

Specifies the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the firewall retries every minute.

retry_count

Specifies how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA for the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.

crloptional

Allows other peers' certificates to be accepted by your PIX Firewall even if the appropriate CRL is not accessible to your PIX Firewall. The default is without crloptional.

An example of defining VeriSign CA server-related commands is as follows. The IP address of onsiteipsec.verisign.com server is 172.31.1.50.

pixfirewall(config)#ca identity vsec.cisco.com 172.31.1.50
pixfirewall(config)#ca configure vsec.cisco.com ca 1 20 crloptional

Note that the CA mode is specified.

An example of defining a Baltimore or an Entrust CA server is as follows. The IP address of the CA server is 172.30.1.51.

pixfirewall(config)#ca identity labca 172.30.1.51 172.30.1.51
pixfirewall(config)#ca configure labca ra 1 20 crloptional

The second IP address is for an LDAP query server running on the same host. Note that the RA mode is specified.

An example of defining a Microsoft Windows 2000 CA is as follows:

pixfirewall(config)#ca identity labca 172.30.1.51:/certsrv/mscep/mscep.dll
pixfirewall(config)#ca configure labca ra 1 20 crloptional

Step 7: Authenticate the CA

Authenticate the CA to verify that it is legitimate by obtaining its public key and its certificate with the ca authenticate command in configuration mode. After entering the command, manually authenticate the CA's public key by contacting the CA administrator to compare the CA certificate's fingerprint. An RA, if used (as in the Entrust CA), acts as a proxy for a CA. The command syntax is as follows:

ca authenticate ca_nickname [fingerprint]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

fingerprint

A key consisting of alphanumeric characters the PIX Firewall uses to authenticate the CA's certificate. The fingerprint is optional and is used to authenticate the CA's public key within its certificate. The PIX Firewall discards the CA certificate if the fingerprint that you included in the command statement is not equal to the fingerprint within the CA's certificate.

Depending on the CA you are using, you might need to ask your local CA administrator for this fingerprint.

You also have the option to authenticate the public key manually by comparing the two fingerprints after you receive the CA's certificate, rather than entering it within the command statement.

An example of authenticating a CA is as follows: 

pixfirewall(config)#ca authenticate labca

The certificate has the following attributes:

Fingerprint: 93700c31 4853ec4a ded81400 43d3c82c

Step 8: Request Signed Certificates

Request signed certificates from your CA for all your PIX Firewall's RSA key pairs using the ca enroll command. Before entering this command, have your CA administrator authenticate your PIX Firewall manually before granting its certificates. The command syntax is as follows:

ca enroll ca_nickname challenge_password [serial] [ipaddress]

ca_nickname

The CA's name. Use the nickname entered with the ca identity command.

challenge_password

A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

serial

Specifies the PIX Firewall's serial number (optional).

ipaddress

The PIX Firewall's IP address (optional).

The ca enroll command requests certificates from the CA for all your PIX Firewall's RSA key pairs. This task is also known as enrolling with the CA.

During the enrollment process, you are prompted for a challenge password that can be used by the CA administrator to validate your identity. Do not forget the password you use. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when the ca enroll command is issued.)

Your PIX Firewall needs a signed certificate from the CA for each of your PIX Firewall's RSA key pairs. If you already have a certificate for your keys, you will not be able to complete this command; instead, you will be prompted to remove the existing certificate first.

If you want to cancel the current enrollment request, use the no ca enroll command.

An example of authenticating a CA is as follows:

pixfirewall(config)#ca enroll labca mypassword1234567

The argument mypassword1234567 in the example is a password, which is not saved with the configuration.

NOTE

The password is required if your certificate needs to be revoked, so it is crucial that you remember this password. Note it and store it in a safe place.

The ca enroll command requests as many certificates as there are RSA key pairs. You need to perform this command only once, even if you have special usage RSA key pairs.

NOTE

If your PIX Firewall reboots after you issued the ca enroll command but before you received the certificates, you must reissue the command and notify the CA administrator.

Step 9: Save the Configuration

Save your configuration with the ca save all and write memory commands.

  • The ca save all command allows you to save the PIX Firewall's RSA key pairs; the CA, the RA, and the PIX Firewall's certificates; and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall's Flash memory. The ca save command itself is not saved with the PIX Firewall configuration between reloads.

  • The write memory command stores current CA configuration in Flash memory.

Step 10: Verify CA Support Configuration

Use the show ca identity command to view the current CA identity settings stored in RAM.

Use the show ca configure command to view CA communication parameter settings.

Use the show ca certificate command to verify that the enrollment process was successful and to view PIX Firewall, CA, and RA certificates.

Use the show ca mypubkey rsa command to view your RSA key pairs. Example 7-1 displays sample output from the show ca mypubkey rsa command.

Example 7-1 show ca mypubkey rsa Command Output

% Key pair was generated at: 15:34:55 Jan 01 2000

Key name: labca.cisco.com

Usage: General Purpose Key

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d

6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf

6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001.

Step 11: Monitor and Maintain CA Support

The following steps are optional, depending on your particular requirements:

  • Request a CRL

  • Delete PIX Firewall's RSA keys and certificates

  • Delete CA data from Flash memory

Request a CRL

Request a CRL at any time with the ca crl request command. The PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (unexpired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent by an IKE exchange. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.

Delete PIX Firewall's RSA Keys and Certificates

Delete all your PIX Firewall's RSA keys with the ca zeroize rsa command. The command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

Use the no ca identity command to manually remove the PIX Firewall's certificates from the configuration. This deletes all the certificates issued by the CA.

Ask the CA administrator to revoke your PIX Firewall's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall's certificates using the crypto ca enroll command.

Delete CA Data from Flash Memory

The no ca save command removes the PIX Firewall's RSA key pairs; the CA, the RA, and the PIX Firewall's certificates; and the CA's CRLs from the persistent data file in Flash memory.

Example of a CA Server Configuration

Example 7-2 shows a sample of CA commands for an Entrust CA server.

Example 7-2 CA Commands for an Entrust CA Server

pix1# write terminal

!

hostname Pix1

domain-name labca.cisco.com

!

ca identity labca 172.30.1.51:cgi-bin/pkiclient.exe 172.30.1.51

ca configure labca ra 1 100 crloptional

NOTE

You must use the show ca mypubkey rsa command to view your RSA key pairs. You must use the show ca certificate command to view PIX Firewall, CA, and RA certificates.

5. Task 3: Configure IKE | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020