Btw, we have ASA 8.2 out now. Also there is an IPS module for the 5505, but
it does not support all the features (otherwise it would be a really nice
addition to the CCIE Security home lab):
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-525310.html
*Q.* How is the Cisco AIP SSC-5 feature set different from the Cisco AIP
SSM-10, AIP SSM-20, and AIP SSM-40?
*A.* The Cisco AIP SSC-5 software is based on the same IPS software as that
of the Cisco AIP SSM-10, AIP-SSM20, and AIP-SSM40. However, the Cisco AIP
SSC-5 does not support Cisco Global Correlation, Cisco Anomaly Detection,
virtualization, and custom signature support. Customers requiring these
features should consider the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40
modules.
And of course we have IPS 7.0 out now as well :)
Regards
Farrukh
On Fri, May 1, 2009 at 10:48 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Right, I have some good news for anyone interested in this one:
>
> After digging up some information, this is what's going on:
>
> As of ASA Release 8.0.2 for IPSec (8.0.3.4 for SSL) connections if the
> KeyUsage extension is present it must have the Digital Signature bit set.
>
> Option 1: If the ExtendedKeyUsage extension is present it must contain one of the following for IPsec:
> * id-kp-clientAuth 1.3.6.1.5.5.7.3.2
> * id-kp-ipsecEndSystem 1.3.6.1.5.5.7.3.5
> * id-kp-ipsecTunnel 1.3.6.1.5.5.7.3.6
> * id-kp-ipsecUser 1.3.6.1.5.5.7.3.7
>
> Option 2: You can disable the check in the trustpoint configuration with the following (the default is "no ignore-ipsec-keyusage" and "no ignore-ssl-keyusage"):
> crypto ca trustpoint <trustpointname>
> ignore-ipsec-keyusage
> ignore-ssl-keyusage
>
> Since the new Lab exam has ver 8.x on it, this is one that folks would like
> to keep an eye out for I guess.
>
> HTH a little,
> Sadiq
>
> On Thu, Apr 30, 2009 at 6:12 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> > Just to let you guys know... do not use this version of code on the ASA5510 with L2L VPN config with RSA-SIG!! It would keep telling you on the debugs that:
> >
> > %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
> > %ASA-7-717029: Identified client certificate within certificate chain. serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
> > %ASA-7-717030: Found a suitable trustpoint CCIECA to validate certificate.
> > %ASA-3-717009: Certificate validation failed. Peer certificate key usage is invalid, serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
> > %ASA-3-717027: Certificate chain failed validation. Certificate chain is either invalid or not authorized.
> > %ASA-5-713904: Group = R5.ccie.com, IP = 150.1.5.5, Peer Certificate authentication failed: General Error
> >
> > This is all when you have EVERYTHING configured absolutely correct! All I did was downgrade the appliance to 7.2(4) and it works!
> >
> > Does anyone know what's going on here? :-)
> >
> > --
> > CCIE #19963
> >
>
>
>
> --
> CCIE #19963
>
>
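The KeyUsage / ExtendedKeyUsage rule Sadiq describes in the quoted message can be checked offline before a certificate is enrolled on a peer, which is cheaper than reading it out of `debug crypto` output after the tunnel fails. The Python below is an added example written for this archive page; it is not Cisco's code and not from either poster. It decodes the DER values of the two extensions (the sample values are constructed by hand here, the OIDs and bit layout follow RFC 5280) and applies the same two conditions the thread states for IPsec peers, with an `ignore_ipsec_keyusage` parameter standing in for the trustpoint command of that name.

```python
# Added example (not Cisco's code, not from the thread): a pre-flight check that
# mirrors the ASA 8.0.2+ peer-certificate key-usage rule described above.
# Input is the raw DER value of the KeyUsage (2.5.29.15) and ExtendedKeyUsage
# (2.5.29.37) extensions; the sample values at the bottom are constructed.

# RFC 5280 KeyUsage bit positions, in order.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Extended key usages the thread lists as acceptable for IPsec peers.
IPSEC_ACCEPTED_EKUS = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
}


def _read_tlv(data, offset):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    start = offset + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[start:start + n], "big")
        start += n
    return tag, data[start:start + length], start + length


def decode_key_usage(der):
    """Return the set of KeyUsage bit names set in a DER BIT STRING."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused_bits, bits = body[0], body[1:]
    total_bits = len(bits) * 8 - unused_bits  # trailing padding bits are not usages
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        byte_index, bit_index = divmod(i, 8)
        if bits[byte_index] & (0x80 >> bit_index):
            names.add(name)
    return names


def _decode_oid(body):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of dotted OIDs in a DER ExtendedKeyUsage SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, offset = [], 0
    while offset < len(body):
        t, v, offset = _read_tlv(body, offset)
        if t != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OIDs")
        oids.append(_decode_oid(v))
    return oids


def check_ipsec_key_usage(key_usage_der=None, eku_der=None, ignore_ipsec_keyusage=False):
    """Apply the thread's rule: a present KeyUsage needs digitalSignature, a present
    ExtendedKeyUsage needs one IPsec-acceptable purpose. Pass None for an extension
    the certificate does not carry. Returns (ok, reason)."""
    if ignore_ipsec_keyusage:  # stands in for 'ignore-ipsec-keyusage' on the trustpoint
        return True, "check disabled on the trustpoint"
    if key_usage_der is not None:
        ku = decode_key_usage(key_usage_der)
        if "digitalSignature" not in ku:
            return False, "KeyUsage present without digitalSignature: %s" % sorted(ku)
    if eku_der is not None:
        ekus = decode_eku(eku_der)
        if not any(oid in IPSEC_ACCEPTED_EKUS for oid in ekus):
            return False, "ExtendedKeyUsage has no IPsec-acceptable purpose: %s" % ekus
    return True, "key usage acceptable for an IPsec peer"


# Constructed sample extension values (DER), not taken from any real certificate.
KU_DIGSIG_KEYENC = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
KU_KEYENC_ONLY = bytes.fromhex("03020520")    # keyEncipherment only (typical TLS server cert)
EKU_SERVER_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")  # id-kp-serverAuth only

if __name__ == "__main__":
    for label, ku, eku in [
        ("digitalSignature + clientAuth", KU_DIGSIG_KEYENC, EKU_SERVER_CLIENT),
        ("keyEncipherment only", KU_KEYENC_ONLY, EKU_SERVER_CLIENT),
        ("serverAuth only", KU_DIGSIG_KEYENC, EKU_SERVER_ONLY),
    ]:
        print(label, "->", check_ipsec_key_usage(ku, eku))
```

The second and third sample cases are the ones that produce the `%ASA-3-717009 ... key usage is invalid` message quoted above: a certificate issued from a plain web-server template usually carries keyEncipherment without digitalSignature, or serverAuth as its only EKU, and 7.2 code did not object while 8.0.2+ does. Re-issuing the peer certificate with digitalSignature and one of the listed EKUs fixes the root cause; `ignore-ipsec-keyusage` only suppresses the check.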
Blogs and organic groups at http://www.ccie.net
Received on Sat May 02 2009 - 09:26:29 ART