Hi,
You need any type of certificate which allows you to generate
certificates, like Root, CA, Sub-CA, etc. ASA-CX is basically the Ironport
platform code, which runs on the ASA in hardware for bigger platforms or
software in lower platforms. I'm not sure if it explicitly tells you what
type of certificate you need in the documentation (I'm sure it tells you
in the IronPort knowledge base), but it tells you implicitly based on the
behaviour/functionality.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
On 02/05/14 08:17, "Carlos G Mendioroz" <tron_at_huapi.ba.ar> wrote:
>Cristian,
>do you have a link to a document that describes this procedure ?
>That you'd need an RA certificate for the ASA, right ? Those should be
>expensive I guess :)
>
>TIA,
>-Carlos
>
>Cristian Matei @ 01/05/2014 17:37 -0300 dixit:
>> Hi,
>>
>> If you speak about the ASA-CX module, if based on policies the ASA decides
>> to decrypt the HTTPS session for inspection, what ends up happening is that
>> there will be two SSL/TLS tunnels: one between client and ASA, one between
>> ASA and server. The interesting part is how you fix the possible
>> certificate issues; the ASA needs a Root type of certificate because what
>> it does is that it gets the certificate from the server and
>> builds/generates a certificate on-the-fly to match the server's
>> certificate attributes. So from the client's perspective, the only
>> difference between the HTTPS session being decrypted or not is the
>> server's certificate issuer: if the session is decrypted by the ASA, the
>> server's certificate issuer will be the ASA.
>>
>> Regards,
>> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
>> cmatei_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> On 01/05/14 15:31, "R.B. Kumar" <seekumarin_at_gmail.com> wrote:
>>
>>> Hi Experts, I am curious to understand how the SSL/HTTPS inspection is
>>> designed to be handled in the Cisco ASA Firewall.
>>>
>>> All I know is that, for SSL inspection, the firewall has to decrypt
>>> and again encrypt the traffic passing through the firewall. Does this
>>> require the Server's private key to be imported into the firewall for
>>> decryption and the public key for encrypting?
>>>
>>> Thanks in advance
>>>
>>> RBK
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>--
>Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Blogs and organic groups at http://www.ccie.net
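The on-the-fly certificate Cristian describes, as an added Go example that is not part of this thread or of any Cisco code: a constructed "public" CA issues the real server certificate, a constructed ASA-CX signing CA re-issues a clone with the same subject, SANs and validity but its own key pair (so, answering RBK's question, the server's private key is never imported), and a client check shows that only the issuer differs and that the clone verifies only once the ASA's CA is trusted. The CA names and www.example.com are assumptions made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed CA that may issue certificates; both CAs used here are constructed for the demo.
func NewCA(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssueLeaf has ca sign a certificate with like's subject, SANs and validity but a fresh key pair (the on-the-fly clone).
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, like *x509.Certificate) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // new key pair: the real server's private key is never needed
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: like.Subject, DNSNames: like.DNSNames,
		NotBefore: like.NotBefore, NotAfter: like.NotAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// ClientAccepts reports whether a client whose only trusted root is root validates cert for host.
func ClientAccepts(cert *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	publicCA, publicKey := NewCA("Constructed Public Root CA")
	asaCA, asaKey := NewCA("Constructed ASA-CX Signing CA")
	real := IssueLeaf(publicCA, publicKey, &x509.Certificate{Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)})
	clone := IssueLeaf(asaCA, asaKey, real) // what the client sees when the ASA decrypts the session
	fmt.Println("issuer:", real.Issuer.CommonName, "->", clone.Issuer.CommonName, "| accepted trusting public CA:",
		ClientAccepts(clone, "www.example.com", publicCA), "| trusting ASA CA:", ClientAccepts(clone, "www.example.com", asaCA))
}
```

A client that has not installed the ASA's CA gets the same untrusted-issuer error it would get from any interception proxy, which is also the simplest client-side signal that a session is being decrypted.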
Received on Fri May 02 2014 - 08:24:48 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 13:43:09 ART