Wednesday, January 18, 2012

SSL Wildcard Certificate Installation on Cisco ASA 8.x

After searching high and low for instructions, I finally found this link that was most useful:

http://serverfault.com/questions/32443/any-problems-usinga-godaddy-ssl-certificate-on-a-cisco-asa-firewall


Here is the solution taken from the link above:


I have a GoDaddy (standard, not deluxe) wildcard certificate that I use on my ASA 5510 for ASDM access. ASDM says that "SSL parameters affect both ASDM and SSL VPN access," so if it works for me, it should for you and SSL VPNs.


I did have problems importing a .pem version of my certificate chain. Using a *.pfx (like IIS uses) worked fine.
I grabbed gd_intermediate.crt from https://certs.godaddy.com/Repository.go

In ASDM, Configuration, Device Management, Certificate Management, CA Certificates; click Add, don't change any defaults, install from file, locate the gd_intermediate.crt file.

I also tried loading gd_bundle.crt which some of our certs use and that failed, but since gd_intermediate.crt worked and that's what my wildcard uses, I didn't test any more.

Once the intermediate cert is loaded, go to Identity Certificates (right above CA Certificates) and do something similar (Add, import from file, choose the .pfx file, and enter the password for the .pfx).

Now that the cert is successfully installed, set which interfaces it will be used on. That's under Device Management, Advanced, SSL Settings. Click the interface (probably outside), click Edit, and choose the Trustpoint name of the certificate you added in the last step. Click OK, Apply, and try going to your https://vpn.url and see if it loads the right cert.

Thanks to serverfault.com.

Friday, January 13, 2012

Upgrade Procedure - Cisco Nexus 5000 Switch

I did this on a Nexus 5548. The process was simple - no quirky issues. Our upgrade went from 5.0(3)N1(1b) to 5.1(3)N1(1). I had already established IP connectivity through the management port.

Remember that the management interface belongs to the vrf context called "management" by default.

vrf context management
  ip route 0.0.0.0/0 10.0.3.251
interface mgmt0
  ip address 10.0.1.225/22

Download the relevant files. I downloaded these two:

n5000-uk9-kickstart.5.1.3.N1.1.bin
n5000-uk9.5.1.3.N1.1.bin

Fire up your tftp server. Verify that you have enough space on your bootflash: to hold the new files:

login: admin
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Nexus5548-2# dir
        744    Apr 20 02:08:48 2011  license_SSI15100AW7_10.lic
      49152    Apr 20 02:11:45 2011  lost+found/
       1586    Nov 10 11:47:20 2011  mts.log
   25136128    Apr 20 02:01:51 2011  n5000-uk9-kickstart.5.0.3.N1.1b.bin
  188700150    Apr 20 02:02:52 2011  n5000-uk9.5.0.3.N1.1b.bin
       4096    Jan 01 02:05:55 2009  vdc_2/
       4096    Jan 01 02:05:55 2009  vdc_3/
       4096    Jan 01 02:05:55 2009  vdc_4/

Usage for bootflash://
  331591680 bytes used
 1319313408 bytes free
 1650905088 bytes total

I had plenty of space. Now tftp the kickstart and system image files into the bootflash, answering "management" when prompted for the vrf. TFTP gives you no integrity protection, so after each copy compare the file's MD5 with the hash published on Cisco's download page (show file bootflash:<filename> md5sum) before running the install.

Nexus5548-2# copy tftp://10.0.1.227/n5000-uk9-kickstart.5.1.3.N1.1.bin bootflash:n5000-uk9-kickstart.5.1.3.N1.1.bin

Enter vrf (If no input, current vrf 'default' is considered): management
Trying to connect to tftp server......
Connection to Server Established.
TFTP get operation was successful

Nexus5548-2# copy tftp://10.0.1.227/n5000-uk9.5.1.3.N1.1.bin bootflash:n5000-uk9.5.1.3.N1.1.bin

Enter vrf (If no input, current vrf 'default' is considered): management
Trying to connect to tftp server......
Connection to Server Established.
TFTP get operation was successful

Run install all, naming both the kickstart and the system image. The installer verifies both files and reports whether the upgrade is disruptive before asking for confirmation.

Nexus5548-2# install all kickstart bootflash:n5000-uk9-kickstart.5.1.3.N1.1.bin system bootflash:n5000-uk9.5.1.3.N1.1.bin

Verifying image bootflash:/n5000-uk9-kickstart.5.1.3.N1.1.bin for boot variable "kickstart".
[####################] 100% -- SUCCESS
Verifying image bootflash:/n5000-uk9.5.1.3.N1.1.bin for boot variable "system".
[####################] 100% -- SUCCESS
Verifying image type.
[####################] 100% -- SUCCESS
Extracting "system" version from image bootflash:/n5000-uk9.5.1.3.N1.1.bin.
[####################] 100% -- SUCCESS
Extracting "kickstart" version from image bootflash:/n5000-uk9-kickstart.5.1.3.N1.1.bin.
[####################] 100% -- SUCCESS
Extracting "bios" version from image bootflash:/n5000-uk9.5.1.3.N1.1.bin.
[####################] 100% -- SUCCESS
Performing module support checks.
[####################] 100% -- SUCCESS
Notifying services about system upgrade.
[####################] 100% -- SUCCESS

Compatibility check is done:
Module  bootable          Impact  Install-type  Reason
------  --------  --------------  ------------  ------
     1       yes      disruptive         reset  Non-disruptive install not supported if L3 was enabled

Images will be upgraded according to following table:
Module       Image         Running-Version             New-Version  Upg-Required
------  ----------  ----------------------  ----------------------  ------------
     1      system            5.0(3)N1(1b)             5.1(3)N1(1)           yes
     1   kickstart            5.0(3)N1(1b)             5.1(3)N1(1)           yes
     1        bios      v3.5.0(02/03/2011)      v3.5.0(02/03/2011)            no
     1      SFP-uC                v1.0.0.0                v1.0.0.0            no
     1   power-seq                    v1.0                    v1.0            no
     3   power-seq                    v5.0                    v5.0            no
     1          uC                v1.2.0.1                v1.2.0.1            no

Switch will be reloaded for disruptive upgrade.

Do you want to continue with the installation (y/n)?  [n] y

Install is in progress, please wait.

Performing runtime checks.
[####################] 100% -- SUCCESS
Setting boot variables.
[####################] 100% -- SUCCESS
Performing configuration copy.
[####################] 100%

The switch will reboot. Log in again and run show version to verify that you are on the new version.

Nexus 5000 Switch
login: admin
Password:

Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Nexus5548-2# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  BIOS:      version 3.5.0
  loader:    version N/A
  kickstart: version 5.1(3)N1(1)
  system:    version 5.1(3)N1(1)
  power-seq: Module 1: version v1.0
  uC:        version v1.2.0.1
  SFP uC:    Module 1: v1.0.0.0
  BIOS compile time:       02/03/2011
  kickstart image file is: bootflash:///n5000-uk9-kickstart.5.1.3.N1.1.bin
  kickstart compile time:  12/6/2011 22:00:00 [12/07/2011 06:30:01]
  system image file is:    bootflash:///n5000-uk9.5.1.3.N1.1.bin
  system compile time:     12/6/2011 22:00:00 [12/07/2011 08:09:44]

Hardware
  cisco Nexus5548 Chassis ("O2 32X10GE/Modular Universal Platform Supervisor")
  Intel(R) Xeon(R) CPU         with 8263872 kB of memory.
  Processor Board ID JAF1515BBRA

  Device name: Nexus5548-2
  bootflash:    2007040 kB

Kernel uptime is 0 day(s), 0 hour(s), 3 minute(s), 13 second(s)

Last reset at 720106 usecs after  Thu Dec 15 20:15:10 2011

  Reason: Disruptive upgrade
  System version: 5.0(3)N1(1b)
  Service:

plugin
  Core Plugin, Ethernet Plugin

Nexus5548-2#

That's it!