Not sure if Cisco documents it anywhere, but here goes.
What happens if you have multiple trustpoints defined on the ASA?
When a certificate is presented to the ASA, the appliance can validate it against ANY trustpoint configured on the device, and it will use the first one that matches, provided the client type also matches.
You cannot change this behavior, except by specifying a different certificate usage on the trustpoint:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2124040
You do, however, have control over which certificate is SENT to the peers; that is what you configure under the tunnel-group and ssl CLIs.
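An added configuration sketch (not from the original post) illustrating the distinction above: the trustpoints only restrict what the ASA will accept, while the ssl and tunnel-group commands choose what it presents. Trustpoint names, the interface name and the tunnel-group name are placeholders, and id-usage is assumed to be the certificate-usage restriction the link refers to.

```cisco
! Two trustpoints: both are candidates for validating a peer's certificate.
crypto ca trustpoint CA-INTERNAL
 enrollment terminal
 ! Limit this trustpoint to SSL/IPsec identity use (usage restriction)
 id-usage ssl-ipsec
 crl configure
crypto ca trustpoint CA-PARTNER
 enrollment terminal
 crl configure

! Which identity certificate the ASA SENDS to SSL/WebVPN clients on "outside"
ssl trust-point CA-INTERNAL outside

! Which identity certificate the ASA SENDS to IPsec peers of this tunnel-group
tunnel-group VPN-PARTNERS ipsec-attributes
 trust-point CA-PARTNER
```

Note that a client certificate chaining to CA-PARTNER is still accepted on the SSL side, because validation is not tied to the trustpoint named in ssl trust-point.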