I was working on an SRX100B Firewall yesterday, and needed to be able to ping the outside interface.
Solution
Note: You can quickly enable ping on an interface from the CLI like so (the interface is referenced by its logical unit, e.g. ge-0/0/0.0, and the change only takes effect once you commit):

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
1. Log into the web console of the Juniper.
2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Under Interface services add in ‘ping’ > OK.
Note: To allow pinging of the inside interface, select the 'Trust' zone instead.
3. Then to save the change click Action > Commit.
Related Articles, References, Credits, or External Links
Assuming you already have web management enabled, and you want to access it from the outside (the untrust zone).
Solution
1. Log into the web console of the Juniper.
2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Select the outside interface > Under Interface services add in ‘http’ > OK.
Note: Plain http sends your J-Web login in clear text across the internet; ‘https’ is in the same Interface services list and is the safer choice for anything reachable from the untrust zone.
3. Then to save the change click Action > Commit.
4. Test Externally.
Related Articles, References, Credits, or External Links
A client asked me how to do this, so off I went to the test bench to work it out.
Note: In this example I’m going to submit the request to, and issue the certificate from, my own Windows domain certificate authority; you would send your request to a third party certificate authority (here’s a direct link to the certificate type you require). To use your own CA, every client connecting to the ASA would need to trust this CA.
Solution
Certificates are date specific, so we need to make sure your firewall knows the correct date and time.
1. Connect to the ASA via ASDM > Configuration > Device Setup > System Time > Set the time and time zone correctly.
Note: As shown, from the command line simply enter “show clock”.
2. Configuration > Device Management > Certificate Management > Identity Certificates > Add > New > Supply a key pair name > Generate Now.
Note: If using Digicert, change the Key Size to 2048 or you will see this error when you attempt to get your certificate (any public CA will reject a 1024-bit key today, so use 2048 whichever vendor you go to):
Something is wrong
The CSR uses an unsupported key size, please generate a new CSR with a key size of at least 2048 bits.
3. Select… > Add each subject attribute one by one (as shown), starting with the CN, which is the name your clients will connect to > OK.
4. Advanced > Set the FQDN to the SAME name you entered for the CN in step 3 > OK > Add Certificate. (The ASA puts this FQDN into the request’s subject alternative name, which is the field modern browsers and AnyConnect actually match against.)
5. Choose a location to save the certificate request.
6. Locate and open the certificate request and it should look something like this.
Note: This is the information your certificate vendor will require.
7. Once your request has been processed, the certification authority should send you a certificate. (Note: some vendors may send you a text file that you need to rename from filename.txt to filename.cer before Windows will open it in the certificate viewer like this.)
8. With the certificate open (as above) > Certificate path > Select the issuing Certificate Authority > Copy to File.
Note: You need to import the root certificate and, depending on the vendor, any intermediate certificates. I’ve shown an example from two major vendors to illustrate.
9. Select “Base-64 encoded…” > Next.
10. Save the cert somewhere you can find it.
11. Open it with notepad, and it should look like this > Select ALL the text.
12. Back at the ASDM > Configuration > Device Management > Certificate Management > CA Certificates > Add > Paste certificate in PEM format > Paste in the text > Install Certificate.
13. Repeat the process for any other root CA or intermediate certificates. Then go back to step 8 and export the web certificate itself (i.e. in this case select vpn.petenetlive.net and export that to a file, then copy the text from Notepad to the clipboard).
14. Back in the ASDM this time you will need to install the Identity Certificate, (this is the one you paid for!) > Select the pending request from earlier > Install > Paste in the text > Install Certificate > Apply.
15. To enable the certificate on the outside interface > Configuration > Device Management > Advanced > SSL Settings > outside > Edit > Select the new one from the list > OK > Apply.
16. Note: If you are configuring your AnyConnect VPNs later, this is the point in the setup where you would select the new certificate.
17. Make sure you can resolve the name that’s on the CN of your certificate (public DNS must return the ASA’s outside address) and that you can reach it from a client machine.
18. Now you should be able to connect without certificate warnings.
19. Don’t forget to save the settings on your ASA (File > Save Running Configuration to Flash).
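As an added example (not part of the original article, and not Cisco’s tooling), the checks below are what I would run with openssl on a workstation before pasting anything into the ASDM: the key size the vendor insists on (step 2), that the FQDN/SAN really is the same name as the CN (step 4), converting a vendor file to the PEM text the ASDM wants (step 7), proving the identity certificate only verifies once the root and the intermediate are both present (steps 12–14), and the validity-date check that step 1 is there for. Everything is constructed offline so it runs without a real CA or ASA: a root CA, an issuing (intermediate) CA and an identity certificate for the assumed placeholder name vpn.example.com stand in for the vendor and for the ASA’s own CSR.

```shell
#!/bin/sh
# Added example, not from the original article. A root CA, an intermediate CA
# and the identity certificate are CONSTRUCTED here with openssl so the script
# runs offline; vpn.example.com is an assumed placeholder FQDN.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN=vpn.example.com

# Stand-in for steps 2-4 (on a real deployment the ASA generates its own key
# pair and CSR). Two CSRs are made so the key-size check can show the 1024 case.
gen_csr() {   # $1 = RSA key size; writes $WORK/asa-<size>.csr
  openssl req -new -newkey "rsa:$1" -nodes -keyout "$WORK/asa-$1.key" \
    -subj "/CN=$FQDN/O=Example Org" -addext "subjectAltName=DNS:$FQDN" \
    -out "$WORK/asa-$1.csr" 2>/dev/null
}

# Step 2 note: the vendor's "unsupported key size" error is about the modulus.
csr_key_bits() { openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Step 4: the FQDN (subjectAltName) must be the SAME name as the CN.
csr_names_match() {
  cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  san=$(openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' \
        | sed -n 's/.*DNS:\([^, ]*\).*/\1/p')
  [ -n "$cn" ] && [ "$cn" = "$san" ]
}

# Step 7 note: renaming .txt to .cer does not change the encoding; the ASDM
# wants PEM text, so convert DER when that is what the vendor sent.
to_pem() { if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"; else openssl x509 -inform DER -in "$1"; fi; }

# Steps 12-14: $1 = identity cert, $2 = root CA, $3 = intermediate (optional).
# Without the intermediate the identity certificate cannot be verified.
chain_ok() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; fi
}

# Step 1: certificates are date specific; -checkend 0 fails once notAfter has passed.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# --- Build the constructed chain (root -> intermediate -> identity) ----------
gen_csr 1024
gen_csr 2048
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -days 3650 \
  -subj "/CN=Example Root CA" -out "$WORK/root.pem" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -subj "/CN=Example Issuing CA" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
  "$FQDN" > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/asa-2048.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/$FQDN.cer" 2>/dev/null
# A DER copy, as some vendors ship it, to exercise to_pem.
openssl x509 -in "$WORK/$FQDN.cer" -outform DER -out "$WORK/$FQDN.txt"

# --- Run the checks a human would otherwise eyeball in the GUI ---------------
echo "1024-bit CSR: $(csr_key_bits "$WORK/asa-1024.csr") bits (a public CA will reject this)"
echo "2048-bit CSR: $(csr_key_bits "$WORK/asa-2048.csr") bits"
csr_names_match "$WORK/asa-2048.csr" && echo "CN and SAN agree on $FQDN"
to_pem "$WORK/$FQDN.txt" > "$WORK/identity.pem"
chain_ok "$WORK/identity.pem" "$WORK/root.pem" || echo "root alone: FAILS (intermediate missing, see step 13)"
chain_ok "$WORK/identity.pem" "$WORK/root.pem" "$WORK/inter.pem" && echo "root + intermediate: OK"
cert_not_expired "$WORK/identity.pem" && echo "identity certificate is within its validity period"
```

Once the certificate is installed on the outside interface (steps 15 to 18), the same tool shows what the ASA actually hands out: openssl s_client -connect vpn.example.com:443 -servername vpn.example.com prints the chain the firewall presents, and the “Verify return code” at the end is only 0 (ok) when every intermediate was imported in step 13 and the name you connected to matches the certificate; connecting to the IP address instead of the FQDN will not pass that check, which is exactly the AnyConnect warning discussed in the next article.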
Related Articles, References, Credits, or External Links
The newest versions of the AnyConnect client now show you the following:
If you are seeing this, you’re using the (default) self-signed certificate, or you connected to an IP address rather than the FQDN. But unlike before, you can now ‘lower’ the security so it does not warn you every time.
Solution
1. From the warning screen (shown above) select ‘Change Settings…’.
2. Untick the ‘Block connections to untrusted servers’ option.
Note: With this unticked the client will connect to a server whose certificate it cannot verify, so it no longer protects you from someone impersonating your ASA. That is fine on a test bench; on a production firewall, install a certificate from a CA your clients trust instead.
Or, if you are on OS X:
3. Now when you connect, you get the option of suppressing the warnings for this VPN connection.
Related Articles, References, Credits, or External Links