Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Supporting the Nokia VPN Client

Figure 64-5 Nokia 92xx Communicator Service Requirement

To support the Nokia VPN client, perform the following step on the ASA:

Enable CRACK authentication using the crypto isakmp policy priority authentication command
with the crack keyword in global configuration mode. For example:

hostname(config)# crypto isakmp policy 2

hostname(config-isakmp-policy)# authentication crack

If you are using digital certificates for client authentication, perform the following additional steps:

Step 1

Configure the trustpoint and remove the requirement for a fully qualified domain name. The trustpoint
might be NSSM or some other CA. In this example, the trustpoint is named CompanyVPNCA:

hostname(config)# crypto ca trustpoint CompanyVPNCA

hostname(config-ca-trustpoint)# fqdn none

Step 2

To configure the identity of the ISAKMP peer, perform one of the following steps:

Use the crypto isakmp identity command with the hostname keyword. For example:

hostname(config)# crypto isakmp identity hostname

Use the crypto isakmp identity command with the auto keyword to configure the identity to be
automatically determined from the connection type. For example:

hostname(config)# crypto isakmp identity auto

Note

If you use the crypto isakmp identity auto command, you must be sure that the DN attribute
order in the client certificate is CN, OU, O, C, St, L.
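
A pre-enrollment check for the DN order named in the note above, added here as an example and not taken from the Cisco guide. It assumes the subject string lists attributes in certificate order as TYPE=value pairs (for instance as printed by `openssl x509 -noout -subject`); the sample subjects and function names are constructed for illustration.

```python
import re

# Order required by the note when "crypto isakmp identity auto" is configured.
REQUIRED_ORDER = ["CN", "OU", "O", "C", "ST", "L"]

# Constructed sample subjects (not from a real certificate).
GOOD = "subject=CN = nokia-user1, OU = Mobile, O = Example Corp, C = US, ST = California, L = San Jose"
BAD = "subject=C = US, ST = California, L = San Jose, O = Example Corp, OU = Mobile, CN = nokia-user1"


def dn_attribute_types(subject):
    """Return the attribute types in the order they appear in a subject string.

    Accepts 'CN = a, OU = b' and '/CN=a/OU=b' layouts; a backslash-escaped
    separator inside a value is not treated as a boundary.
    """
    subject = re.sub(r"^subject\s*=\s*", "", subject.strip())
    types = []
    for part in re.split(r"(?<!\\)[,/]", subject):
        if "=" in part:
            types.append(part.split("=", 1)[0].strip().upper())
    return types


def check_dn_order(subject):
    """Return (ok, problems) for one subject string.

    Assumption: attributes that are present must follow REQUIRED_ORDER relative
    to each other; types outside that list are flagged for manual review.
    """
    types = dn_attribute_types(subject)
    problems = [f"unexpected attribute {t}" for t in types if t not in REQUIRED_ORDER]
    ranks = [REQUIRED_ORDER.index(t) for t in types if t in REQUIRED_ORDER]
    for prev, cur in zip(ranks, ranks[1:]):
        if cur < prev:
            problems.append(f"{REQUIRED_ORDER[cur]} appears after {REQUIRED_ORDER[prev]}")
    return (not problems, problems)


if __name__ == "__main__":
    for name, subject in (("GOOD", GOOD), ("BAD", BAD)):
        ok, problems = check_dn_order(subject)
        print(name, "OK" if ok else "MISMATCH: " + "; ".join(problems))
```
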

[Figure 64-5 diagram labels: Nokia SSM; Web server; Internet; Operator mobile network; Telecommuters; SSM server and database; SSM enrollment gateway; SSM management station; RADIUS or LDAP server; SAP database; Corporate E-mail; Corporate Web services; Windows Clients/Laptop Policy; Mobile Devices/Mobile Devices Policy; DMZ; Firewall/VPN gateway; Remote Access]
