Last active: February 8, 2025 19:33
Revisions
inntran revised this gist on Jan 18, 2018 (1 changed file with 2 additions and 2 deletions).
@@ -16,7 +16,7 @@ crypto pki trustpool policy Why IPv6? Cisco routers do AAAA lookup regardless of IPv6 connectivity, and `www.cisco.com` resolves an IPv6 address. 1. Make sure you have DNS servers configured: `Router# show ip dns view` 1. Enable DNS lookup: `Router(config)# ip domain-lookup` 1. Download and import root CA bundle from Cisco to your router: `Router(config)# crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios.p7b` ## IPv4 only? There are couple workarounds when you have a DNS server responding to AAAA records but you do not have IPv6 connectivity. @@ -28,4 +28,4 @@ There are couple workarounds when you have a DNS server responding to AAAA recor * Consider adding free IPv6 connectivity using https://tunnelbroker.net ### Import the CA bundle from flash: `Router(config)# crypto pki trustpool import clean url flash:/ios.p7b` -
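Review bot: in the first hunk (`@@ -16,7 +16,7 @@`), step 3 pulls the router's trust store over plaintext HTTP (`http://www.cisco.com/security/pki/trs/ios.p7b`) and the text never says what protects the bundle's integrity; tell the reader either that IOS checks the signature on the PKCS#7 bundle before installing it, or to verify the downloaded file against a hash obtained from a trusted source, because importing a root bundle over an unauthenticated channel is a root-of-trust decision. Also worth one sentence next to the command: the `clean` keyword removes the previously downloaded trustpool certificates before the new download starts, so a fetch that fails (for example on the AAAA-lookup problem the next section describes) leaves the router without those certificates until an import succeeds.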
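Review bot: in the second hunk (`@@ -28,4 +28,4 @@`), the flash import is the end of the IPv4-only workaround, which earlier tells the reader to disable `ip domain-lookup` and add a static `ip host` entry for `www.cisco.com`, but nothing here says to undo that; add a step to remove the `ip host` entry and re-enable domain lookup once `ios.p7b` is on flash, otherwise the router keeps a hard-coded IPv4 address for `www.cisco.com` that fails silently when the host moves. A file copied by hand also has no integrity check of its own, so before `crypto pki trustpool import clean url flash:/ios.p7b` suggest checking it, e.g. `verify /md5 flash:/ios.p7b <hash>` with a hash computed on a trusted machine.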
inntran created this gist on Jan 9, 2018.
@@ -0,0 +1,31 @@ # Background If you ever need to access HTTPS site from a Cisco router running IOS, whether it's the copy command or TR-069 client or DDNS HTTP client, the request won't go through, because the SSL/TLS certificate (chain) provided by the server cannot be validated. # Install the Cisco provided trusted root bundle ## Before you import CA bundle Setup trustpool policy ``` crypto pki trustpool policy cabundle url http://www.cisco.com/security/pki/trs/ios.p7b chain-validation revocation-check none storage flash:/pki/trs ``` ## Having IPv6? Why IPv6? Cisco routers do AAAA lookup regardless of IPv6 connectivity, and `www.cisco.com` resolves an IPv6 address. 1. Make sure you have DNS servers configured: `Router# show ip dns view` 1. Enable DNS lookup: `Router(config)# ip domain-lookup` 1. Download and import root CA bundle from Cisco to your router: `Router(config)# crypto pki trustpool import clean http://www.cisco.com/security/pki/trs/ios.p7b` ## IPv4 only? There are couple workarounds when you have a DNS server responding to AAAA records but you do not have IPv6 connectivity. ### Download the CA bundle * Download `ios.p7b` file from the URL above and upload to your device. * Disable domain-lookup, create `ip host` entry with the IPv4 address of `www.cisco.com`, then issue `copy http` command to download `ios.p7b` file. * Consider adding free IPv6 connectivity using https://tunnelbroker.net ### Import the CA bundle from flash: `Router(config)# crypto pki trustpool import clean flash:/ios.p7b`
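Review bot: both import commands in this hunk are missing the `url` keyword: `crypto pki trustpool import clean http://www.cisco.com/security/pki/trs/ios.p7b` and `crypto pki trustpool import clean flash:/ios.p7b` will not parse as written; the syntax is `crypto pki trustpool import clean url <url>` (the Jan 18 revision makes exactly this fix). On the policy block: `revocation-check none` disables CRL/OCSP checking for every certificate chain validated against the trustpool, and the Background section gives no reason for it; if the concern is routers that cannot reach a CRL distribution point, `revocation-check crl none` keeps the check when it is possible and falls back only when it is not. The `cabundle url http://...` line also fetches the trust store over plaintext HTTP, so the text should say what protects the bundle's integrity (a signature on the PKCS#7 file, or a hash the operator checks) before the reader runs an import with `clean`, which removes the previously downloaded trustpool certificates first.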