
Welcome to Cisco Firewalls Community



Dual Certs on ASA for VPN

Hi guys,

We already have our ASA (active/failover) configured for AnyConnect VPN on the "outside" interface to support PC AnyConnect VPN users and Cisco 7945G VoIP AnyConnect VPN phones. This is fully functional and operational - no problems.

Now, since we have to move away from SSL TLS 1.0, we want to set up new Cisco 8841 VoIP AnyConnect VPN phones on a different external-facing interface and apply our own in-house certs. Once the new 8841 phones are operational, we will disable the older SSL TLS 1.0-only phones.

During the ASA CSR identity certificate generation, it appears we need to use the IP address of the external interface versus the ASA host name, as the ASA host name is already used for the "outside" VPN users/phones. We need to set up a new DNS record as well.

Anyone have experience with this and can offer any advice? :)

Thank you

Frank

2 REPLIES

UPDATE: For anyone else having this much fun.

Summary - Yes long story short, each interface (or bundle of interfaces) on the ASA can have certs (public or private).

We added the new external interfaces with the 2nd ISP address space and set up external DNS resolution to the new interface name (as a side note, we also implemented redundant interfaces to the external switches to increase failover and redundancy options).

Since we generate our own certificates using Microsoft CA, it was a fun learning experience to get the ASA to accept the private root/Intermediate and id certs; but this is now complete.

Next step is to update the CUCM appliance...

Thanks

Frank

Oops, my bad, we don't use the CUCM appliance as stated earlier; I meant to type CUCM VM, but the same results regardless. Anyway, so we imported the certs into CUCM. On CUCM, created a separate Profile, Group, Gateway and Common Phone Profile for each phone. On the ASA gateway, set up separate Tunnel-Groups for each phone as well. Created 2 additional Group Policies to allow individual VPN parameters per phone, i.e. TCP versus DTLS. If you work with VPN phones, you know the user's ISP will randomly drop, rate-limit, or throttle UDP packets not meeting the ISP's VoIP requirements - thus the user's VPN phone fails to remain operational or never even connects back to the VPN gateway. The simplest fix is to assign the session to use TCP (not DTLS UDP). Then somehow work with the ISP to allow UDP from the VPN phone.

Dated May 12, 2017

Thanks

Frank
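
The setup described in this thread, sketched as an added configuration example (not taken from the poster's ASA): a second identity certificate bound to a second external interface, plus a per-phone tunnel-group and group policy that keeps the session on TLS over TCP. It assumes ASA 9.x AnyConnect syntax; the interface name `outside2`, the FQDN `vpn2.example.com`, the key label, and the trustpoint, group-policy and tunnel-group names are all placeholders.

```cisco
! Constructed example: every name, interface label and FQDN is a placeholder.
! Dedicated key pair and trustpoint for the new external interface.
crypto key generate rsa label PHONE-VPN-KEY modulus 2048
crypto ca trustpoint PHONE-VPN-TP
 enrollment terminal
 fqdn vpn2.example.com
 subject-name CN=vpn2.example.com
 keypair PHONE-VPN-KEY
!
! Load the issuing CA certificate from the private CA into the trustpoint.
! A root above an intermediate normally gets a trustpoint of its own,
! authenticated the same way.
crypto ca authenticate PHONE-VPN-TP
! Produce the CSR to submit to the private CA.
crypto ca enroll PHONE-VPN-TP
! Paste in the identity certificate the CA issued for that CSR.
crypto ca import PHONE-VPN-TP certificate
!
! Bind one identity certificate per interface. The existing binding on
! "outside" stays untouched; OUTSIDE-TP stands for the trustpoint already in use.
ssl trust-point OUTSIDE-TP outside
ssl trust-point PHONE-VPN-TP outside2
!
webvpn
 enable outside2
!
! Group policy for phones whose ISP drops or throttles UDP:
! disable DTLS so the AnyConnect session stays on TLS over TCP.
group-policy GP-PHONE-TCP internal
group-policy GP-PHONE-TCP attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
!
! Separate tunnel-group that maps a phone to that policy.
tunnel-group TG-PHONE-TCP type remote-access
tunnel-group TG-PHONE-TCP general-attributes
 default-group-policy GP-PHONE-TCP
tunnel-group TG-PHONE-TCP webvpn-attributes
 group-url https://vpn2.example.com/phone-tcp enable
```

`show crypto ca certificates` and `show running-config ssl` confirm which certificate chain is installed and which trustpoint each interface presents.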