Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
2
Replies

Dual Certs on ASA for VPN

fsebera
Level 4
Level 4

‎04-06-2017 01:20 PM - edited ‎03-12-2019 02:11 AM

Hi guys,

We already have our ASA (active/failover) configured for AnyConnect VPN on the "outside" interface to support PC AnyConnect VPN users and Cisco 7945G VoIP AnyConnect VPN phones. This is fully functional and operational - no problems.

Now, since we have to move away from SSL TLS1.0 we want to setup new Cisco 8841 VoIP AnyConnect VPN phones on a different external facing interface and apply our own in-house certs. Once the new 8841 phones are operational, we will disable the older SSL TLS 1.0 only phones.

During the ASA csr identity certificate generation, it appears we need to use the IP address of the external interface verses the ASA host name as the ASA host name is already used for the "outside" VPN users/phones. We need to setup a new DNS record as-well.

Anyone have experience with this and can offer any advice? :)

Thank you

Frank

Labels:
0 Helpful
2 Replies 2

fsebera
Level 4
Level 4

‎05-04-2017 06:10 AM

UPDATE: For anyone else having this much fun.

Summary - Yes long story short, each interface (or bundle of interfaces) on the ASA can have certs (public or private).

We added the new external interfaces with 2nd ISP address space. Setup external DNS resolution to new interface name - (as a side note, we also implemented redundant interfaces to the external switches to increase failover and redundancy options).

Since we generate our own certificates using Microsoft CA, it was a fun learning experience to get the ASA to accept the private root/Intermediate and id certs; but this is now complete.

Next step is to update the CUCM appliance...

Thanks

Frank

0 Helpful

fsebera
Level 4
Level 4
In response to fsebera

‎05-22-2017 01:01 PM

Ooops, my bad, we don't use the CUCM appliance as stated earlier,  I meant to type CUCM vm but the same results regardless.  Anyway, so we imported the certs into CUCM.  On CUCM created a separate Profile, Group, Gateway and Common Phone Profile for each phone.  On the ASA Gateway setup separate Tunnel-Groups for each phone as-well.  Created 2 additional Group Policies to allow individual VPN parameters per phone I.E. TCP verses DTLS.   If you work with VPN phones, you know the users ISP will randomly drop, rate-limit, or throttle UDP packets not meeting the ISPs VoIP requirements - thus the users VPN phone fails to remain operational or never even connects back to the VPN gateway.  The simplest fix is to assign the session to use TCP (not DTLS UDP). Then somehow work with the ISP to allow UDP from the VPN phone.

Dated May 12, 2017 Thanks

Frank

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card