ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak
Level 4

Hello,

On the old ASA FW I had an SSL configuration for multiple domains... for VPN and AnyConnect use. If a user typed vpn.domaina.example into AnyConnect it matched the correct certificate and the AnyConnect client showed no warning about an untrusted certificate...

example:
ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example
etc.

Is it possible to do this on FMC/FTD 7.2.5?
I did not find it; I tried looking at FlexConfig, maybe I missed something...

thanks.

14 Replies

Can you elaborate more?

MHM

Matus Kozak
Level 4

It is simple...

How do I move the ASA config:
"ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example"

to FTD? That is, having multiple domains (VPN domains/URLs) on the same FTD, each matched to the correct star (*) certificate (*.domain.xyz), to avoid users seeing warnings about an untrusted site certificate when it does not match.

tvotna
Spotlight

@Matus Kozak, are you sure that adding the "domain" option to the "ssl trust-point" command solves the untrusted certificate issue because the ASA is able to choose the correct trustpoint when a client connects? How do you start the connection, from the browser or right from the AnyConnect client?

I'm confused, because the AnyConnect client doesn't support the TLS SNI extension yet, which is a design bug CSCue35947 / CSCvh77602. So, if the client doesn't send SNI, the ASA doesn't know which "virtual server" the client is connecting to during the TLS handshake and hence cannot choose the correct certificate for the respective domain (group-url)...

 

Matus Kozak
Level 4

@tvotna well, I'm sure that I don't have an issue with the cert and an untrusted domain; on ASA 9.12(4) it is working and it does not matter if it is AnyConnect or a browser. So if I go to one URL I get the correct cert, and if I go to the second URL I again get the correct cert for the second domain.

I migrated the ASA to FTD and I would like to use a similar config on FTD, where I have multiple domains and need to match the correct cert (webserver cert?).

I'm puzzled. I don't understand how this can work on ASA. Let's ask @ccieexpert , maybe he can shed some light.

FMC doesn't have an option to configure "domain" as you mentioned. So, the only option is to use FlexConfig here.

 

ccieexpert
Level 4

The Secure Client does support SNI.. unfortunately, from what I can see, FlexConfig does not support it. You may want to talk to your partner or Cisco account team to take it up with the business unit...

 

Right. Looking at the sniffer trace I can confirm that AnyConnect 4.10 sends SNI. Looks like Cisco fixed this issue at some point, but forgot to update CSCvh77602.

@Matus Kozak, the solution is to generate a new FTD certificate and include all of the FTD hostnames in the SAN field of the certificate.

The problem or challenge is that multiple engineers can file bugs and they become duplicates... and at times a QA/developer may file a new bug... You can open a TAC case and have them link all of these as duplicates to the bug that added the feature..

I think you need two points here, if I am correct:
1- FTD using a wildcard

https://community.cisco.com/t5/vpn/ftd-vpn-wildcard-certificate/td-p/4184374

2- FTD using cert mapping

https://integratingit.wordpress.com/2023/07/14/ftd-anyconnect-certificate-map/

This makes FTD use the wildcard for both AnyConnect groups, and FTD uses the user cert to map it to the correct profile.
MHM

Matus Kozak
Level 4

@tvotna, I don't need more FTD hostnames included in the SAN. I need multiple certificates (wildcards) to match multiple domain names, as I wrote in the first post.

@MHM Cisco World, thanks. 2- FTD cert mapping is for user authentication; it's good but I don't need this.
I have two wildcard certs for two different domains... I need similar functionality to what I had on the ASA... domain cert match. So I have a trust-point for one domain and a second trust-point for the second domain, and if somebody types https://firstdomain into AnyConnect or a browser it matches the first cert, and https://seconddomain matches the second trustpoint. Two (or more) domains on the outside interface, same IP. Hope it is clear.

 

In FTD, when you add an AnyConnect connection profile you can select which cert FTD will use for this profile, and here you can use a wildcard cert.

So first add two certs to FTD, one for each CA (trustpoint), and then use each one for a different AnyConnect profile.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

You have two choices: 1- use PKCS12, 2- use manual, i.e. generate a CSR and sign the identity cert of the FTD from the CA.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html

That's it.

MHM

@Matus Kozak, instead of multiple certificates use a single certificate and include *.domainA.example and *.domainB.example in the SAN field. You can put as many hostnames or domain names into the SAN as you need when creating the certificate signing request on Windows or with OpenSSL (ASA/FTD cannot do this). It's that simple.
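Building the single multi-wildcard-SAN CSR suggested above with OpenSSL, as an added example that is not part of this thread or of any Cisco documentation; the domain names are the thread's placeholders and the key/CSR file paths are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: one CSR whose SAN carries both
# wildcard domains, so a single identity certificate serves both URLs.
# Assumes a POSIX shell and openssl on PATH; file paths are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a CSR for CN=vpn.domainA.example with both wildcards in the SAN and
# print the CSR path. The SAN lives in a config file so this works on any
# openssl release (no dependency on the newer -addext option).
make_multi_san_csr() {
    cfg="$WORKDIR/san.cnf"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = san_ext
prompt = no
[dn]
CN = vpn.domainA.example
[san_ext]
subjectAltName = DNS:*.domainA.example, DNS:*.domainB.example
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/ftd-vpn.key" -out "$WORKDIR/ftd-vpn.csr" \
        -config "$cfg" >/dev/null 2>&1
    echo "$WORKDIR/ftd-vpn.csr"
}

# Print the SAN entries of a CSR, one per line, without whitespace,
# so the request can be checked before it goes to the CA.
csr_san_entries() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr -d ' ' | tr ',' '\n'
}

# Succeed only if the CSR's SAN names the given DNS entry exactly
# (e.g. '*.domainB.example'); the CN alone is not enough for browsers.
csr_has_dns_san() {
    csr_san_entries "$1" | grep -qxF "DNS:$2"
}

csr="$(make_multi_san_csr)"
csr_san_entries "$csr"
csr_has_dns_san "$csr" '*.domainB.example' && echo "both wildcards present"
```

A wildcard entry such as *.domainA.example matches vpn.domainA.example but not the bare domainA.example, so any bare names the VPN URLs use must be listed as separate DNS entries in the same SAN before the CSR is signed.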

 

I think until they implement that feature, the suggestion to use multiple wildcards in one cert may be the way to go.

Matus Kozak
Level 4

One option which worked for me was to change HostName and HostAddress in the XML profile...

for example:

<HostName>domain1.example.com</HostName>
<HostAddress>domain2.example.com</HostAddress>

or vice versa.