Using Public and Private certificates on "Outside" interface of ASA

fsebera
Level 4

We have external customers that access our ASA public "outside" IP to reach web servers within our DMZ. Trust is enabled with public certificates assigned on the "outside" interface.

We also have external employees that need to connect to this same ASA public "outside" IP but for AnyConnect VPN services. Since these are employees and we want to save money AND have better control over access, could we just use private certificates for employee connections?

Can we assign public and private certificates to the same ASA "outside" interface IP?

Thank you

Frank

4 Replies

jj27
Spotlight

Help me understand you a little better. Say your public IP is 1.2.3.4. You have customers accessing https://1.2.3.4 which is NATed internally to a web server on the DMZ? You also have the AnyConnect VPN service running on the outside IP address, perhaps on a different port since you cannot run AnyConnect on port 443 as well as have a server with a NAT translation to the outside interface port 443.

In that case, the public certificate is typically installed on the server in the DMZ and the ASA's certificate is not used. You could use a privately signed certificate on your outside interface for the AC VPN.

Yes, you are correct; employees connecting with AnyConnect VPN will authenticate to the certs on the ASA firewall while customers accessing servers within the DMZ will authenticate with the certs installed on those DMZ servers!!

But just in case we have customers and employees needing to authenticate to the ASA, could we use both public and private certs on the same ASA "outside" interface?

Thank you

Frank

Unfortunately not. You are only able to have one certificate active on an interface at a given time.
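As an added illustration (not configuration from the original thread or from either poster), here is how the split that jj27 describes looks in ASA configuration: the public certificate stays on the DMZ web server, which customers reach through a static port NAT to the outside interface, while the outside interface itself is bound to exactly one trustpoint holding the privately signed AnyConnect certificate. The trustpoint and key names (EMPLOYEE-CA, EMPLOYEE-CA-KEY), the hostname vpn.example.com, the DMZ address 10.10.10.5, the object name webserver-dmz and the alternate WebVPN port 444 are assumed placeholders; the public IP 1.2.3.4 is the one used in the thread.

```text
! --- Private CA trustpoint for the employee AnyConnect certificate (assumed names) ---
crypto key generate rsa label EMPLOYEE-CA-KEY modulus 2048
crypto ca trustpoint EMPLOYEE-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair EMPLOYEE-CA-KEY
!
! Paste the private CA certificate, generate the CSR, then paste the signed identity cert
crypto ca authenticate EMPLOYEE-CA
crypto ca enroll EMPLOYEE-CA
crypto ca import EMPLOYEE-CA certificate
!
! Only one trustpoint can be bound to an interface: this is the certificate
! every TLS client connecting to the ASA's outside IP will be presented with
ssl trust-point EMPLOYEE-CA outside
!
! Move AnyConnect/WebVPN off tcp/443 so that port can be forwarded to the DMZ server
webvpn
 port 444
 enable outside
 anyconnect enable
!
! Customers reach the DMZ web server via static port NAT on the outside interface
! (1.2.3.4:443 -> 10.10.10.5:443); the public certificate is installed on that
! server, so it never has to be on the ASA
object network webserver-dmz
 host 10.10.10.5
 nat (dmz,outside) static interface service tcp 443 443
```

Two things to check after applying this: `show ssl` confirms which trustpoint is bound to the outside interface (there will be one entry), and the employees' AnyConnect clients must have the private CA certificate in their trust store, otherwise they will see an untrusted-certificate warning on every connection, which trains users to click through warnings and defeats the purpose of the certificate.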

Thank you for the clarification.

Frank
