what is the impact of changing the public IP address to a FQDN instead on the ASA?

abood842001 · ‎11-11-2018

Hi,

currently, I can only reach my ASA remotely via a public IP address, and I want to get a trusted certificate to secure the SSL VPN "HTTPs" page on the ASA, but in order to get it, the certificate issuer is requesting to use an FQDN instead of the IP address.

my question is, if I want to change how I reach my ASA externally from using a public IP address to an FQDN, will this impact the SSL or the IPsec VPN?

is there any impact?

also, does anyone know the steps to resolve the public IP address to an FQDN please?

Marvin Rhoads · ‎11-11-2018

It won't affect your SSL VPN other than give it a proper certificate to use. IPsec VPN won't be affected at all.

You just register a public DNS entry (assuming you have a public DNS or DNS provider) for the new FQDN. That FQDN is then used to resolve to your public IP address. The ASA presents the certificate and the Common Name (CN) matches the FQDN and AnyConnect is happy - no certificate errors.

If you don't have a public DNS server you can also do the same thing by manually updating the local hosts file for any remote clients. That way when they try to resolve the address that local file will give them the FQDN ti IP address mapping thus accomplishing the same thing. (Most people don't do this outside a lab environment as it is not very scalable solution across more than one or two remote hosts.)