How to register domain in Cisco AnyConnect to Amazon DNS?

Herald Sison
Level 3

Hi All,

I have set up a new SSL VPN connection and clients are now connecting to it via Cisco AnyConnect, through our office Internet public IP, by simply typing it. Now what I want to achieve is to register that IP address under our existing domain in Amazon DNS so that every time they connect through Cisco AnyConnect, or even download the installer from the page, they will just type the domain and not the IP address anymore.

Also, when someone tries to nslookup the domain that I registered in Amazon DNS, the result should be the Amazon IP and not our office public IP anymore.

Is there a step-by-step guide to this setup?

For example, our office public IP is 1.2.3.4 and I want to register it in Amazon DNS with the domain myvpn.xyz.com, where xyz.com already exists and is being used as the O365 domain, and every time I nslookup myvpn.xyz.com the Amazon IP should appear, not the 1.2.3.4 office public IP anymore.

Thanks.

I am having a hard time doing this since I am not an expert in Cisco SSL VPN.


6 Replies

balaji.bandi
Hall of Fame

Hi Sir,

Thank you for your response, but this article is stating an error while the FQDN is already registered. In my case I don't have my FQDN registered yet to a public domain like Amazon.

Where can I find a step-by-step guide to do that? I want to purchase the cert from Comodo once the FQDN is up and accessible.

Ok, let me explain the steps to make it clear:

1. Let's say you are now authenticating using the IP address 10.10.10.10.

2. Now you want to move to the FQDN instead of the IP address.

3. Now you have an FQDN, for example balajibandi.com, so in your Amazon DNS you point the vpn.balajibandi.com A record to 10.10.10.10 (this is the public IP where the tunnel was terminating before).

4. Make sure you have the correct PKI in place, with the FQDN certificate installed on the ASA.

5. Change the client-side VPN profile from IP to FQDN (for testing, change 1 PC manually; once all is working, you can centrally push it to all the clients).

Look at the AnyConnect admin guide for the version you are using, for reference:

https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-installation-and-configuration-guides-list.html

The other post I referred to in the old reply has an XML file showing how you can change the profile to the FQDN the quick and dirty way.

Make sense?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Sir,

This is good, thank you so much for this. But one more thing: if I nslookup the FQDN, what IP will come out? Is it still our Internet public IP or the Amazon one?

Thanks

I believe you are using the Amazon DNS server; the IP should resolve to your ASA public-facing IP address.

Make sense?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

You can modify the AnyConnect client XML profile by adding the VPN gateway FQDN.

Of course, it should be configured as a DNS A record pointing to the ASA outside interface IP.

The PC trying to connect should be able to resolve the FQDN.

Also, very important: the identity certificate CN field of the ASA must exactly match the FQDN you connect to, otherwise you get an untrusted server error (the CN field does not need to match the hostname of the ASA, but it is better to make them equal).
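Added example (not from the thread, Cisco, or AWS): a small Python pre-flight check for the three things the step list and the reply above ask for, namely that the client profile names the gateway by FQDN rather than the old IP literal, that the FQDN resolves to the ASA outside IP, and that the FQDN is covered by the identity certificate's CN/SAN. The profile, the DNS answer and the certificate names are constructed stand-ins so it runs offline; vpn.balajibandi.com and 10.10.10.10 are the example values from the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect client profile (not from the thread): the
# ServerList entry names the gateway by FQDN instead of the old IP literal.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Office VPN</HostName>
      <HostAddress>vpn.balajibandi.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed stand-ins for the DNS answer and the ASA identity certificate
# names, so the checks run offline; in real use feed in socket.getaddrinfo()
# results and the CN/SAN read from the certificate the ASA presents.
DNS_ANSWERS = {"vpn.balajibandi.com": "10.10.10.10"}
ASA_CERT_NAMES = {"cn": "vpn.balajibandi.com", "san": ["vpn.balajibandi.com"]}
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def host_addresses(profile_xml):
    # Every HostAddress in the profile's ServerList (the gateway targets).
    root = ET.fromstring(profile_xml)
    return [e.text.strip() for e in root.iterfind(".//ac:HostEntry/ac:HostAddress", NS)]


def check_gateway(address, expected_ip, dns, cert_names):
    """Return the problems found for one gateway entry; an empty list means OK."""
    problems = []
    try:
        ipaddress.ip_address(address)
        return [f"{address}: still an IP literal, change it to the FQDN"]
    except ValueError:
        pass  # not an IP literal, so treat it as an FQDN
    fqdn = address.lower().rstrip(".")
    resolved = dns.get(fqdn)
    if resolved is None:
        problems.append(f"{fqdn}: no A record yet, clients cannot resolve it")
    elif resolved != expected_ip:
        problems.append(f"{fqdn}: resolves to {resolved}, expected the ASA outside IP {expected_ip}")
    names = {cert_names["cn"].lower(), *(n.lower() for n in cert_names["san"])}
    if fqdn not in names:
        problems.append(f"{fqdn}: not in the ASA certificate CN/SAN, clients will see an untrusted-server error")
    return problems


def check_profile(profile_xml, expected_ip, dns=DNS_ANSWERS, cert_names=ASA_CERT_NAMES):
    # Run check_gateway over every HostAddress in the profile.
    problems = []
    for address in host_addresses(profile_xml):
        problems.extend(check_gateway(address, expected_ip, dns, cert_names))
    return problems
```

Run it against the real profile pushed to one test PC before rolling the FQDN out to all clients, as the step list suggests.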
