cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5169
Views
25
Helpful
9
Replies

Cisco Anyconnect FQDN and certificates

BVC
Level 1
Level 1

I've recently setup and configured a Cisco ASA 5508. The Anyconnect VPN works fine, users can login and can access resources in the network. The only problem I keep getting that I want to fix is the certificate warning. Users have to enter the IP address of the firewall instead of a FQDN connecting to the firewall via the Anyconnect client. How can I configure my firewall so it pushes a FQDN instead of an IP address and stops giving off the certificate warnings?

 

1 Accepted Solution

Accepted Solutions

If you're set on going down the no-public-DNS service you could always modify the hosts file on clients to include the FQDN to IP address mapping. The client will check a local hosts file and prefer that over anything in (or absent in) the configured DNS resolver.

View solution in original post

9 Replies 9

Hi,
You would need to register the FQDN with your external provider, the FQDN must resolve to the IP address of the ASA. The FQDN would need to match the common name (CN) defined in the certificate.

HTH

Marvin Rhoads
Hall of Fame
Hall of Fame

In addition to what @Rob Ingram said, you should also use the AnyConnect profile editor (within ASDM or as standalone application) to create a VPN profile that will be pushed to users upon login. In it you can define both the FQDN and a more user-friendly name for the VPN. Something like this:

VPN Profile.PNG

 

 

Hello Marvin,
Thanks for the reply, I will look into getting a FQDN and matching the self-signed certificate CN so it matches the FQDM. Just a quick question on how self signing works, my boss is asking why don't we just use a self-signed certificate and why doesn't just work, like why do I need to map a FQDN to the CN of the certificate in order to stop getting the errors.

You will continue to get certificate warnings even with FQDN matching the CN in the certificate if you use self-signed certificate. That is unless you go into each client and tell it to trust the appliance as a root CA. (very laborious and generally not an effective solution beyond the lab)

The reason is because that's fundamentally how PKI works - clients only automatically trust a presented certificate if:

1. The issuing Certificate Authority (CA) is trusted and

2. The Common Name (CN) in the certificate matches the Fully Qualified Domain Name (FQDN) of the site being accessed.

Hello Marvin,

Thanks for the quick reply. So in order to fully fix in problem, I will need to export the self-signed certificate (with the correct CN that matches the FQDN) and install into the clients devices, and setup a FQDN that matches the public IP address of my ASA?

 

Or do I even need to register a FQDN with a domain name register, can I just put the public IP address in the certificate CN? As currently the users just put the ASA's public IP address in the anyconnect client.

If you want to go the self-signed route, a client can save the certificate by browsing to the VPN headend. If the self-signed certificate has the FQDN and the URL is publicly resolvable, there's no need to include the IP address as a Subject Alternative Name (SAN) in the certificate. Just make sure to have a VPN profile that pushes the FQDN down to clients upon connect.

It would be very unusual and contrary to the purpose of DNS to use the IP address only and not have a public FQDN. the only times I've seen that done is when the admin is trying to obfuscate the existence of the VPN or just doing it temporarily for a lab or testing and doesn't 

Thank you very much for this. I'm getting closer, I've configured the CN of the certificate with the public IP address and I've also installed the self-signed certificate onto the computers using anyconnect, I've also deleted the default FQDN ASDM gives the certificate when I created the SSL identity certificate. The only SSL warning I get is now saying that the certificate doesn't match the server name and I'm getting to the VPN by using the public IP address that's assigned to the ASA, not a FQDN. Is there anyway to fix this without applying for a domain name as my boss requires this to be done with minimal cost, or is this all just not possible without applying for a FQDN.

If you're set on going down the no-public-DNS service you could always modify the hosts file on clients to include the FQDN to IP address mapping. The client will check a local hosts file and prefer that over anything in (or absent in) the configured DNS resolver.

Hi Marvin,
I've managed to get it running using the local host file, thank you very much for your help.