Cisco ASA 5505 and comodo SSL certificate

Chris Whiteley
Level 1

Hey All,

I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.

Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.

On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

What am I missing here? I can post config if anyone needs it.

(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))


8 Replies

Varinder Singh
Cisco Employee

Chris,

Have you applied the SSL certificate on the outside interface? In case you have not applied it, here are the commands:

  1. Click Configuration, and then click Device Management.
  2. Expand Advanced, and then expand SSL Settings.
  3. Under Certificates, select the interface that is used to terminate WebVPN sessions.
     In this example, the outside interface is used.
  4. Click Edit.
  5. In the Certificate drop-down list, choose the certificate installed in Step 4.
  6. Click OK.
  7. Click Apply.

Alternatively you can apply it from the command prompt:

ssl trust-point my.trustpoint outside
! where my.trustpoint is the name of the trust point that you have created.

If you have done the above steps already, what do you see in the browser information about the certificate? Do you see vpn.mydomain.com in the CN value?

Regards,
Varinder
Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Yes, I have applied the SSL Certificate to the Outside Interface. The cn value is the vpn.mydomain.com.

What is the version of AnyConnect? Do you have an EKU (extended key usage) value in your certificate? Also, can you post the config of the ASA as well?

Varinder

It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.

ASA Version 9.0(2)
!
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Cisco_ASA_5505 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Provider 255.255.255.252
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.3.21
 domain-name MyDomain.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
 subnet 192.168.208.0 255.255.255.0
 description MyDomain-Employee
object-group network Inside-all
 description All Networks
 network-object MyDomain-Old 255.255.254.0
 network-object MyDomain_New_IP 255.255.192.0
 network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
 description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
 ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
 ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 no validation-usage
 no accept-subordinates
 no id-cert-issuer
 crl configure
crypto ca trustpoint VPN
 enrollment terminal
 fqdn vpn.mydomain.com
 subject-name CN=vpn.mydomain.com,OU=IT
 keypair vpn.mydomain.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    omitted
  quit
crypto ca certificate chain VPN
 certificate
    omitted
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca
    omitted
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
 anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.3.21
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
 wins-server none
 dns-server value 10.0.3.21
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value MyDomain.com
 webvpn
  anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
 address-pool MyDomain-Employee-Pool
 authentication-server-group LDAP_Group LOCAL
 default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
 group-alias MyDomain-Employee enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable

Chris,

Thanks for uploading the config. Unfortunately I could not verify the EKU value from the Comodo certificate as it was not mentioned.

You need to have the server keys value in extended key usage:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

From version 3.1.02040 and above this requirement was enforced for making the connection.

CSCud10648 (component: certificate): Revert the EKU/KU requirement changes

In case the Comodo certificate's EKU or KU does not have server keys, you would either need a certificate which fulfills the requirement or you can upgrade the client to 3.1.03103.

Varinder
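As an added check for the two points raised in this thread (not code from the posts, from Comodo or from Cisco): whether the identity certificate carries the serverAuth EKU that AnyConnect 3.1.02040 and later insisted on, and whether the name the client dials (the FQDN, as opposed to the bare IP that appeared in the warning) is actually present in the certificate. The script builds two constructed self-signed certificates with openssl, one with the EKU and one without, and runs both checks over them; vpn.example.com, the 203.0.113.10 address and the file paths are assumptions made for the demo. Point the check functions at the PEM exported from the ASA trustpoint to run it against a real certificate.

```shell
#!/bin/sh
# Added example, not the poster's config or Cisco/Comodo code.
# Constructed test certificates are generated under a temporary directory.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Write a constructed self-signed certificate to $2 using extension section $1.
make_test_cert() {
  section="$1"; out="$2"
  cat > "$WORKDIR/cert.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vpn.example.com
OU = IT
[with_eku]
subjectAltName = DNS:vpn.example.com
extendedKeyUsage = serverAuth
[no_eku]
subjectAltName = DNS:vpn.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/key.pem" -out "$out" \
    -config "$WORKDIR/cert.cnf" -extensions "$section" >/dev/null 2>&1
}

# Return 0 if the certificate's Extended Key Usage includes serverAuth
# (printed by openssl as "TLS Web Server Authentication").
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}

# Return 0 if $2 (the name typed into the client) is a DNS SAN entry or the CN.
# An IP address is never found here unless the CA put an IP SAN in the cert.
cert_matches_name() {
  cert="$1"; name="$2"
  esc=$(printf '%s' "$name" | sed 's/\./\\./g')
  if openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | grep -qE "DNS:${esc}(,|\$)"; then
    return 0
  fi
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
    | grep -qE "(^|=|,)CN=${esc}(,|\$)"
}

# Combined check: 0 only if both the EKU and the dialled name are right.
check_vpn_cert() {
  cert="$1"; name="$2"; ok=0
  if cert_has_server_auth "$cert"; then
    echo "$cert: EKU includes serverAuth"
  else
    echo "$cert: EKU lacks serverAuth (AnyConnect 3.1.02040+ rejects this)"; ok=1
  fi
  if cert_matches_name "$cert" "$name"; then
    echo "$cert: '$name' matches the SAN/CN"
  else
    echo "$cert: '$name' is not in the SAN/CN, client will warn about an untrusted server"; ok=1
  fi
  return $ok
}

GOOD_CERT="$WORKDIR/good.pem"
BAD_CERT="$WORKDIR/no_eku.pem"
make_test_cert with_eku "$GOOD_CERT"
make_test_cert no_eku "$BAD_CERT"

check_vpn_cert "$GOOD_CERT" vpn.example.com            # both checks pass
check_vpn_cert "$BAD_CERT" vpn.example.com || true     # EKU check fails
check_vpn_cert "$GOOD_CERT" 203.0.113.10 || true       # name check fails: the IP is not in the cert
```

The name check is the reason the warning in the first post shows the IP address: the client compares whatever it connected to against the SAN/CN, so a profile or host entry pointing at the ASA's address can never match a certificate issued for the FQDN only.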

So you are saying that the AnyConnect client 3.1.03103 removes this requirement again?

Yes, that is correct. Technically you would require the EKU with server authentication keys, which was kind of forced in the 3.1 version, but subsequently it was taken away. If you are not getting the error using the browser and it comes only with the AnyConnect client, most likely you might not have the values configured. I can confirm that if you can share the FQDN with me; otherwise you can try upgrading and verifying it.

Thanks,

Varinder

Is there a way I can send you the FQDN without sharing with anyone else?