Cisco ASA using Multiple DNS Names

CSCO10675262_2 (Level 1)

Hi,

I am trying to set up a Cisco ASA for SSL VPN; however, due to load balancing/traffic redirection performed by a different device, I was wondering if it may be possible to perform a certificate signing request/certificate required for it to have multiple addresses? An example would be:

IP: 1.1.1.1, fqdn: vpn1.asa.com

IP: 1.1.1.2, fqdn: vpn2.asa.com

IP: 1.1.1.3, fqdn: vpn3.asa.com

Not too sure how to perform the CSR for it on the ASA? Do I create the CSR with a single cn=vpn1.asa.com and ask the CA vendor to sign it off with SANs of vpn2.asa.com and vpn3.asa.com?

A client performing SSL VPN on vpn1.asa.com, vpn2.asa.com or vpn3.asa.com should not be prompted with a certificate warning.

Thanks.

4 Replies

For my certificates the CA always puts in the SANs with additional FQDNs.

Do your users use different FQDNs to connect to your VPN? With a load-balancer in front, the users typically only use one FQDN and then land on different ASAs. For that there are three strategies:

1) use one certificate with the FQDN that the users put in their client and use it on all ASAs.
2) Enroll all ASAs with individual certificates but add the common FQDN as SAN.
3) Use a wildcard certificate.

In my opinion, 2) is the best solution.


Sent from Cisco Technical Support iPad App

Of course option 2 is ideal, but the ASA doesn't support multiple certificates on one interface; I think that's the problem most people are facing.

SAN seems the only option to fix this issue, but you have to use openssl to create the certificate.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso70867

But you only need one certificate on your interface. That's what the SANs are for. And if your CA adds the SANs to the certificate (I think that's quite common) you don't even need OpenSSL.


Sent from Cisco Technical Support iPad App

Hi,

Appreciate the input. For the setup, the different FQDNs are used due to different authentications/locations/etc. I have further illustrated the setup using the same interface for VPN access:

vpn3.asa.com (Extranet Vendor Access)---------|
                                              |
vpn1.asa.com (External branch offices)--------ASA-------Internal authentication servers
                                              |
vpn2.asa.com (HQ/Corporate Users)-------------|

Not too sure about creating the CSR with a single cn=vpn1.asa.com and asking the CA vendor to sign it off with SANs of vpn2.asa.com and vpn3.asa.com as well as vpn1.asa.com?

Thanks.
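The OpenSSL route the second reply points to, worked through for the three hostnames in this thread and answering the CN-plus-SANs question in the last post, as an added example rather than anything posted in the thread. Key size, file names and the trustpoint name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an OpenSSL request config whose
# Subject Alternative Name lists every FQDN users may type, then issue one CSR
# from it. Hostnames are the thread's; key size, file names and the ASA
# trustpoint name are assumptions.
set -e

# Print an openssl.cnf for a CSR with CN=$1 and a DNS SAN for each remaining arg.
# The CN is passed again as a SAN on purpose: clients validate the SAN list,
# not the CN, so a name missing from the SANs still triggers a warning.
make_san_config() {
  cn="$1"; shift
  printf '[ req ]\ndistinguished_name = req_dn\nreq_extensions = req_ext\nprompt = no\n\n'
  printf '[ req_dn ]\nCN = %s\n\n' "$cn"
  printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
  i=1
  for name in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name"
    i=$((i + 1))
  done
}

# Number of DNS SAN entries the generated config carries (sanity check before
# sending anything to the CA).
san_count() {
  make_san_config "$@" | grep -c '^DNS\.'
}

# Generate key + CSR with openssl and print the SAN extension the CA will sign.
# Once the CA returns vpn.crt, bundle key and certificate for the ASA with
#   openssl pkcs12 -export -inkey vpn.key -in vpn.crt -out vpn.p12
# and load it with "crypto ca import VPN-TP pkcs12 <passphrase>" (VPN-TP assumed).
gen_csr() {
  make_san_config vpn1.asa.com vpn1.asa.com vpn2.asa.com vpn3.asa.com > san.cnf
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout vpn.key -out vpn.csr -config san.cnf
  # All three names must show up here; if the CA strips any, the cert is wrong.
  openssl req -in vpn.csr -noout -text | grep -A1 'Subject Alternative Name'
}
```

Call gen_csr, submit vpn.csr, and compare the SAN list of the returned certificate against the CSR before importing; `show crypto ca certificates` on the ASA then shows the same names.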