10-06-2018 11:15 AM
Hi,
Is it possible in ASA to map 2x certificates to 1 interface, so that VPN users will not be shown an error about the certificate, with something like this configuration?
ssl trust-point <Trustpoint-Name-1> Outside
ssl trust-point <Trustpoint-Name-2> Outside
If not possible, how to prevent it?
thanks
10-06-2018 12:14 PM
Unfortunately no, as per my experience; the certificate is tied to the ASA interface and you won't be able to have different certificates for different SSL VPN connections/types.
But what is your use case for having 2 certificates?
10-07-2018 07:15 PM
Thanks for your feedback.
I just combined 2x ASA VPN into 1 ASA and I found out that they are using 2x different certificates.
What can I do about this? Can I configure another interface in the ASA so that it can handle the 2nd trustpoint?
Thanks
10-08-2018 12:40 AM
Before, we had 2x ASAs with 1x interface each: one intended for devices-A (using a different cert) and the other interface intended for devices-B (using a different cert). But now, since we combined them, we are using one interface for both, and I put the trustpoint for device-A since it is critical for device-A. Since we are using SSL remote access VPN, we did not notice the certificate which is assigned to the interface.
Now, we still have not migrated device-B to the new one. My concern is, once we migrate it, it possibly will not connect because of the trustpoint on my outside interface of the ASA.
Can I put another interface in my new ASA and then assign the correct trustpoint, so that device-B will connect to that new interface? How will the traffic flow once device-B has a successful connection to the new interface?
Thanks
10-08-2018 01:17 PM
Is device-B using IPsec connections or SSL connections?
Certificates will matter for SSL.
Let's say device-a uses vpn.domain.com to connect and device-b uses vpn1.domain.com.
When you merge both into a single interface, both device-a and device-b will use vpn.domain.com. If you set up the right cert on this interface nothing will happen. If you changed device-b from vpn1.domain.com to vpn.domain.com you will need to change their AnyConnect profile if they're using SSL.
If they're connecting using IPsec, are they using cert authentication or basic credentials? If basic auth, then no issues, but you need to take care of the DNS change to point to the right IP now.
You can have 2 different interfaces (in 2 different subnets obviously) and then you can apply a different trustpoint on each.
10-08-2018 08:18 PM
Hi @Francesco Molino, both of them use SSL VPN.
If I add an additional interface for the sole purpose of the device-B connection, how will the traffic go after authentication? Will it go the normal way, out where the gateway points? Thanks
10-08-2018 11:31 PM
Hi @Francesco Molino, but if I use another certificate with a SAN attribute, that is possible, right?
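An added example (not from this thread or from Cisco documentation) of the two workarounds discussed above: a separate interface per trustpoint, as Francesco described, and the single SAN certificate asked about. Interface names, addresses, trustpoint and keypair names and the hostnames vpn.domain.com / vpn1.domain.com are placeholders; the SAN certificate is assumed to be issued off-box and imported as PKCS12.

```cisco
! Option 1: one interface per certificate. The ASA binds exactly one
! trustpoint per interface; a second "ssl trust-point X outside" replaces the first.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet0/1
 nameif outside-b
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Keypairs assumed to exist already: crypto key generate rsa label KEY-A modulus 2048
crypto ca trustpoint TP-DEVICE-A
 enrollment terminal
 fqdn vpn.domain.com
 subject-name CN=vpn.domain.com
 keypair KEY-A
crypto ca trustpoint TP-DEVICE-B
 enrollment terminal
 fqdn vpn1.domain.com
 subject-name CN=vpn1.domain.com
 keypair KEY-B
!
ssl trust-point TP-DEVICE-A outside
ssl trust-point TP-DEVICE-B outside-b
webvpn
 enable outside
 enable outside-b
 anyconnect enable
! Device-B clients keep their existing hostname and profile; DNS for
! vpn1.domain.com must now point at 203.0.113.10 (the outside-b address).
tunnel-group DEVICE-B type remote-access
tunnel-group DEVICE-B webvpn-attributes
 group-url https://vpn1.domain.com/deviceb enable
!
! Option 2: keep the single outside interface and present one certificate
! whose SAN lists both names (CN=vpn.domain.com; SAN: vpn.domain.com, vpn1.domain.com).
! The ASA's own CSR carries only the trustpoint's single fqdn, so the cert is
! assumed to be issued off-box and imported together with its key as PKCS12.
crypto ca import TP-VPN-SAN pkcs12 <passphrase>
! ... paste the base64 PKCS12 blob, then type "quit"
ssl trust-point TP-VPN-SAN outside
!
! Verify which trustpoint each interface presents and the names in the cert
show ssl
show crypto ca certificates TP-VPN-SAN
```

With option 2 both device-A and device-B clients validate the same certificate, so neither group needs a new AnyConnect profile or DNS change.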