05-10-2015 06:46 AM - edited 02-21-2020 08:13 PM
Dear,
I have configured AnyConnect VPN on a Cisco ASA5525 and it is working fine. Currently I bought a public certificate to make the VPN session on the FQDN (xxx.company.com), and I am easily able to make a session on the FQDN (xxx.company.com), but when trying to connect the VPN with the gateway IP address (180.xx.xx.25) it shows the error "certificate is not trusted". So can we resolve this, or can we disable termination of VPN connections on the gateway IP (180.xx.xx.25) so that VPN connections will terminate only on the FQDN (xxx.company.com)?
Please find attached the error file.
05-10-2015 02:33 PM
You should solve this on the client side. Just make sure that your users only connect to the VPN with the FQDN. The easiest way is to deploy an AnyConnect VPN profile from the ASA. In the profile you use the FQDN and name it in a meaningful way. Your users should be advised to only select the provided name in the client and never use the IP.
In addition to that, you can change the local AnyConnect policy to not allow any untrusted servers. With that, they can't press "Connect Anyway" when a certificate is not trusted.
More on these policies and profiles is in the AnyConnect Admin Guide.
There is also the solution to buy another certificate where you have both the FQDN *and* the IP address configured. But personally, I would go for the profiles.
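The profile approach from the answer above, as an added illustration that is not part of the original thread: a minimal AnyConnect client profile whose server list carries only the FQDN, so the client's drop-down offers a meaningful name and never exposes the raw IP. The display name "Company VPN", the hostname xxx.company.com (taken from the question) and the file name are placeholders; the element names follow the AnyConnect client profile schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example client profile (added here, not from the original post).
     Uploaded to the ASA (e.g. disk0:/company-vpn.xml, placeholder name)
     and assigned to the group policy with
       webvpn
        anyconnect profiles company-vpn disk0:/company-vpn.xml
       group-policy <your-group-policy> attributes
        webvpn
         anyconnect profiles value company-vpn type user
     The client downloads it on the next successful connection. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Keep the defaults; nothing here is needed for the FQDN-only behaviour. -->
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Friendly name shown in the client's server drop-down -->
      <HostName>Company VPN</HostName>
      <!-- Must match the Subject/SAN of the public certificate, never the IP -->
      <HostAddress>xxx.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the certificate is validated against the name the client actually dials, the only entry users can pick is the one that matches the certificate; a user who types the IP by hand still gets the warning, which is what the local policy setting in the later reply closes off.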
05-10-2015 06:18 PM
Hi Karsten,
Please guide me on how I can change the local AnyConnect policy to not allow any untrusted servers.
Regards,
MN Ashique
05-10-2015 11:09 PM
It's the parameter "strict certificate trust" in the admin guide; set it to "true" and restart the client.
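The local policy change from the reply above, as an added example that is not part of the original thread: the StrictCertificateTrust element in AnyConnectLocalPolicy.xml. This file lives on each endpoint rather than on the ASA (on Windows it is typically under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\), so it has to be pushed by your endpoint management tooling; the other elements are left at their defaults and the acversion value is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnectLocalPolicy.xml (added here, not from the original post).
     Only StrictCertificateTrust is changed from its default of false.
     With true, a server certificate that fails validation (untrusted CA,
     name mismatch such as connecting by IP, expired) ends the connection
     attempt; the "Connect Anyway" button is no longer offered. -->
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd"
                       acversion="x.y.zzzz">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <!-- The setting the reply refers to: refuse any untrusted server certificate -->
  <StrictCertificateTrust>true</StrictCertificateTrust>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
  <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
  <ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
  <ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
  <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
```

Test the change with a deliberate mismatch (connect to the gateway IP instead of xxx.company.com) before rolling it out: the client should now fail closed rather than prompt, and if the public certificate's chain is not installed on a client the user will be locked out of the VPN rather than able to click through.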