SSL Certificates on Anyconnect

Computerwiz24
Level 1

Hello,

I have an ASA 5505 with an SSL VPN setup. My question is about certificates. To be secure, do I need to buy a third-party certificate, or can I self-sign a certificate on the ASA and add the certificate to the client so it doesn't throw a certificate error? Are self-signed certificates more susceptible to man-in-the-middle attacks? I'm no expert in certificates, so what do I need to ensure a secure tunnel on my AnyConnect remote access tunnel? Thank you


8 Replies

Marvin Rhoads
Hall of Fame

Once you have a certificate in your local trusted store, it is no more and no less susceptible to man-in-the-middle attacks.

Using a certificate issued by a trusted third-party CA is generally preferred, as you don't have the task of manually importing and trusting a self-signed certificate. If you do the latter, you also need to make sure the Common Name (CN) or Subject Alternative Name (SAN) in the certificate matches the name by which you access the VPN.

Some people prefer to get a wildcard certificate (*.company.com) and use that, although it is arguably less secure, as the private key needs to be shared among all systems that use the wildcard.

Thank you, Marvin. When creating a certificate, is the common name the hostname of the ASA? Currently I just use the IP address to access the VPN.

Thank you 

The certificate Common Name can be the ASA IP address of the interface via which you access the VPN from AnyConnect. It's not very "common" to see that, though, as it really isn't considered a best practice. If you're going to the trouble to set up a proper certificate, it is recommended to also tie it to the FQDN of the host.

The FQDN (Fully Qualified Domain Name) does not have to have anything to do with the ASA host name per se; the host name is only locally significant to the ASA. The FQDN is more commonly something like vpn.company.com, as it is easier to communicate to non-technical users that way.

Pardon my lack of knowledge on the subject, but how do I separate my VPN from a web server address on a single IP? If my web address is www.company.com and my VPN FQDN is vpn.company.com, then how do I separate them? Also, is this secure?

Thank you 

If you only have a single public IP, then you have to host one service or the other on a different TCP port. It's usually easiest to just put the SSL VPN on something else.

For instance if the VPN is at vpn.company.com then we would add something like:

webvpn
port 8443

...and have end users put in https://vpn.company.com:8443 when connecting to the VPN. 

Reference:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html#anc10

Thank you for the help

Hello Marvin,

If I am creating a certificate with the Common Name as my real IP,

when I install this cert on my endpoint and use the real IP in AnyConnect, I shouldn't get an untrusted-certificate error, right?

Thank you

P.S. Instead of publishing my domain name for the VPN.

If your client trusts the issuing Certificate Authority (CA), then it should work without giving you an untrusted certificate error.
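The trust-store and name-matching rules from Marvin's first reply, and the IP-in-the-Common-Name question that closes the thread, can be checked locally. The following shell script is an added example and is not from the thread or from Cisco. It uses openssl (assumed 1.1.0 or newer) to generate self-signed certificates like the ones an ASA issues to itself, then asks OpenSSL's verifier the two questions an AnyConnect client asks: is the certificate trusted, and does its name match what the user typed. vpn.company.com, www.company.com and 203.0.113.10 are placeholders, not names from the page. Two points the thread does not spell out: OpenSSL looks for an IP address only in a subjectAltName iPAddress entry and never in the CN, so a certificate whose only name is the IP in the Common Name still fails when you connect by IP; and a wildcard such as *.company.com matches exactly one label.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: reproduce with openssl the
# two checks a TLS client makes against the ASA's certificate:
#   (1) is it issued by something in my trust store, and
#   (2) does its name match the name or address I connected to.
# Assumptions (not from the page): openssl >= 1.1.0 on PATH; vpn.company.com,
# www.company.com and the documentation-range address 203.0.113.10 are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <stem> <subject CN> [subjectAltName value]
# Self-signed server certificate, like the one an ASA generates for itself.
# With no third argument the certificate carries only a CN and no SAN, which is
# what "Common Name as my real IP" produces.
make_cert() {
  stem=$1; cn=$2; san=${3:-}
  cnf="$WORK/$stem.cnf"
  printf '[req]\nprompt = no\ndistinguished_name = dn\n' > "$cnf"
  if [ -n "$san" ]; then
    printf 'x509_extensions = ext\n[ext]\nsubjectAltName = %s\n' "$san" >> "$cnf"
  fi
  printf '[dn]\nCN = %s\n' "$cn" >> "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.crt" -config "$cnf" >/dev/null 2>&1
}

# trust_decision <cert> [openssl verify options...]
# Prints "trusted" when openssl accepts the certificate under those options
# (openssl verify prints "<file>: OK" only on full success), else "untrusted".
trust_decision() {
  cert=$1; shift
  if openssl verify "$@" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

FQDN=vpn.company.com      # assumed VPN FQDN
IP=203.0.113.10           # assumed public IP of the outside interface
make_cert fqdn   "$FQDN" "DNS:$FQDN,IP:$IP"          # CN plus matching SAN entries
make_cert iponly "$IP"                               # IP in the CN only, no SAN
make_cert wild   "*.company.com" "DNS:*.company.com" # wildcard certificate

# 1. Not yet in any trust store: this is the "certificate error" the question is about.
echo "self-signed, not trusted:        $(trust_decision "$WORK/fqdn.crt" -no-CAfile -no-CApath)"
# 2. In the trust store and the name you connect to matches the SAN: accepted.
echo "trusted, name $FQDN:  $(trust_decision "$WORK/fqdn.crt" -CAfile "$WORK/fqdn.crt" -verify_hostname "$FQDN")"
# 3. Same trusted certificate, but connecting by a name it was not issued for.
echo "trusted, name www.company.com:   $(trust_decision "$WORK/fqdn.crt" -CAfile "$WORK/fqdn.crt" -verify_hostname www.company.com)"
# 4. Connecting by IP works only if the IP is in the SAN; a CN-only IP certificate fails.
echo "trusted, IP in SAN:              $(trust_decision "$WORK/fqdn.crt"   -CAfile "$WORK/fqdn.crt"   -verify_ip "$IP")"
echo "trusted, IP in CN only:          $(trust_decision "$WORK/iponly.crt" -CAfile "$WORK/iponly.crt" -verify_ip "$IP")"
# 5. A wildcard covers exactly one label: vpn.company.com yes, company.com and a.b.company.com no.
for n in vpn.company.com company.com a.b.company.com; do
  echo "wildcard, name $n: $(trust_decision "$WORK/wild.crt" -CAfile "$WORK/wild.crt" -verify_hostname "$n")"
done
```

Against the live ASA, including one moved to port 8443 as described above, the equivalent check is `openssl s_client -connect vpn.company.com:8443 -verify_hostname vpn.company.com -CAfile exported-asa.crt </dev/null`, which reports "Verify return code: 0 (ok)" only when both the trust check and the name check pass; if the exported certificate is left out, the same self-signed error the users see in AnyConnect appears.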