cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8001
Views
0
Helpful
8
Replies
Highlighted
Beginner

SSL Certificates on Anyconnect

Hello,

I have a ASA 5505 with a SSL VPN Setup. My question is about certificates. To be secure do i need to buy a third party Certificate or can i self sign a certificate in the ASA and add the certificate to the client so it doesn't throw a certificate error? Are self signed certificates more susceptible to man in the middle attacks? I'm no expert in certificates so what do i need to ensure a secure tunnel on my anyconnect remote access tunnel?  Thank you

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Hall of Fame Guru

Once you have a certificate in your local trusted store it is no more or no less susceptible to man in the middle attacks.

Using a certificate issued by a trusted 3rd party CA is generally preferred as you don't have the task of manually importing and trusting a self-signed certificate. If you do the latter you also need to make sure the Common Name (CN) or Subject Alternative Name (SAN) in the certificate matches the name  by which you access the  VPN. 

Some people prefer to get a wildcard certificate (*.company.com) and use that although it is arguably less secure as the private key needs to be shared among all systems that use the wildcard. 

View solution in original post

Highlighted

If you only have a single public IP then you have to host one service or the other on a different tcp port. It's usually easiest to just put the SSL VPN on something else.

For instance if the VPN is at vpn.company.com then we would add something like:

webvpn
port 8443

...and have end users put in https://vpn.company.com:8443 when connecting to the VPN. 

Reference:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html#anc10

View solution in original post

8 REPLIES 8
Highlighted
Hall of Fame Guru

Once you have a certificate in your local trusted store it is no more or no less susceptible to man in the middle attacks.

Using a certificate issued by a trusted 3rd party CA is generally preferred as you don't have the task of manually importing and trusting a self-signed certificate. If you do the latter you also need to make sure the Common Name (CN) or Subject Alternative Name (SAN) in the certificate matches the name  by which you access the  VPN. 

Some people prefer to get a wildcard certificate (*.company.com) and use that although it is arguably less secure as the private key needs to be shared among all systems that use the wildcard. 

View solution in original post

Highlighted

Thank you Marvin.   When creating a certificate using the common name is that using the hostname of the ASA?  Currently i just use the IP address to access the VPN  

Thank you 

Highlighted

The certificate Common Name can be the ASA IP address for the interface via which you access the VPN from AnyConnect. That's not very "common" to see that though as it really isn't considered a best practice. If you're going to the trouble to setup a proper certificate it is recommended to also tie it to the FQDN of the host.

The FQDN (Fully Qualified Domain Name) does not have to have anything to do with the ASA host name per se - the host name is only locally significant to the ASA. The FQDN is more commonly something like vpn.company.com as it is easier to commuinicate to non-technical users that way.

Highlighted

Pardon my lack of knowledge on the subject but how do i seperate my VPN from a web server address on a single IP?   If my web address is www.company.com and my vpn FQDN is vpn.company.com then how do i seperate them?  Also is this secure? 

Thank you 

Highlighted

If you only have a single public IP then you have to host one service or the other on a different tcp port. It's usually easiest to just put the SSL VPN on something else.

For instance if the VPN is at vpn.company.com then we would add something like:

webvpn
port 8443

...and have end users put in https://vpn.company.com:8443 when connecting to the VPN. 

Reference:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html#anc10

View solution in original post

Highlighted

Thank you for the help

Highlighted

Hello Marvin  ,

If I am creating a certificate with Common name as my real IP , 

when I install this cert on my endpoint and I use the real IP on anyconnect I shouldn't get any error of untrusted certificate right ? 

thank u 

P.S instead my publishing my domain name for vpn 

Highlighted

If you client trusts the issuing Certificate Authority (CA), then it should work without giving you an untrusted certificate error.