SSL VPN Certificate on ASA 5550 firewall

burugudunski
Level 1

Hi All,

We have enabled SSL VPN (WebVPN) on our Cisco ASA firewall and applied a public certificate to the device.

WebVPN per se is working; however, since this is a publicly accessible portal, we are required to secure access using certificates.

The problem is that if the user is using the FQDN of the portal, the certificate is working. However, if the IP is used, it's bypassed(?). (Please see the attached screenshot showing the outputs.)

Anybody encountered this before and if so, what was the solution? 

We have:

Hardware: ASA5550

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.4(1)

Thank you!

4 Replies

It works as designed. As you only have the FQDN in the certificate, that's all that is trusted by the browser. That means that you have to access the ASA by FQDN. If you access the ASA by IP, the certificate is not bypassed and the connection is still encrypted. But the browser just can't validate the certificate.

BTW: You should update the ASA to a more recent software version like 9.1(7)16.

Oh .. thanks Karsten. The thing is penetration scans from security providers use IP range to test .. and unfortunately, this is still a failure.

:(


Yes, it has to be a failure. That is how certificates work and the Pen-testers will be aware of that.

Check with your certificate provider and see if they support adding the IP address as a Subject Alternative Name to your certificate.

It would have to be re-issued and thus re-applied anywhere you've used it but I believe that will serve your purpose once you've done so.
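To illustrate why the IP-based scan fails against an FQDN-only certificate and passes once the IP is added as a Subject Alternative Name, here is an added example (not from this thread or from Cisco) that reproduces the browser's matching rules in pure Python. The certificates are constructed in the dict shape `ssl.getpeercert()` returns; the hostname `vpn.example.com` and address `203.0.113.10` are placeholders.

```python
import ipaddress

# Constructed sample certificates (placeholder names, not a real portal),
# in the format Python's ssl.getpeercert() returns for a live connection.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-name match: case-insensitive, a single wildcard is
    allowed only as the whole leftmost label, and it never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False  # reject partial wildcards ("v*.example.com") and "*.com"
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(cert: dict, target: str) -> bool:
    """True if a browser would accept `cert` for a URL whose host is `target`
    (an FQDN or an IP literal). Like a browser, an IP literal is matched only
    against iPAddress SAN entries, never against DNS entries or the CN, which
    is why an FQDN-only certificate fails when the portal is opened by IP."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


def check_portal(cert: dict, targets) -> dict:
    """Pre-check every way the portal is reachable before a scan does it."""
    return {t: cert_covers(cert, t) for t in targets}


if __name__ == "__main__":
    for label, cert in (("FQDN-only", CERT_FQDN_ONLY), ("with IP SAN", CERT_WITH_IP_SAN)):
        print(label, check_portal(cert, ["vpn.example.com", "203.0.113.10"]))
```

Run it against the real portal by replacing the constructed dicts with `ssl.create_default_context().wrap_socket(...).getpeercert()` output; the same function then tells you whether the reissued certificate covers both the FQDN and the scanned IP.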