04-18-2017 01:25 AM
Hi All,
We have enabled SSL VPN (WebVPN) on our Cisco ASA firewall and applied a public certificate to the device.
WebVPN per se is working; however, since this is a publicly accessible portal, we are required to secure access using certificates.
The problem is that if the user uses the FQDN of the portal, the certificate is working. However, if the IP is used, it's bypassed(?). (Please see attached screenshot showing the outputs.)
Anybody encountered this before and if so, what was the solution?
We have:
Hardware: ASA5550
Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.4(1)
Thank you!
04-18-2017 02:27 AM
It works as designed. As you only have the FQDN in the certificate, that's all that is trusted by the browser. That means that you have to access the ASA by FQDN. If you access the ASA by IP, the certificate is not bypassed and the connection is still encrypted. But the browser just can't validate the certificate.
BTW: You should update the ASA to a more recent software version like 9.1(7)16.
04-18-2017 03:45 AM
Oh... thanks Karsten. The thing is, penetration scans from security providers use IP ranges to test... and unfortunately, this is still a failure.
:(
04-18-2017 04:24 AM
Yes, it has to be a failure. That is how certificates work, and the pen-testers will be aware of that.
04-21-2017 02:20 PM
Check with your certificate provider and see if they support adding the IP address as a Subject Alternative Name to your certificate.
It would have to be re-issued and thus re-applied anywhere you've used it but I believe that will serve your purpose once you've done so.
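Added example (not posted by anyone in this thread and not Cisco code): the matching rule the browser applies in the two answers above, written out in Python so you can see why `https://<FQDN>` validates while `https://<IP>` fails, and why an IP Address SAN entry (the re-issue suggested in the last reply) fixes it. The SAN tuples are in the shape Python's `ssl.getpeercert()` returns; the hostname `vpn.example.net` and address `203.0.113.10` are constructed placeholders, not anyone's real portal.

```python
"""Certificate name matching as a browser performs it (RFC 2818 / RFC 6125 rules)."""
import ipaddress

# Constructed sample certificates in the dict/tuple layout that
# ssl.getpeercert() returns. Names and addresses are made up.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "vpn.example.net"),),),
    "subjectAltName": (("DNS", "vpn.example.net"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "vpn.example.net"),),),
    "subjectAltName": (("DNS", "vpn.example.net"), ("IP Address", "203.0.113.10")),
}


def _dns_match(pattern, hostname):
    """Match one DNS SAN entry against the host typed in the URL.

    Matching is case-insensitive. A wildcard is honoured only as the whole
    leftmost label and only covers one label (RFC 6125 section 6.4.3), so
    '*.example.net' matches 'vpn.example.net' but not 'example.net' or
    'a.vpn.example.net'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD such as '*.net'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _ip_match(san_value, requested):
    """Compare an IP Address SAN with the requested address (handles v4/v6 forms)."""
    try:
        return ipaddress.ip_address(san_value) == ipaddress.ip_address(requested)
    except ValueError:
        return False


def name_matches(cert, requested_host):
    """Return True if a browser would accept `cert` for what was typed in the URL.

    Modern browsers ignore the Subject CN and look only at subjectAltName.
    A literal IP in the URL is matched only against 'IP Address' entries,
    never against a DNS entry that happens to contain digits and dots.
    """
    host = requested_host.strip("[]")  # bracketed IPv6 literal in a URL
    try:
        ipaddress.ip_address(host)
        wanted_kind = "IP Address"
    except ValueError:
        wanted_kind = "DNS"
    for kind, value in cert.get("subjectAltName", ()):
        if kind != wanted_kind:
            continue
        if kind == "DNS" and _dns_match(value, host):
            return True
        if kind == "IP Address" and _ip_match(value, host):
            return True
    return False


if __name__ == "__main__":
    for label, cert in (("FQDN-only cert", CERT_FQDN_ONLY),
                        ("cert with IP SAN", CERT_WITH_IP_SAN)):
        for target in ("vpn.example.net", "203.0.113.10"):
            verdict = "OK" if name_matches(cert, target) else "NAME MISMATCH"
            print(f"{label:17} https://{target:16} -> {verdict}")
```

The output shows the situation from the first post: the FQDN-only certificate is accepted for the name and rejected for the address, while the certificate carrying an `IP Address` SAN is accepted for both. Whether a public CA will issue an IP SAN for your address is the question to put to the provider, as the last reply says; a scanner hitting the raw IP is checking exactly this rule, so the encryption is intact either way and only the name check differs.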