We help IT Professionals succeed at work.

SSL Certificate for VPN on Cisco ASA installation question

cmulwilliams
cmulwilliams asked
on
4,338 Views
Last Modified: 2011-08-18
Experts,
I have an ASA 5510 that I have set up for SSL VPN using an internal web server for RADIUS authentication. Currently to access the VPN, a user types in HTTPS://IP ADDRESS:PORT#
Since we are using the default SSL certificate from the device the user receives a pop up stating that the certificate has a problem, and they have to choose to continue or not.
I went to purchase a certificate and was told that we can't purchase an SSL cert for an IP address that we lease.
I usually leave the router/firewall configs for a security expert but have had little assistance in this area.
What would be the most secure way to proceed? Add an A record for the IP address through my ISP?
(The address we are using is the address for the external interface on the ASA.) or can we change the address being used for the VPN to be the same address as the one that the firewall translates through NAT?
Would it be better to add an additional address to the ASA just for the SSL VPN, is that possible?

IF anyone could give me some advice on which direction they've gone in setting up an SSL VPN with a 3rd party certificate on an ASA that would be very much appreciated. I've looked at the documentation on installing the cert ..I'm more confused on getting the security right on the addressing - is it a security risk to have an a record pointed to the IP addres of the external interface of my asa?
THANKS so much for your help.
Comment
Watch Question

Commented:
You CAN purchase a cert for the IP address you lease.  That IP is actually carved out of your ISPs block of IPs and assigned to you!  So go forth and purchase the cert and get your box going!  For the IP, just keep it simple.  The most secure way is to use the external IP (no name resolution) to connect.
-Todd
cmulwilliamsITS Manager

Author

Commented:
Entrust told me that it wasn't possible to purchase a cert from them for a leasd IP, can you recommend someone that does allow buying the cert for  leased IP? That would save me alot of extra work.

Thanks so much!

Commented:
Sure.  Try one of these:
http://www.thawte.com/
http://www.networksolutions.com/SSL-certificates/index.jsp
When you order to cert, make sure you use your direct telephone number, some of these places will call you to verify that your organization is real/legit.
One last thought I forgot to mention.  SSL certs require an FQDN (Fully Qualified Domain Name), so you will have to add an A record in your DNS for this host.  If you don't, your users will get a pop-up stating that the cert does not match the name of the host.
-Todd
cmulwilliamsITS Manager

Author

Commented:
Todd,

Thanks. Is it secure to have an A record pointed to the external interface of my organization?
Is it possible and would it be better to add another IP address to the ASA just for remote access?
Thanks again.
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
cmulwilliamsITS Manager

Author

Commented:
Todd,

Thanks so much, we have a strong password policy and we've blocked all other ports so that should work for us. I appreciate the time you've taken to help with this.

Commented:
Anytime, let me know if you run into any other problems.  Take care.
-Todd
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.