Yes, I tried Internet Explorer as-well-as Chrome. Same issue with both.

I should also say, I enabled the http authentication-certificate inside option.

Once I receive the cert error and ignore it, ASDM still loads with both browsers

Thanks

Frank

If you can, please post/attach your ASA sanitized configuration file for review. That would be also a java version issue.

Regards,

Aref

Hi Marvin,

UPDATED 11:45am

THANK YOU SO MUCH for the link; ........ as I am struggling here - I followed the steps .... No change.

It did take a while to timeout, but after I changed the ssl certificate-authentication fca-timeout from 5 to 1, fixed the slowness issue.

So I followed the steps to also include the outside interface for SSL certs.

... Now, I'm able to connect on the outside interface https://til.ddt.org. I don't get a browser certificate error until I choose to load ASDM from the browser page. When ASDM starts to load, a certificate error pops up, the cert error indicates it cannot verify Cisco Systems Inc. (VeriSign Class 3 Code Signing 2010 CA).

I downloaded the VeriSign cert and installed in the trusted store on the PC.

VeriSign Class 3 Public Primary Certification Authority - G5; Expiration date: 7/16/2036

BACKGROUND:

When I originated generated the certs for this ASA, I used the outside fqdn interface and all the certs reference this DNS resolvable name. When I try to connect to the ASA on the internal interface -as most folks will - I get the cert error.

The inside ip address is 192.168.1.1 while

the outside interface is 192.168.240.1.

The til.ddt.org resolves via DNS on inside and outside.

In your opinion, what do you think I did or are doing incorrectly - I am a Cisco Router/Switch/Security network guy not a Windows/PKI guy. :)

THANK YOU AGAIN

Frank

Hey folks, I have it figured out.

It was really easy to get this operational once I did all the wrong things first. Once the incorrect options were out of the way, only the correct options were left and it was very clear to see the final path. LOL

My biggest hurdle was creating the entire environment:

For this isolated no-public access or Internet access project I had the opportunity to learn VMware 5.1, create VMs for all the different operating systems needed to support the environments, Learned that cloning a working VM saves enormous amounts of installation time for the next vm (from several hours of installation time down to several minutes), Learned Data Stores make installation really fly. Learned MS Windows Enterprise server, learned MS Win DNS installation and configuration for Internal and external domains; Thank GOD for WireShark!!!!!!! Learned Microsoft's implementation of PKI and how it relates and interoperates with other vendors. Learned how Internet Explorer, Chrome and Firefox with reference to Certificates and security works and also how it does not work :). Learned NTP (the differences of GMT and UTC and where and how to use each) and how Cisco routers CAN provide time to Microsoft clients directly and best of all and absolutely the toughest technology I have ever tackled........PKI in a mixed vendor environment. There is a lot more but I'm tried of typing. LOL

Ok, so what's the next task!!!!!!

Thanks again

Frank

Happy to hear you're up and running.

Please rate any helpful answers that aided you in getting there.