Security Warning for ASA SSL VPN using Wildcard Certificate
Setting up WebVPN for ASA5515X. Everything works as designed except I am getting security warnings when initiating connection. Something to the effect of:
Untrsted VPN Server Blocked
I use a Netsol issued Wildcard Certificate. It been imported with the keys and the cert chain. Seems when I connect to the ASA using SSL VPN I have to connect using the hostname and domain name configured on the ASA for it to not throw security warnings. Is there some way to tell the ASA to match using something other than the configured local hostname and domain so I can stop these warnings? Thanks in advance.
If you use anything other than the FQDN* configured in the certificate (which should match that of the ASA) you will get the browser and/or Anyconnect warning. You can click past the warning in the web interafce or tell AnyConnect via its preferences settings to not "Block Connections to Untrusted Servers" (generally not recommended) and still connect though either seems a bit silly if you've gone to the trouble to purchase and install a certificate.
*Technically your certificate isn't "fully" qualified with the wildcard but the non-woldcarded bits must match.
Thanks for the reply. I understand normally you would want have the hostnames match to get the cert warning to go away. What I was wondering is if you could tell the ASA to use something other than the hostname for matching. My devices hostnames are based on function/location etc. I don't really want to give that away to users by having them connect to some cab01-asa-10.domain.com URL. I would prefer to not change the hostname either to match the URL I give users just to support this functionality. The wildcard cert works if I set up local host entries on my machine for the hostname of the device so I know changing the hostname will fix the issue. Would like to avoid that if possible.
Does anyone know if I change the hostname do I need to do anything with the cert/trustpoint already configured to get it to work? Maybe reload the cert for use with the new hostname? Thanks again for the reply.
Hmm, I'm not positive but I see what you're asking.
If I understand correctly how the certificates work, it's actually the "cn" (common name) value on the certificate that's be compared to the FQDN the client browsed to. Usually the cn is the same as the device hostname. It doesn't have to be though. cn could be the user-friendly name and hostname could be the name useful to the IT team.
Since your certificate cn is * (wildcard), it seems to me if your DNS record (or local hosts file) maps cn.yourcompany.com to your ASAs outside address and the ASA has the certificate *.yourcompany.com installed it might work OK. It's worth a try.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...