Question : Problem: SSL Certificate for VPN on Cisco ASA installation question

Experts,
I have an ASA 5510 that I have set up for SSL VPN using an internal web server for RADIUS authentication. Currently to access the VPN, a user types in HTTPS://IP ADDRESS:PORT#
Since we are using the default SSL certificate from the device the user receives a pop up stating that the certificate has a problem, and they have to choose to continue or not.
I went to purchase a certificate and was told that we can't purchase an SSL cert for an IP address that we lease.
I usually leave the router/firewall configs for a security expert but have had little assistance in this area.
What would be the most secure way to proceed? Add an A record for the IP address through my ISP?
(The address we are using is the address for the external interface on the ASA.) or can we change the address being used for the VPN to be the same address as the one that the firewall translates through NAT?
Would it be better to add an additional address to the ASA just for the SSL VPN, is that possible?

IF anyone could give me some advice on which direction they've gone in setting up an SSL VPN with a 3rd party certificate on an ASA that would be very much appreciated. I've looked at the documentation on installing the cert ..I'm more confused on getting the security right on the addressing - is it a security risk to have an a record pointed to the IP addres of the external interface of my asa?
THANKS so much for your help.

Answer : Problem: SSL Certificate for VPN on Cisco ASA installation question

Sure you can use another IP for remote access, but look at the trade-offs- what you're doing is increasing the complexity of your configuration (harder to maintain), making it harder on your users (they will still get a pop-up), and not significantly increasing your security.

Using an A record is secure since you are using SSL to encrypt both the authentication (username/password) and the data. As long as you have strong passwords and a good password policy, it should be fine. As a standard rule (with or without A records), your firewall should be configured to only allow the necessary ports to the ASA server. If you don't have a firewall, then you should use ACLs on your router and/or the ASA to only allow TCP port 443 and block unnecessary services/ports. Put it this way, banks use SSL with published A records, so you should be fine. Just make sure you block everything except port 443 incoming and your passwords are strong. Here's a Microsoft site for password best practices:
http://technet2.microsoft.com/windowsserver/en/library/e903f7a2-4def-4f5f-9480-41de6010fd291033.mspx?mfr=true
-Todd

Random Solutions

Problem: IPOD 30gb Won't turn off and just says "Do not disconnect". I'm not even connected.

Problem: Assigning application to user via group olicy on Terminal Server

Problem: Can't ping remote router interface over a bridged Multilink PPP connection.

Problem: Which video card for a Dell Precision T7500 workstation?

Problem: Raid 5 vs Raid 1

Problem: DEll XPS 600

Problem: How do I configure ssh on a cisco 1721 router

Problem: Windows 2000 Server - Print Server Issue

Problem: Issue with Citrix XP on windows Service pack 4 - Users get a blank desktop with no Icons.

Problem: I am looking for a compatible board with an ECS Elitegroup board model L4S5MG/651+