Question : Problem: SSL Certificate for VPN on Cisco ASA installation question

Experts,
I have an ASA 5510 that I have set up for SSL VPN using an internal web server for RADIUS authentication. Currently to access the VPN, a user types in HTTPS://IP ADDRESS:PORT#
Since we are using the default SSL certificate from the device the user receives a pop up stating that the certificate has a problem, and they have to choose to continue or not.
I went to purchase a certificate and was told that we can't purchase an SSL cert for an IP address that we lease.
I usually leave the router/firewall configs for a security expert but have had little assistance in this area.
What would be the most secure way to proceed? Add an A record for the IP address through my ISP?
(The address we are using is the address for the external interface on the ASA.) or can we change the address being used for the VPN to be the same address as the one that the firewall translates through NAT?
Would it be better to add an additional address to the ASA just for the SSL VPN, is that possible?

IF anyone could give me some advice on which direction they've gone in setting up an SSL VPN with a 3rd party certificate on an ASA that would be very much appreciated. I've looked at the documentation on installing the cert ..I'm more confused on getting the security right on the addressing - is it a security risk to have an a record pointed to the IP addres of the external interface of my asa?
THANKS so much for your help.

Answer : Problem: SSL Certificate for VPN on Cisco ASA installation question

Sure you can use another IP for remote access, but look at the trade-offs- what you're doing is increasing the complexity of your configuration (harder to maintain), making it harder on your users (they will still get a pop-up), and not significantly increasing your security.

Using an A record is secure since you are using SSL to encrypt both the authentication (username/password) and the data.  As long as you have strong passwords and a good password policy, it should be fine.  As a standard rule (with or without A records), your firewall should be configured to only allow the necessary ports to the ASA server.  If you don't have a firewall, then you should use ACLs on your router and/or the ASA to only allow TCP port 443 and block unnecessary services/ports.  Put it this way, banks use SSL with published A records, so you should be fine.  Just make sure you block everything except port 443 incoming and your passwords are strong.  Here's a Microsoft site for password best practices:
http://technet2.microsoft.com/windowsserver/en/library/e903f7a2-4def-4f5f-9480-41de6010fd291033.mspx?mfr=true
-Todd
Random Solutions  
 
programming4us programming4us