Help: block 443 after disabling webvpn

manish arora
Level 6

Hi Guys,

Well, I configured webvpn on a Cisco 5505 for test purposes, and everything went well. Now I disabled the webvpn using:

asa(config)# webvpn
asa(config-webvpn)# no enable outside

Now, the problem is that after disabling the webvpn it stopped working, but the firewall outside IP which I was using for webvpn is still active for TCP port 443. I have tried a few things but have no idea how I can disable this port 443 access to the firewall outside IP.

Please advise and guide me in the right direction.

thanks

Manish


9 Replies

Magnus Mortensen
Cisco Employee

Manish,

     Do you have any 'http' config lines for the outside interface? Please send the following output:

show run http
show asp table socket

- Magnus

Hi Magnus,

I have attached the requested output.

216.X.14.2 is my firewall outside. I have whitelisted a few public IPs for http access; these are my remote locations, so I need to give them access for ASDM.

thanks

Manish

Manish,

     Since you have "http server enable" and http lines related to the outside interface, the outside interface IP of the firewall will have an OPEN HTTPS socket so you can do ASDM from the outside. If you want to 'close' the https connection on the outside interface you will need to remove any http lines related to the outside interface.

- Magnus

Really?

I have another 5505 running the same code with a similar configuration for http server, but on that firewall I never configured WEBVPN. When I run NMAP against both firewalls, I see no port open on the firewall where I did not configure-then-disable webvpn, whereas this firewall shows that port 443 is open.

Another strange issue is that even after disabling the http server on this firewall, the web browser times out, but NMAP still shows that port 443 is open, even though I can't telnet into it on port 443.

Well, I will troubleshoot it further and give this firewall a reboot at night, and will update you. I also found that the 8.0(4) code I am running did have a few issues with webvpn, so I will look further into them.

thanks

Manish

Manish,

     If NMAP is still showing it open, it may be best to grab some simple captures on the outside interface and see what packets come in from the NMAP and what it looks like on the wire:

capture out int outside match tcp any host eq 443
! Run the nmap test
show cap out detail

- Magnus

Yeah, even after disabling the http server using "no http server enable", the nmap packets were received by the firewall on the outside interface on port 443 and a reply was sent back. I just issued the command "revert webvpn all", but it needs to be followed up by a reboot, so I will do that tonight and will update you tomorrow.

thanks

Manish

Manish,

     After removing those http commands, what do you see in 'show asp table socket'? That output is usually a reliable way to see if there is a LISTENER attached to that socket.

- Magnus

Hello,

Magnus is correct. I tried it in one of our lab firewalls and verified it. I am running 8.3 code version.

ASA(config)# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e35f 192.168.254.106:443 0.0.0.0:* LISTEN
TCP 00018fcf 192.168.254.106:23 0.0.0.0:* LISTEN
TCP 0002a9bf 192.168.254.106:22 0.0.0.0:* LISTEN

ASA(config)# http 10.1.1.1 255.255.255.255 outside
ASA(config)# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e35f 192.168.254.106:443 0.0.0.0:* LISTEN
TCP 00018fcf 192.168.254.106:23 0.0.0.0:* LISTEN
TCP 0002a9bf 192.168.254.106:22 0.0.0.0:* LISTEN
SSL 0044146f 192.168.1.254:443 0.0.0.0:* LISTEN

ASA(config)# no http 10.1.1.1 255.255.255.255 outside
ASA(config)# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e35f 192.168.254.106:443 0.0.0.0:* LISTEN
TCP 00018fcf 192.168.254.106:23 0.0.0.0:* LISTEN
TCP 0002a9bf 192.168.254.106:22 0.0.0.0:* LISTEN

Hope this helps.

Regards,

NT
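The listener check NT walks through above can be automated when the socket table is long or when comparing snapshots taken before and after a config change. This is an added Python example, not code from the thread or from Cisco; the sample dumps are constructed from the output quoted in this post, and the management port list (22, 23, 443) is an assumption.

```python
import re
from typing import NamedTuple

# Sample dumps constructed from the 'show asp table socket' output quoted in
# this thread: the firewall before and after adding an 'http ... outside' line.
BEFORE = """\
Protocol Socket Local Address Foreign Address State
SSL 0000e35f 192.168.254.106:443 0.0.0.0:* LISTEN
TCP 00018fcf 192.168.254.106:23 0.0.0.0:* LISTEN
TCP 0002a9bf 192.168.254.106:22 0.0.0.0:* LISTEN
"""
AFTER_HTTP_OUTSIDE = BEFORE + "SSL 0044146f 192.168.1.254:443 0.0.0.0:* LISTEN\n"


class Listener(NamedTuple):
    proto: str
    ip: str
    port: int


# One socket row: protocol, socket id, local ip:port, foreign address, state.
ROW = re.compile(r"^(SSL|TCP|UDP)\s+[0-9a-f]+\s+(\S+):(\d+)\s+\S+\s+(\S+)$")


def parse_listeners(dump):
    """Return the set of sockets in LISTEN state found in a socket-table dump."""
    found = set()
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(4) == "LISTEN":
            found.add(Listener(m.group(1), m.group(2), int(m.group(3))))
    return found


def new_listeners(before, after):
    """Sockets present in the second snapshot but not the first, i.e. what a
    config change (such as 'http <net> outside') opened on the box."""
    return parse_listeners(after) - parse_listeners(before)


def management_exposure(dump, interface_ip, ports=(22, 23, 443)):
    """Listeners bound to one interface IP on the assumed management ports
    (SSH, telnet, ASDM/HTTPS); a non-empty result on the outside IP is worth
    a second look against 'show run http' and the webvpn config."""
    return sorted(l for l in parse_listeners(dump)
                  if l.ip == interface_ip and l.port in ports)


if __name__ == "__main__":
    print("opened by http line:", new_listeners(BEFORE, AFTER_HTTP_OUTSIDE))
    print("on 192.168.1.254:", management_exposure(AFTER_HTTP_OUTSIDE, "192.168.1.254"))
```

Paste the real 'show asp table socket' output into the two snapshot strings to diff a production box the same way.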

Thanks Mr. M & Mr. NT. As I said before, I was running 8.0(4) on that ASA and I did hit a known bug that leaves the webvpn configuration in place even if you remove it from the outside interface. I have http access open for my whitelisted IPs, but Nmap is showing all filtered from random locations. Using the command "revert webvpn all" and a reload of the device fixed the issue.

Learned a few things:

1> sh asp table socket is a pretty much new command for me.

2> Never play with production devices; should always ask the company for test equipment, lol.

Thanks for quick response guys

Manish
