Cisco Support Community

How to deny access TO ASA https / ssl from outside interface?

Hi all,

Hope this is a quick-win question. I have a Cisco ASA 5510 running 8.4 with ASDM 6.4. I've configured the ASA to terminate IPSec VPN clients successfully using the Cisco VPN client; we also have a couple of users with AnyConnect clients for IPSec. I don't have any SSL VPN clients configured. A recent audit has noticed the ASA is answering on port 443 when accessed from the outside. A cert error is thrown up and, when continuing, the browser displays a 404 error, which is fine. Problem is I don't want the ASA to answer on port 443 for connections made to that interface. Reluctant to start playing around with ACLs as the connections on 443 are to the ASA and not through it; there has to be a better way. Any ideas?

4 REPLIES

Hi,

Answer me a few things: is your ASA configured for both the IPSec VPN client and the AnyConnect VPN setup, or only for the IPSec VPN client?

Your above statement is contradictory ("we also have a couple of users with Anyconnect clients for IPSec"); for your understanding, AnyConnect doesn't use IPSec as its protocol, it uses SSL/443.


HTH

Sandy

Hi Sandy,

We've pre-deployed our 2 AnyConnect clients, so we use IPSec to connect; if you follow the AnyConnect wizard step 3 (VPN Protocols) you have an option to only use IPSec and turn off SSL. We're not using SSL for deployment of these clients.

Thanks

Hi,

If I understand your requirement correctly, you want to run IPSec only and you want to disable SSL/AnyConnect WebVPN.

In your configuration, under webvpn, disable it on the interface connecting to the internet; this will disable your existing AnyConnect setup:

hostname(config)# webvpn
hostname(config-webvpn)# no enable outside

HTH

Sandy

Hi All,

Thanks for the responses. Managed to solve the problem by adding a management ACL on the outside. I wanted to deny requests to the ASA, not through it; anyway, that solved the problem, so if anyone connects to the outside interface the ASA doesn't respond with the SSC error any more, it just drops the packet.
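For readers landing here with the same audit finding, the following is an added configuration example written for this thread; it is not from any of the posters above or from Cisco documentation. It shows what the "management ACL on the outside" amounts to in ASA 8.4 CLI terms: a control-plane access group, which filters traffic destined to the ASA itself rather than through it. The addresses (203.0.113.10 as the outside interface IP, 198.51.100.5 as a single trusted admin host) and the ACL name OUTSIDE_MGMT are assumptions for illustration.

```cisco
! Added example (not from this thread). Placeholder addresses:
!   203.0.113.10 = outside interface IP (assumed)
!   198.51.100.5 = the only host allowed to reach ASDM/HTTPS from outside (assumed)
!
! Let the trusted admin host reach the ASA itself on 443 ...
access-list OUTSIDE_MGMT extended permit tcp host 198.51.100.5 host 203.0.113.10 eq 443
! ... and silently drop every other connection TO the outside interface on 443.
access-list OUTSIDE_MGMT extended deny tcp any host 203.0.113.10 eq 443
! Like any ASA ACL this one ends in an implicit deny, so permit the remaining
! to-the-box traffic explicitly; otherwise the IPsec clients (UDP 500/4500, ESP)
! can no longer reach the outside interface either.
access-list OUTSIDE_MGMT extended permit ip any any
! "control-plane" applies the group to traffic addressed to the ASA,
! not to traffic passing through it.
access-group OUTSIDE_MGMT in interface outside control-plane
!
! Belt and braces, per Sandy's reply above: stop WebVPN listening on outside
! at all, and limit ASDM/HTTPS on outside to the trusted host (or remove the
! outside entry entirely if ASDM from the internet is not needed).
webvpn
 no enable outside
http 198.51.100.5 255.255.255.255 outside
```

Two things to check after applying it: `show access-list OUTSIDE_MGMT` should show the deny entry accumulating hit counts, and an HTTPS connection to 203.0.113.10:443 from any untrusted external host should now time out instead of presenting the self-signed certificate. If AnyConnect IKEv2 client services were enabled on the interface (`crypto ikev2 enable outside client-services port 443`), the ASA still listens on 443 for those clients and the deny above blocks that too for everyone except the permitted host, so review `show run crypto ikev2` before relying on this.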
