06-03-2014 01:43 AM - edited 02-21-2020 05:11 AM
Hi all,
Hope this is a quick-win question. I have a Cisco ASA 5510 running 8.4 with ASDM 6.4. I've configured the ASA to terminate IPsec VPN clients successfully using the Cisco VPN client; we also have a couple of users with AnyConnect clients for IPsec. I don't have any SSL VPN clients configured. A recent audit has noticed the ASA is answering on port 443 when accessed from the outside. A cert error is thrown up, and when continuing the browser displays a 404 error, which is fine. Problem is I don't want the ASA to answer on port 443 for connections made to that interface. I'm reluctant to start playing around with ACLs as the connections on 443 are to the ASA and not through it; there has to be a better way. Any ideas?
06-03-2014 01:55 AM
Hi ,
Answer me a few things: is your ASA configured for both the IPsec VPN client and an AnyConnect VPN setup, or only for the IPsec VPN client?
Your statement above is contradictory ("we also have a couple of users with AnyConnect clients for IPsec"); for your understanding, AnyConnect doesn't use IPsec as its protocol, it uses SSL/443.
HTH
Sandy
06-03-2014 02:05 AM
Hi Sandy,
We've pre-deployed our 2 AnyConnect clients, so we use IPsec to connect. If you follow the AnyConnect wizard step 3 (VPN Protocols) you have an option to only use IPsec and turn off SSL. We're not using SSL for deployment of these clients.
Thanks
06-03-2014 05:53 AM
Hi ,
If I understand your requirement correctly, you want to run IPsec only and you want to disable SSL/AnyConnect WebVPN.
In your configuration under webvpn, disable it on the interface connecting to the internet; this will disable your existing AnyConnect setup:
hostname(config)# webvpn
hostname(config-webvpn)# no enable outside
HTH
Sandy
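A fuller version of the change Sandy describes, as an added example that is not part of the original thread or of Cisco's documentation. It assumes the internet-facing interface is named "outside", the hostname is "asa", and that the pre-deployed AnyConnect clients use IKEv2. On an ASA there is more than one service that can open TCP/443 on an interface, so the example disables each of them and then checks what is still listening.

```cisco
! Added example; assumes interface "outside" and hostname "asa".
! Services that can answer TCP/443 on an ASA interface:
!   1. SSL VPN (clientless and AnyConnect SSL): "enable <if>" under webvpn
!   2. ASDM/HTTPS management: "http <addr> <mask> <if>" plus "http server enable"
!   3. IKEv2 client services (profile and software download for AnyConnect
!      IPsec clients): "crypto ikev2 enable <if> client-services port 443"
! Each is a separate listener; removing only one can leave the port open.

! 1. Stop the SSL VPN listener on the outside interface
asa(config)# webvpn
asa(config-webvpn)# no enable outside
asa(config-webvpn)# exit

! 2. Do not allow ASDM/HTTPS on the outside interface.
!    Assumption: a permissive "http ... outside" line existed.
asa(config)# no http 0.0.0.0 0.0.0.0 outside

! 3. Keep IKEv2 for the pre-deployed AnyConnect IPsec clients, but without
!    the TLS client-services listener. Assumption: re-entering the command
!    without the client-services keyword replaces the earlier form.
asa(config)# crypto ikev2 enable outside
asa(config)# exit

! Verify: nothing should remain bound to 443 on the outside address
asa# show run webvpn
asa# show run http
asa# show run crypto ikev2
asa# show asp table socket | include 443
```

Two caveats for anyone applying this. First, with client services removed, AnyConnect IKEv2 clients can no longer pull an updated XML profile or client package from the ASA, so updates must be pre-deployed (which matches the setup described above). Second, confirm the result from an outside host rather than trusting the config alone, for example `openssl s_client -connect <outside-ip>:443 </dev/null` or `nmap -p 443 <outside-ip>`: a dropped connection or a "filtered"/"closed" port is what the auditor should now see, while a certificate error means a listener is still present.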
06-04-2014 07:00 AM
Hi All,
Thanks for the responses. I managed to solve the problem by adding a management ACL on the outside. I wanted to deny requests to the ASA, not through it; anyway, that solved the problem, so if anyone connects to the outside interface the ASA doesn't respond with the SSC error anymore, it just drops the packet.