How to deny access TO asa https / ssl from outside interface?

kevin.woodhouse
Level 1

Hi all,

Hope this is a quick-win question. I have a Cisco ASA 5510 running 8.4 with ASDM 6.4. I've configured the ASA to terminate IPsec VPN clients successfully using the Cisco VPN client; we also have a couple of users with AnyConnect clients for IPsec. I don't have any SSL VPN clients configured. A recent audit noticed that the ASA is answering on port 443 when accessed from the outside. A cert error is thrown up and, when continuing, the browser displays a 404 error, which is fine. The problem is I don't want the ASA to answer on port 443 for connections made to that interface. I'm reluctant to start playing around with ACLs, as the connections on 443 are to the ASA and not through it; there has to be a better way. Any ideas?

4 Replies

Hi,

Answer me a few things: is your ASA configured for both the IPsec VPN client and an AnyConnect VPN setup, or only for the IPsec VPN client?

Your statement above is contradictory ("we also have a couple of users with AnyConnect clients for IPsec"). For your understanding, AnyConnect doesn't use IPsec as its protocol; it uses SSL/443.


HTH

Sandy


Hi Sandy,

We've pre-deployed our 2 AnyConnect clients, so we use IPsec to connect. If you follow the AnyConnect wizard step 3 (VPN Protocols), you have an option to only use IPsec and turn off SSL. We're not using SSL for deployment of these clients.

Thanks

Hi,

If I understand your requirement correctly, you want to run IPsec only and want to disable SSL/AnyConnect WebVPN.

In your configuration, under webvpn, disable it on the interface connected to the internet; this will disable your existing AnyConnect setup:

hostname(config)# webvpn
hostname(config-webvpn)# no enable outside

HTH

Sandy


Hi All,

Thanks for the responses. I managed to solve the problem by adding a management ACL on the outside. I wanted to deny requests to the ASA, not through it; anyway, that solved the problem, so if anyone connects to the outside interface the ASA doesn't respond with the SSC error anymore, it just drops the packet.
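The two fixes discussed in this thread (Sandy's "no enable outside" under webvpn, and the to-the-box management ACL the original poster ended up using) as one worked ASA configuration sequence. This is an added example, not configuration from either poster or from Cisco documentation. It assumes the outside interface is named "outside", that only IPsec remote-access clients need to reach the box from the internet, ASA 8.4 CLI syntax, and example address 192.0.2.0/24 for the inside management subnet; the ACL name OUTSIDE-TO-BOX is made up. Check each command against the command reference for your release, and apply the ACL from the console or from inside so a mistake cannot lock you out.

```text
! Added example (not from the thread). Assumes interface "outside",
! IPsec-only remote access, ASA 8.4 syntax, and an example inside
! management subnet of 192.0.2.0/24.

! 1. See what the ASA itself is listening on. A LISTEN socket on
!    <outside-ip>:443 is what the audit observed.
show asp table socket

! 2. Stop WebVPN (SSL AnyConnect and clientless) listening on the
!    outside interface, as suggested in the reply above.
webvpn
 no enable outside

! 3. ASDM/HTTPS management: keep 'http server enable' only if ASDM is
!    needed, and only from the inside management subnet. Any
!    'http ... outside' line should be removed.
http 192.0.2.0 255.255.255.0 inside

! 4. To-the-box filtering on the outside interface (the "management
!    ACL" the original poster used). With the control-plane keyword
!    the ACL applies only to traffic destined to the ASA itself, not
!    to traffic passing through it, so 'any' as the destination means
!    "the ASA's own outside address". Permit only what IPsec remote
!    access needs (IKE, NAT-T, ESP) and log everything else.
access-list OUTSIDE-TO-BOX extended permit udp any any eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp any any eq 4500
access-list OUTSIDE-TO-BOX extended permit esp any any
access-list OUTSIDE-TO-BOX extended deny ip any any log
access-group OUTSIDE-TO-BOX in interface outside control-plane

! 5. Re-check: 443 should no longer appear as LISTEN on the outside
!    address, and from the internet
!    'openssl s_client -connect <outside-ip>:443' should time out
!    instead of returning the self-signed certificate.
show asp table socket
```

Two caveats worth checking before declaring the finding closed. First, if AnyConnect is deployed over IKEv2, the configuration may also carry "crypto ikev2 enable outside client-services port 443"; that keeps a TLS listener on 443 for client profile and update downloads independently of webvpn, so review "show run crypto ikev2" as well. Second, the control-plane ACL's final deny also drops SSH, ICMP and any other management traffic from the outside; that is usually the desired end state, but confirm nothing legitimate (for example a monitoring host) was relying on it.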

