<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Disable 443 Service on Outside Interface with RAVPN in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321128#M1079981</link>
    <description>&lt;P&gt;Can you check the connection profile, access interfaces tab? You need to change the web access port number and DTLS port number there to make sure the FTD is not listening on those. It will try to use 443 there for the client downloads and profile update even for an IKEv2 remote access VPN.&lt;/P&gt;</description>
    <pubDate>Fri, 09 Apr 2021 16:55:24 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2021-04-09T16:55:24Z</dc:date>
    <item>
      <title>Disable 443 Service on Outside Interface with RAVPN</title>
      <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4319679#M1079898</link>
      <description>&lt;P&gt;I am trying to forward port 443 to a local on-prem proxy so I can host webservers. I also need remote access VPN enabled, which as far as I can tell automatically enables the 443 service on the outside interface. This is happening even when I disable SSL and change the ports in the VPN config within FMC.&lt;/P&gt;&lt;P&gt;When I go to deploy the NAT rule to forward 443 while the VPN is enabled, I get the following error.&lt;/P&gt;&lt;P&gt;[ManualNatRule 6] Interface used in translated source and port used in translated source port are also being used in VPN. Please re-configure the interface and/or port.&lt;/P&gt;&lt;P&gt;The only way I have gotten the port to forward is if I disable the VPN, which is not an option. I've tried everything I can think of and have found on Google, including FlexConfig commands like:&lt;/P&gt;&lt;P&gt;"group-policy DfltGrpPolicy attributes&lt;/P&gt;&lt;P&gt;no webvpn"&lt;/P&gt;&lt;P&gt;and&lt;/P&gt;&lt;P&gt;"webvpn&lt;/P&gt;&lt;P&gt;keepout "503 Service Unavailable"&lt;/P&gt;&lt;P&gt;and&lt;/P&gt;&lt;P&gt;"webvpn&lt;BR /&gt;portal-access-rule 1 deny any"&lt;/P&gt;&lt;P&gt;Which was found in the below bug report.&lt;/P&gt;&lt;P&gt;&lt;A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp81746/?rfs=iqvred" target="_blank" rel="noopener"&gt;https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp81746/?rfs=iqvred&lt;/A&gt;&lt;/P&gt;&lt;P&gt;However, none of these stop the FTD from binding the 443 service to the crypto ipsec config on the outside interface. Is there any way to stop that from happening?&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Wed, 07 Apr 2021 03:50:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4319679#M1079898</guid>
      <dc:creator>SamDominguez6839</dc:creator>
      <dc:date>2021-04-07T03:50:08Z</dc:date>
    </item>
    <item>
      <title>Re: Disable 443 Service on Outside Interface with RAVPN</title>
      <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321128#M1079981</link>
      <description>&lt;P&gt;Can you check the connection profile, access interfaces tab? You need to change the web access port number and DTLS port number there to make sure the FTD is not listening on those. It will try to use 443 there for the client downloads and profile update even for an IKEv2 remote access VPN.&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 16:55:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321128#M1079981</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2021-04-09T16:55:24Z</dc:date>
    </item>
    <item>
      <title>Re: Disable 443 Service on Outside Interface with RAVPN</title>
      <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321251#M1079987</link>
      <description>&lt;P&gt;Hey Marvin,&lt;/P&gt;&lt;P&gt;Thanks for the reply. I've tried changing the port on the access interface tab to several different ports to no avail. In my initial post I attached a screenshot (vpnAI.png) showing it changed to port 8000 with DTLS and SSL disabled. I've tried changing it to other ports as well, like 8443, 8080, and random ephemeral ports, but still no go. Even with these settings changed within FMC, when I do a show run | i 443 I still get what's showing in the attached "showrun443.png" screenshot.&lt;/P&gt;&lt;P&gt;I'll give it another shot by trying to create a brand new policy from scratch. I am currently working with TAC on this issue as well and will update this post with further findings.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Sam&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 22:50:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321251#M1079987</guid>
      <dc:creator>SamDominguez6839</dc:creator>
      <dc:date>2021-04-09T22:50:43Z</dc:date>
    </item>
    <item>
      <title>Re: Disable 443 Service on Outside Interface with RAVPN</title>
      <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321261#M1079988</link>
      <description>&lt;P&gt;It seems to be the IPsec proposal that is using port 443. Is there a way to change that?&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 23:39:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321261#M1079988</guid>
      <dc:creator>SamDominguez6839</dc:creator>
      <dc:date>2021-04-09T23:39:59Z</dc:date>
    </item>
    <item>
      <title>Re: Disable 443 Service on Outside Interface with RAVPN</title>
      <link>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321280#M1079990</link>
      <description>&lt;P&gt;This was solved by disabling IPsec on the access interface and changing the ports on DTLS/SSL. Where can I put in a feature request to change the IPsec proposal port?&lt;/P&gt;</description>
      <pubDate>Sat, 10 Apr 2021 01:51:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/disable-443-service-on-outside-interface-with-ravpn/m-p/4321280#M1079990</guid>
      <dc:creator>SamDominguez6839</dc:creator>
      <dc:date>2021-04-10T01:51:44Z</dc:date>
    </item>
  </channel>
</rss>

