topic Hi , If i understand your in Network Security

How to deny access TO asa https / ssl from outside interface?

kevin.woodhouse — Fri, 21 Feb 2020 13:11:59 GMT

Hi all,

Hope this is quick win question. I have a Cisco ASA 5510 running 8.4 with ASDM 6.4. I've configured the ASA to terminate IPSec VPN clients successfully using the Cisco VPN client, we also have a couple of users with Anyconnect clients for IPSec. I don't have any SSL VPN clients configured. A recent audit has noticed the ASA is answering on port 443 when accessed from the outside. A cert error is thrown up and when continuing the browser displays a 404 error which is fine. Problem is I don't want the ASA to answer on port 443 for connections made to that interface. Reluctant to start playing around with ACL's as the connections on 443 are to the ASA and not through it, there has to be a better way. Any ideas.

Hi , Answer me few things ,

SANTHOSHKUMAR SARAVANAN — Tue, 03 Jun 2014 08:55:58 GMT

Hi ,

Answer me few things , do your asa is configured for both IPSEC VPN Client & Any connect VPN setup ?? or its only for IPSEC VPN client .

Your above statement is contradicting ( we also have a couple of users with Anyconnect clients for IPSec) , for your understanding anyconnect dont use IPSEC as protocol , its uses SSL/443 as protocol .

HTH

Sandy

Hi Sandy,We've pre-depolyed

kevin.woodhouse — Tue, 03 Jun 2014 09:05:07 GMT

Hi Sandy,

We've pre-depolyed our 2 anyconnect clients, so we use IPSec to connect, if you follow the anyconnect wizard step 3 (VPN Protocols) you have an option to only use IPSec and turn off SSL. We're not using SSL for deployment of these clients.

Thanks

Hi , If i understand your

SANTHOSHKUMAR SARAVANAN — Tue, 03 Jun 2014 12:53:56 GMT

Hi ,

If i understand your requirement correctly , you want to run IPSEC only & you want to disable SSL/anyconnect WebVPN .

on your configuration under webVPN . disable on the interface connecting to internet ,this will disable your existing any connect setup

hostname(config)# webvpn
hostname(config-webvpn)# no enable outside

HTH

Sandy

Hi All,Thanks for responses.

kevin.woodhouse — Wed, 04 Jun 2014 14:00:15 GMT

Hi All,

Thanks for responses. Managed to solve the problem by adding a management ACL on the outside. I wanted to deny requests to the ASA not through it, anyway that solved the problem so if anyone connects to the outside interface the ASA doesn't respond with the SSC error anymore it just drops the packet.