Re: ASA REST API and AnyConnect page

Oleg Volkov · ‎09-09-2019

Hello.

If I have enabled http server on outside for AnyConnect page, and want to enable REST API plugin, how I can restrict REST request only on inside interface?

Thank You

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Rob Ingram · ‎09-09-2019

Hi,
You would restrict access to the ASA API similar to how you would restrict access to ASDM. E.g:-

http server enable
http 192.168.0.0 255.255.0.0 inside

HTH

Oleg Volkov · ‎09-09-2019

If I do this, will my WebVpn portal on outside interface continue working?

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Marvin Rhoads · ‎09-09-2019

Yes - it will continue to work.

The "http server" command (and restrictions you add to it) relates to management connections to the ASA (ASDM and REST API). We typically recommend that you do NOT allow https server on the outside interface. It exposes the management plane to potential vulnerabilities and denial of service attacks.

Your remote access VPN (a data plane service) is enabled (i.e. listening for https connections to the service) via the "enable <nameif> in the webvpn section of the configuration.

Oleg Volkov · ‎09-09-2019

Thank You!
Sorry for my stupid question :-)
I have already http server only inside :-)

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Marvin Rhoads · ‎09-09-2019

You're welcome.

No worries - it's a perfectly legitimate question and the documentation could make the distinction more clearly.