Participant

ASA REST API and AnyConnect page

Hello.

If I have enabled the http server on outside for the AnyConnect page and want to enable the REST API plugin, how can I restrict REST requests to the inside interface only?

Thank You

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog
RJI, VIP Advocate

Re: ASA REST API and AnyConnect page

Hi,
You would restrict access to the ASA API similar to how you would restrict access to ASDM. E.g.:

http server enable
http 192.168.0.0 255.255.0.0 inside

HTH

Participant

Re: ASA REST API and AnyConnect page

If I do this, will my WebVpn portal on outside interface continue working?
Hall of Fame Master

Re: ASA REST API and AnyConnect page

Yes - it will continue to work.

The "http server" command (and restrictions you add to it) relates to management connections to the ASA (ASDM and REST API). We typically recommend that you do NOT allow https server on the outside interface. It exposes the management plane to potential vulnerabilities and denial of service attacks.

Your remote access VPN (a data plane service) is enabled (i.e. listening for https connections to the service) via the "enable <nameif>" command in the webvpn section of the configuration.
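
Added example, not part of the thread and not Cisco tooling: a small Python audit of a running-config that keeps the two planes apart as described above, flagging `http <net> <mask> <nameif>` management entries on an untrusted interface while reporting `enable <nameif>` under `webvpn` as the separate VPN listener. The sample config, the `audit` function and its `untrusted` parameter are constructed for illustration, and only IPv4 entries are parsed.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
webvpn
 enable outside
 anyconnect enable
"""

# Management access entry: http <network> <mask> <nameif> (IPv4 form only).
HTTP_ACL = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def audit(config, untrusted=("outside",)):
    """Report management-plane (ASDM/REST API) and WebVPN listeners separately."""
    report = {"server_enabled": False, "mgmt": [], "webvpn": [], "findings": []}
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw[0] == " "
        line = raw.strip()
        if not indented:
            # A new top-level command ends any previous sub-mode.
            in_webvpn = (line == "webvpn")
        if not indented and line.startswith("http server enable"):
            report["server_enabled"] = True
        elif not indented and (m := HTTP_ACL.match(line)):
            report["mgmt"].append(m.groups())
        elif in_webvpn and indented and line.startswith("enable "):
            # Data-plane listener for the VPN portal, independent of "http".
            report["webvpn"].append(line.split()[1])
    if report["server_enabled"]:
        for net, mask, nameif in report["mgmt"]:
            if nameif in untrusted:
                report["findings"].append(
                    f"management plane reachable from {net} {mask} on {nameif}")
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("WebVPN enabled on:", result["webvpn"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Removing the `http ... outside` line from the sample clears the finding while the `webvpn` listener on outside is still reported.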

Participant

Re: ASA REST API and AnyConnect page

Thank You!
Sorry for my stupid question :-)
I already have the http server on inside only :-)
Hall of Fame Master

Re: ASA REST API and AnyConnect page

You're welcome.

No worries - it's a perfectly legitimate question and the documentation could make the distinction more clearly.