cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


469
Views
0
Helpful
4
Replies
Highlighted
Beginner

SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

Dear All,

 

We use a third-party tool for vulnerability tests on our internet facing devices and for my Cisco ASA5508, i got this below error.

 

SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr .

 

I am not hosting any gateway service from this ASA, no SSL VPN or Anyconnect service.

 

I do not want to purchase a third-party certificate to make this error go away. 

 

I do have IPSec tunnels running from here and remoteVPN service (not using anyconnect). 

 

So, i did some research and understood that i need to disable https/SSL/443 services on the ASA to make this error go away. But, i would like to know if there would be any impact for my other services. and also i would like to know if i can accomplish this through some ACL on my outside interface.

 

CC-ASA5508-1# sh run http
http server enable
http CCNET 255.255.0.0 INTERNAL
http 10.0.0.0 255.0.0.0 INTERNAL
CC-ASA5508-1# sh asp table socket


Protocol Socket State Local Address Foreign Address
TCP 02016d48 LISTEN 10.207.4.2:22 0.0.0.0:*
SSL 0201f978 LISTEN 10.207.4.2:443 0.0.0.0:*
SSL 02025678 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
DTLS 00037b28 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
TCP c1a01998 ESTAB 10.207.4.2:22 172.16.32.77:59549
CC-ASA5508-1#

 

Thank you very much in advance.

Everyone's tags (1)
4 REPLIES 4
Participant

Re: SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

If you don't use VPN or ASDM on the firewall you won't be affecting anything by turning off SSL services.  

Beginner

Re: SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

Hi Ben,

 

Thank you very much for the response. I do use IPSec VPN and also Remote VPN. (we use the widows and MAC in-built VPN clients at customer laptops). So, will these be affected ?

Participant

Re: SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

IPSec will not be affected they don't use 443. Remote VPN however likely would be, most VPN clients require 443.

 

If you use remote VPNs though what do you have for a cert on the outside interface a self-signed? Is it signed with your company's PKI that the clients trust? If that is the case I wouldn't worry too much about the error, the cert is valid it is just the 3rd party tool that thinks it is untrusted.  

Beginner

Re: SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

Yes, I do have a self-signed Certificate on my ASA. We use L2TP/Ipsec protocol for the remote VPN. So, would it still be using 443 in the background. 

 

I am sorry for so many questions. am not so good with the certificate concepts. 

 

thank you very much.