ASA - Fail PCI Scan - 443

#TCN
Level 1

Hi All,

My customer has failed a PCI compliance test on their ASA (5510) port 443. I suspect this is clientless VPN related, as the notes below were made in the report relating to the Cisco ASA public IP.

Web Directory: /+CSCOE+/ 443/tcp
Web Directory: /+CSCOU+/ 443/tcp
Web Directory: /+webvpn+/ 443/tcp

Would this fix be an upgrade to the ASA code itself?

Any thoughts or assistance would be greatly appreciated.

Cheers

James

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I guess those are all related to SSL VPN. Are you using SSL VPN at all then?

You could check the "webvpn" configurations with the command

show run webvpn

or perhaps

show run all webvpn

I am not sure if a simple command "no webvpn" will disable the device from listening on that port. In the case of management connection configurations like "http" and "ssh", I think the ASA will use those instead of any interface or control-plane ACL to define if the connection is allowed or not.

If you have software that supports the command "access-group <acl name> in interface <external interface> control-plane" (unless I remember the command format wrong) then you could configure a separate ACL with which you limit connectivity to the interface IP address on your ASA's external interface.

There is also a command that shows the ports that the device is listening on and active connections to the box

show asp table socket

I have a feeling though that it might not show everything.

- Jouni
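As an added illustration of the approach in this reply (this is not Jouni's or Cisco's own text), here is how the checks and the two remediation options could look on an ASA whose software supports the control-plane keyword on access-group. The interface name outside, the outside address 198.51.100.10, the trusted management subnet 203.0.113.0/24 and the ACL name TO-BOX-OUTSIDE are assumed placeholders; lines starting with ! are commentary.

```text
! --- 1. Check whether the SSL VPN listener is enabled on the outside interface,
!        and whether ASDM/HTTP management is also allowed on 443 from outside.
show run webvpn
show run http
show asp table socket | include 443

! --- 2. If SSL VPN (clientless or AnyConnect) is not used at all, turn the
!        listener off on that interface instead of filtering it.
webvpn
 no enable outside

! --- 3. Otherwise restrict who may reach TCP/443 on the outside interface IP
!        with a to-the-box (control-plane) ACL. Order matters: permit trusted
!        sources first, then deny 443 from everyone else, then permit all other
!        to-the-box traffic so the implicit deny at the end of the ACL does not
!        also drop IPsec, ICMP and similar traffic destined to the ASA itself.
access-list TO-BOX-OUTSIDE extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 443
access-list TO-BOX-OUTSIDE extended deny tcp any host 198.51.100.10 eq 443
access-list TO-BOX-OUTSIDE extended permit ip any any
access-group TO-BOX-OUTSIDE in interface outside control-plane

! --- 4. Confirm the scanner's source now matches the deny line (hit counts).
show access-list TO-BOX-OUTSIDE
```

Two caveats when applying this: keep an existing management session open while the control-plane ACL is applied, since the ACL also governs management traffic to that interface and a mistake can lock you out; and re-run the external scan afterwards, because the /+CSCOE+/, /+CSCOU+/ and /+webvpn+/ paths only disappear if nothing on the ASA answers on 443 for untrusted sources.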

2 Replies


#TCN
Level 1

Thanks Jouni :-)

All sorted now.

Regards,

James
