08-09-2016 01:25 AM - edited 03-12-2019 01:06 AM
Hi All,
Bit of a puzzler, I've added an interface for a backup line on an ASA. The ACL for the interface is "deny ip any any". An nmap scan of the interface from the outside shows all ports *except* TCP/443 closed:
[blah]$ nmap -p0-65000 <snip>
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-08 20:02 CEST
Host is up (0.025s latency).
Not shown: 65000 filtered ports
PORT STATE SERVICE
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 138.34 seconds
ACL shows a normal hit, so should drop the packet without a RST (like it does for all other ports!)
3 | Aug 08 2016 | 18:08:55 | 710003 | <snip> | 46960 | <snip> | 443 | TCP access denied by ACL from <snip>/46960 to OUTSIDE_BACK:<snip>/443 |
Some thoughts:
Anyone got a clue?
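As an added check (not from this thread or from Cisco), a small Python script that parses the nmap output and the pipe-separated ASA 710003 syslog lines quoted above and lists the TCP ports that the ACL log says were denied yet nmap still saw answered (reported closed, i.e. a RST came back, rather than filtered). The interface name OUTSIDE_BACK and the message id 710003 come from the thread; the IP addresses in the sample data are constructed.

```python
import re

# Constructed sample input modelled on the nmap output quoted in the thread.
NMAP_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-08 20:02 CEST
Host is up (0.025s latency).
Not shown: 65000 filtered ports
PORT STATE SERVICE
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 138.34 seconds
"""

# Constructed ASA syslog lines in the pipe-separated format quoted in the thread
# (message 710003 = to-the-box TCP connection denied by ACL); IPs are made up.
ASA_LOG = """\
3 | Aug 08 2016 | 18:08:55 | 710003 | 198.51.100.7 | 46960 | 203.0.113.2 | 443 | TCP access denied by ACL from 198.51.100.7/46960 to OUTSIDE_BACK:203.0.113.2/443 |
3 | Aug 08 2016 | 18:08:55 | 710003 | 198.51.100.7 | 46961 | 203.0.113.2 | 22 | TCP access denied by ACL from 198.51.100.7/46961 to OUTSIDE_BACK:203.0.113.2/22 |
"""

# "443/tcp closed https" -> port, protocol, state, service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
# "... | 710003 | ... to OUTSIDE_BACK:203.0.113.2/443 |" -> interface, ip, port
DENY_RE = re.compile(r"\|\s*710003\s*\|.*?\bto\s+(\S+?):([\d.]+)/(\d+)")


def nmap_ports(text):
    """Return {(port, proto): state} for every port nmap listed explicitly."""
    return {(int(p), proto): state for p, proto, state, _svc in PORT_RE.findall(text)}


def acl_denied_ports(text):
    """Return {(interface, port)} for every 710003 'access denied by ACL' event."""
    return {(iface, int(port)) for iface, _ip, port in DENY_RE.findall(text)}


def unexpected_responders(nmap_text, asa_text, iface):
    """TCP ports on `iface` that the ACL log says were denied but that nmap still
    saw answered (any state other than 'filtered' means a reply came back).
    On an interface with a deny-all ACL this list should be empty."""
    denied = {port for i, port in acl_denied_ports(asa_text) if i == iface}
    return sorted(port for (port, proto), state in nmap_ports(nmap_text).items()
                  if proto == "tcp" and state != "filtered" and port in denied)


if __name__ == "__main__":
    print(unexpected_responders(NMAP_OUTPUT, ASA_LOG, "OUTSIDE_BACK"))  # [443]
```

Port 22 is denied in the log but never appears in the nmap listing (it is among the filtered ports), so only 443 is flagged; that is the port to compare against whatever the ASA itself has bound on that interface.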
08-09-2016 01:32 AM
Hello.
Do you have the http command enabled for that interface?
http server enable 443
http 0.0.0.0 0.0.0.0 <interface>
//Cristian
08-09-2016 02:20 AM
Good thought! It is enabled:
http server enable 443
But it's not bound to that interface (an inside one and a management one), and even then it's not 0.0.0.0 but selected subnets that wouldn't match this test. Anything else I'm missing?