ASA - TCP/443 shows closed, not filtered?! All other ports filtered, default deny.

Paul Masterton
Level 1

Hi All,

Bit of a puzzler: I've added an interface for a backup line on an ASA. The ACL for the interface is "deny ip any any". An nmap scan of the interface from the outside shows all ports *except* TCP/443 filtered, and 443 closed:

[blah]$ nmap -p0-65000 <snip>

Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-08 20:02 CEST
Host is up (0.025s latency).
Not shown: 65000 filtered ports
PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 138.34 seconds

ACL shows a normal hit, so should drop the packet without a RST (like it does for all other ports!)

3 Aug 08 2016 18:08:55 710003 <snip> 46960 <snip> 443 TCP access denied by ACL from <snip>/46960 to OUTSIDE_BACK:<snip>/443

Some thoughts:

  • It's not an upstream device as if I shut the interface on the ASA the port becomes "filtered".
  • The ASA is running WebVPN but it's not bound to this interface.
  • The only "special" thing for the interface is there's no route out of it; it's used for some egress PBR.

Anyone got a clue?
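The distinction the scan above turns on is how nmap derives its port states: a SYN that gets no reply is reported "filtered" (what a deny ACL produces), a SYN/ACK is "open", and a RST is "closed", which means some TCP stack saw the probe and refused it rather than dropping it. The following script is an added example, not code from the thread or from Cisco: it encodes that mapping, parses nmap's normal output in the shape quoted in the post, and lists every port on a supposedly deny-all interface that was answered instead of dropped. The sample scan output, host address and port set are constructed placeholders.

```python
import re

# Constructed sample input (not the post's own scan): nmap "normal" output in the
# same shape as the scan quoted in the thread, with placeholder host and ports.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-08 20:02 CEST
Nmap scan report for 192.0.2.10
Host is up (0.025s latency).
Not shown: 64998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 138.34 seconds
"""

# One port line of nmap normal output, e.g. "443/tcp closed https"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)"
)
# The summary line for ports nmap does not list individually
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>[a-z|]+) ports")


def classify_syn_reply(tcp_flags):
    """Map the reply to a TCP SYN probe onto the state nmap would report.

    tcp_flags is a string of flag letters as tcpdump/scapy print them ("SA",
    "RA", "R"), or None when nothing came back within the timeout.
      None       -> "filtered": silently dropped, which is what a deny ACL does
      SYN+ACK    -> "open":     a listener accepted the handshake
      RST(+ACK)  -> "closed":   a TCP stack saw the SYN and refused it, so the
                                probe reached a host stack instead of being dropped
    """
    if tcp_flags is None:
        return "filtered"
    flags = set(tcp_flags.upper())
    if {"S", "A"} <= flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "unknown"  # e.g. ICMP unreachables are not handled here


def parse_nmap_ports(text):
    """Return (ports, not_shown) from nmap normal output.

    ports:     one dict per explicitly listed port line
    not_shown: (count, state) from the "Not shown:" summary, or None if absent
    """
    ports = []
    not_shown = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
            })
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m["count"]), m["state"])
    return ports, not_shown


def audit_deny_all_interface(text):
    """Ports that break the expectation for an interface whose transit ACL is
    'deny ip any any': every probed port should come back 'filtered'.

    Anything reported 'closed' or 'open' was answered by a TCP stack, so it is
    worth finding out what on (or behind) the firewall answered for that port.
    """
    ports, not_shown = parse_nmap_ports(text)
    findings = [p for p in ports if p["state"] != "filtered"]
    if not_shown and not_shown[1] != "filtered":
        findings.append({"port": None, "proto": None, "state": not_shown[1],
                         "service": f"{not_shown[0]} summarised ports"})
    return findings


if __name__ == "__main__":
    for f in audit_deny_all_interface(SAMPLE_NMAP_OUTPUT):
        print(f"{f['port']}/{f['proto']} {f['state']} ({f['service']}): "
              "answered by a TCP stack, not dropped")
```

Run it against a saved `nmap -oN` file of any deny-all interface; the only acceptable result is an empty list. For a port flagged "closed", the RST came from a stack that received the SYN, so the next step is on the firewall itself (on an ASA, `show run http`, `show run webvpn` and `show asp table socket` show which services the box is listening on and on which interfaces) rather than in the transit ACL, which a RST-producing packet has by definition not been dropped by.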

2 Replies

Hello.

Do you have the http command enabled for that interface?

http server enable 443
http 0.0.0.0 0.0.0.0 <interface>

//Cristian

Good thought! It is enabled:

http server enable 443

But it's not bound to that interface (an inside one and a management one), and even then it's not 0.0.0.0 but selected subnets that wouldn't match this test. Anything else I'm missing?
