Disable 443 Service on Outside Interface with RAVPN

I am trying to forward port 443 to a local on prem proxy so I can host webservers. I also need remote access vpn enabled which as far as I can tell automatically enables the 443 service on the outside interface. This is happening even when I disable SSL and change the ports in the VPN config within FMC. 

When I go to deploy the NAT rule to forward 443 while the VPN is enabled I get the following error.

[ManualNatRule 6] Interface used in translated source and port used in translated source port are also being used in VPN. Please re-configure the interface and/or port.

The only way I have gotten the port to forward is if I disable the VPN, which is not an option. I've tried everything I can think of and have found on Google, including FlexConfig commands like:

"group-policy DfltGrpPolicy attributes
no webvpn"

and

"webvpn
keepout "503 Service Unavailable"

and

"webvpn
portal-access-rule 1 deny any"

which was found in the bug report below.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp81746/?rfs=iqvred

However none of these stop the FTD from binding the 443 service to the crypto ipsec config on the outside interface. Is there any way to stop that from happening?

Thank you!


Marvin Rhoads
Hall of Fame

Can you check the connection profile, access interfaces tab? You need to change the web access port number and DTLS port number there to make sure the FTD is not listening on those. It will try to use 443 there for the client downloads and profile update even for an IKEv2 remote access VPN.

Hey Marvin,

Thanks for the reply. I've tried changing the port on the access interface tab to several different ports to no avail. In my initial post I attached a screenshot (vpnAI.png) showing it changed to port 8000 with DTLS and SSL disabled. I've tried changing it to other ports as well, like 8443, 8080, and random ephemeral ports, but still no go. Even with these settings changed within FMC, when I do a show run | i 443 I still get what's showing in the attached "showrun443.png" screenshot.

I'll give it another shot by trying to create a brand new policy from scratch. I am currently working with TAC on this issue as well and will update this post with further findings.

Thanks!

Sam

It seems to be the IPsec proposal that is using port 443. Is there a way to change that?

This was solved by disabling IPsec on the access interface and changing the ports on DTLS/SSL. Where can I put in a feature request to change the IPsec proposal port?
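A pre-deploy check for the conflict this thread hits, added here as an example that is not from the thread or from Cisco: it parses a constructed show run excerpt in ASA/FTD-style syntax and reports which RA-VPN listeners claim the interface and port a NAT rule wants, which is what the FMC deploy error is complaining about. The crypto ikev2 client-services line standing in for the "IPsec proposal" port is my assumption about what the screenshot showed; compare the parsed lines against your own show run | i 443.

```python
import re

# Constructed "show run" excerpt in ASA/FTD-style syntax (not the thread's screenshot): webvpn
# moved to 8000 as in the post, but IKEv2 client services (assumed to be the "IPsec proposal"
# still claiming 443) is left on its default port.
SHOW_RUN_BEFORE = """\
webvpn
 enable outside
 port 8000
 dtls port 8000
crypto ikev2 enable outside client-services port 443
"""

# Same excerpt after the accepted fix (IPsec disabled on the access interface).
SHOW_RUN_AFTER = """\
webvpn
 enable outside
 port 8000
 dtls port 8000
"""

def vpn_listeners(show_run):
    """Return a set of (interface, port, source) tuples the RA-VPN config binds."""
    listeners, webvpn_ifaces, in_webvpn = set(), [], False
    web_port, dtls_port = 443, 443  # platform defaults when no port line is present
    for line in show_run.splitlines():
        if line == "webvpn":  # top-level block only; the indented "webvpn" under
            in_webvpn = True  # group-policy attributes is deliberately not matched
            continue
        if in_webvpn and line.startswith(" "):
            if m := re.match(r" enable (\S+)$", line):
                webvpn_ifaces.append(m.group(1))
            elif m := re.match(r" port (\d+)$", line):
                web_port = int(m.group(1))
            elif m := re.match(r" dtls port (\d+)$", line):
                dtls_port = int(m.group(1))
            continue
        in_webvpn = False
        if m := re.match(r"crypto ikev2 enable (\S+) client-services port (\d+)$", line):
            listeners.add((m.group(1), int(m.group(2)), "ikev2 client-services"))
    for ifc in webvpn_ifaces:
        listeners.add((ifc, web_port, "webvpn port"))
        listeners.add((ifc, dtls_port, "webvpn dtls port"))
    return listeners

def nat_conflicts(show_run, interface, translated_port):
    """Emulate FMC's deploy check: VPN listeners on the NAT rule's interface and port."""
    return sorted(src for ifc, port, src in vpn_listeners(show_run)
                  if ifc == interface and port == translated_port)
```

Run nat_conflicts(show_run_text, "outside", 443) before pushing the NAT rule; an empty list means nothing VPN-related still owns that interface/port pair.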
