08-27-2024 10:04 AM
I am seeing what appears to be a botnet (mainly Brazil IPs) trying to brute force connect to my ASA on port 443. Hundreds of thousands of attempts per day, but slow enough not to trip threat detection. I've created an ACL group to block control plane connections and added a bunch of IP ranges, but they appear to be using thousands of different ranges so this is not going to work very well.
What I think we could do is turn off SSL VPN to stop 443 from listening, but I'm not sure if it would affect our Secure Client users (or site to site?). We use IPsec entirely with MFA through Azure. I'm also primarily an ASDM user, not a firewall expert by any means.
Is this as simple as unchecking the SSL box for outside access on the connection profile setup page?
08-27-2024 10:11 AM
Your secure client users must be using SSL/TLS as SAML requires it.
While you can use IPsec for remote access VPN, it is not possible when using SAML for authentication since SAML (both client to server (ASA) and server to IDP (Azure)) runs over SSL/TLS.
08-27-2024 10:28 AM
OK, that's what I was worried about. I do see users initiate an SSL handshake first before moving to IPsec. I suppose I have to get the ISP to block this botnet upstream of the ASA then.
08-27-2024 10:31 AM
Yes, SAML runs over SSL/TLS but not through the ASA.
The SAML will be done between client and GW over SSL/TLS.
@sysad43 I think you can disable it.
08-27-2024 10:39 AM
@MHM Cisco World please see the flow in the following diagram. The redirect from the SP (ASA or FTD) and HTTP POST back from the IDP (Entra ID running in Azure in this case) both run over SSL/TLS. Disabling SSL will break that flow.
08-27-2024 10:43 AM
Redirect: if he uses SSL AnyConnect then he needs HTTP (SSL/TLS), but if he uses IPsec then the redirect will be encapsulated inside the IPsec IKEv2 tunnel.
MHM
08-27-2024 10:48 AM
If it helps, here is our config
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.01075-webdeploy-k9.pkg 2
 anyconnect enable
 saml idp https://sts.windows.net/OURSAMLID
  url sign-in https://login.microsoftonline.com/OURSAMLID/saml2
  url sign-out https://login.microsoftonline.com/OURSAMLID/saml2
  base-url https://OURASA
  trustpoint idp AzureAD-AC-SAML2
  no signature
  no force re-authentication
 tunnel-group-list enable
 keepout "Service out temporarily."
 cache
  disable
 error-recovery disable
08-28-2024 01:40 AM
Can you capture traffic on outside and specify:
1- match ip host <public ip of client> host <public ip of ASA outside interface>
2- tcp port 443
If you detect any traffic between client and ASA then both need SSL/TLS and @Marvin Rhoads is correct; if not, then you can disable it.
MHM
08-28-2024 09:58 AM
I will try that, but at least in syslog I do see 443 traffic initially from VPN clients. xxxx is the client IP.
2024-08-28 11:35:03.018 Aug 28 2024 11:35:03: %ASA-6-302013: Built inbound TCP connection 19566647 for outside:xxxx/60362 (xxxx/60362) to identity:ASA/443 (ASA/443)
2024-08-28 11:35:03.378 Aug 28 2024 11:35:03: %ASA-6-725001: Starting SSL handshake with client outside:xxxx/60362 to ASA/443 for TLS session
2024-08-28 11:35:03.378 Aug 28 2024 11:35:03: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint7 for client outside:xxxx/60362 to ASA/443
2024-08-28 11:35:03.792 Aug 28 2024 11:35:03: %ASA-6-725002: Device completed SSL handshake with client outside:xxxx/60362 to ASA/443 for TLSv1.2 session
2024-08-28 11:35:03.822 Aug 28 2024 11:35:03: %ASA-6-725007: SSL session with client outside:xxxx/60362 to ASA/443 terminated
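To make the check discussed in this thread concrete, here is an added example (my own, not from this thread, the poster's ASA, or Cisco): a small Python script that parses ASA syslog messages with the message IDs shown in the post above (302013, 725001, 725002, 725007), and for each source address counts TCP connections built to port 443 on the outside interface and whether a TLS handshake actually completed. A known VPN client address that completes handshakes confirms SSL/TLS is in use on that path; addresses with repeated built connections and no completed handshake match the slow scanning traffic described in the first post. The sample log lines are constructed with documentation addresses, and the attempt threshold and the set of known client addresses are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, mirroring the message formats posted above.
# Addresses are documentation ranges; 198.51.100.10 plays a real VPN client,
# 192.0.2.40/41 play scanners that open connections but never finish TLS.
# The 725016 trust-point line is present to show it is simply ignored.
SAMPLE_SYSLOG = """\
Aug 28 2024 11:35:03: %ASA-6-302013: Built inbound TCP connection 19566647 for outside:198.51.100.10/60362 (198.51.100.10/60362) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:03: %ASA-6-725001: Starting SSL handshake with client outside:198.51.100.10/60362 to 203.0.113.1/443 for TLS session
Aug 28 2024 11:35:03: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint7 for client outside:198.51.100.10/60362 to 203.0.113.1/443
Aug 28 2024 11:35:03: %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.10/60362 to 203.0.113.1/443 for TLSv1.2 session
Aug 28 2024 11:35:03: %ASA-6-725007: SSL session with client outside:198.51.100.10/60362 to 203.0.113.1/443 terminated
Aug 28 2024 11:35:09: %ASA-6-302013: Built inbound TCP connection 19566701 for outside:192.0.2.40/41000 (192.0.2.40/41000) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:09: %ASA-6-725001: Starting SSL handshake with client outside:192.0.2.40/41000 to 203.0.113.1/443 for TLS session
Aug 28 2024 11:35:15: %ASA-6-302013: Built inbound TCP connection 19566702 for outside:192.0.2.40/41001 (192.0.2.40/41001) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:21: %ASA-6-302013: Built inbound TCP connection 19566703 for outside:192.0.2.40/41002 (192.0.2.40/41002) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:30: %ASA-6-302013: Built inbound TCP connection 19566710 for outside:192.0.2.41/50000 (192.0.2.41/50000) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:36: %ASA-6-302013: Built inbound TCP connection 19566711 for outside:192.0.2.41/50001 (192.0.2.41/50001) to identity:203.0.113.1/443 (203.0.113.1/443)
Aug 28 2024 11:35:42: %ASA-6-302013: Built inbound TCP connection 19566712 for outside:192.0.2.41/50002 (192.0.2.41/50002) to identity:203.0.113.1/443 (203.0.113.1/443)
"""

# 302013: Built inbound TCP connection <id> for <if>:<src>/<sport> (...) to <if>:<dst>/<dport>
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection \d+ for "
    r"(\w+):(\S+?)/(\d+) \(.*?\) to (\w+):(\S+?)/(\d+)"
)
# 725001 / 725002 / 725007 all carry "client <if>:<src>/<sport> to <dst>/<dport>"
SSL_RE = re.compile(
    r"%ASA-6-(725001|725002|725007): .*? client (\w+):(\S+?)/(\d+) to (\S+?)/(\d+)"
)


@dataclass
class SourceStats:
    built: int = 0                # TCP connections built to the ASA's 443
    handshake_started: int = 0    # 725001
    handshake_completed: int = 0  # 725002
    sessions_terminated: int = 0  # 725007


def summarize(text, iface="outside", port=443):
    """Per-source counters for connections to <port> arriving on <iface>."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            src_if, src_ip, _sport, _dst_if, _dst, dport = m.groups()
            if src_if == iface and int(dport) == port:
                stats[src_ip].built += 1
            continue
        m = SSL_RE.search(line)
        if not m:
            continue  # any other message ID (e.g. 725016) is ignored
        msg_id, src_if, src_ip, _sport, _dst, dport = m.groups()
        if src_if != iface or int(dport) != port:
            continue
        s = stats[src_ip]
        if msg_id == "725001":
            s.handshake_started += 1
        elif msg_id == "725002":
            s.handshake_completed += 1
        else:
            s.sessions_terminated += 1
    return dict(stats)


def classify(stats, min_attempts=3):
    """Return (sources that completed TLS, sources with >= min_attempts built
    connections and no completed handshake). min_attempts is an assumed threshold."""
    completes = sorted(ip for ip, s in stats.items() if s.handshake_completed > 0)
    no_handshake = sorted(
        ip for ip, s in stats.items()
        if s.handshake_completed == 0 and s.built >= min_attempts
    )
    return completes, no_handshake


def clients_using_ssl(stats, known_client_ips):
    """Of the known VPN client addresses, which ones completed a TLS handshake
    directly to the ASA (i.e. SSL/TLS is in use and cannot simply be disabled)."""
    return sorted(ip for ip in known_client_ips
                  if ip in stats and stats[ip].handshake_completed > 0)


if __name__ == "__main__":
    st = summarize(SAMPLE_SYSLOG)
    ok, scanners = classify(st)
    print("completed TLS:", ok)
    print("repeated connects, no TLS completion:", scanners)
    print("known clients using SSL:", clients_using_ssl(st, {"198.51.100.10"}))
```

Run it against an exported syslog file instead of SAMPLE_SYSLOG by reading the file into `summarize()`; the per-source counters make it easy to see at a glance which addresses belong to real Secure Client users (handshakes complete, then the session moves on) and which are the kind of slow, distributed connection attempts the first post describes.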
08-28-2024 10:02 AM
outside:xxxx/60362 <<- this xxxx is the public IP of the client. If yes, then the client uses HTTP directly, not inside the IPsec tunnel.
And hence you cannot disable it.
MHM