08-02-2010 04:52 PM - edited 03-11-2019 11:20 AM
Hi Guys,
Well, I configured WebVPN on a Cisco 5505 for test purposes; everything went well. Now I disabled the WebVPN using:
asa(config)#webvpn
asa(config-webvpn)# no enable outside
Now, the problem is that after disabling the WebVPN, it stopped working, but the firewall outside IP which I was using for WebVPN is still active for TCP port 443. I have tried a few things but have no idea how I can disable this port 443 access to the firewall outside IP.
Please advise and guide me in the right direction.
Thanks
Manish
Labels: NGFW Firewalls
Accepted Solutions
08-02-2010 06:42 PM
Hello,
Magnus is correct. I tried it in one of our lab firewalls and verified it. I am running 8.3 code version.
ASA(config)# sh asp table socket
Protocol  Socket    Local Address         Foreign Address  State
SSL       0000e35f  192.168.254.106:443   0.0.0.0:*        LISTEN
TCP       00018fcf  192.168.254.106:23    0.0.0.0:*        LISTEN
TCP       0002a9bf  192.168.254.106:22    0.0.0.0:*        LISTEN
ASA(config)# http 10.1.1.1 255.255.255.255 outside
ASA(config)# sh asp table socket
Protocol  Socket    Local Address         Foreign Address  State
SSL       0000e35f  192.168.254.106:443   0.0.0.0:*        LISTEN
TCP       00018fcf  192.168.254.106:23    0.0.0.0:*        LISTEN
TCP       0002a9bf  192.168.254.106:22    0.0.0.0:*        LISTEN
SSL       0044146f  192.168.1.254:443     0.0.0.0:*        LISTEN
ASA(config)# no http 10.1.1.1 255.255.255.255 outside
ASA(config)# sh asp table socket
Protocol  Socket    Local Address         Foreign Address  State
SSL       0000e35f  192.168.254.106:443   0.0.0.0:*        LISTEN
TCP       00018fcf  192.168.254.106:23    0.0.0.0:*        LISTEN
TCP       0002a9bf  192.168.254.106:22    0.0.0.0:*        LISTEN
Hope this helps.
Regards,
NT
08-02-2010 07:51 PM
Manish,
After removing those http commands, what do you see in 'show asp table socket'? That output is usually a reliable way to see if there is a LISTENER attached to that socket.
- Magnus
08-02-2010 05:37 PM
Manish,
Do you have any 'http' config lines for the outside interface? Please send the following output:
show run http
show asp table socket
- Magnus
08-02-2010 05:47 PM
08-02-2010 06:20 PM
Manish,
Since you have "http server enable" and http lines related to the outside interface, the outside interface IP of the firewall will have an OPEN HTTPS socket so you can do ASDM from the outside. If you want to 'close' the https connection on the outside interface you will need to remove any http lines related to the outside interface.
- Magnus
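As an added example (not code from this thread, nor from Cisco), here is a small Python parser for the `show asp table socket` output NT posted above. It applies the check Magnus describes: list the LISTEN sockets bound to a given interface IP and port, and diff two dumps taken before and after a config change so that a new HTTPS listener created by an `http ... outside` line stands out. The column layout and the three sample dumps are taken from NT's post; the class and function names are my own.

```python
"""Parse Cisco ASA `show asp table socket` output and flag listeners.

Added example, not code from the thread or from Cisco. It assumes the
column layout shown in NT's post (Protocol, Socket, Local Address,
Foreign Address, State); the three dumps below are copied from that post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One data row of the socket table. The header line and the CLI prompt lines
# never match because the Socket column must be lowercase hex.
SOCKET_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<sock>[0-9a-f]+)\s+"
    r"(?P<laddr>[0-9.]+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>[0-9.]+):(?P<fport>\d+|\*)\s+(?P<state>[A-Z_]+)\s*$"
)

# Dumps from NT's post: baseline, after `http 10.1.1.1 255.255.255.255 outside`,
# and after removing that line again.
BASELINE = """\
ASA(config)# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e35f 192.168.254.106:443 0.0.0.0:* LISTEN
TCP 00018fcf 192.168.254.106:23 0.0.0.0:* LISTEN
TCP 0002a9bf 192.168.254.106:22 0.0.0.0:* LISTEN
"""
WITH_HTTP_OUTSIDE = BASELINE + "SSL 0044146f 192.168.1.254:443 0.0.0.0:* LISTEN\n"
AFTER_REMOVAL = BASELINE


@dataclass(frozen=True)
class Socket:
    proto: str
    socket_id: str
    local_ip: str
    local_port: str
    foreign: str
    state: str


def parse_asp_sockets(text: str) -> list[Socket]:
    """Return the socket rows found in one `show asp table socket` dump."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            rows.append(Socket(m["proto"], m["sock"], m["laddr"], m["lport"],
                               f"{m['faddr']}:{m['fport']}", m["state"]))
    return rows


def listeners_on(rows: list[Socket], ip: str, port: int = 443) -> list[Socket]:
    """LISTEN sockets bound to ip:port, i.e. the 'is 443 really open here?' check."""
    return [r for r in rows
            if r.state == "LISTEN" and r.local_ip == ip and r.local_port == str(port)]


def diff_sockets(before: list[Socket], after: list[Socket]):
    """(added, removed) rows between two dumps, keyed by the Socket column."""
    b = {r.socket_id: r for r in before}
    a = {r.socket_id: r for r in after}
    added = [a[k] for k in a.keys() - b.keys()]
    removed = [b[k] for k in b.keys() - a.keys()]
    return added, removed


if __name__ == "__main__":
    base = parse_asp_sockets(BASELINE)
    with_http = parse_asp_sockets(WITH_HTTP_OUTSIDE)
    added, removed = diff_sockets(base, with_http)
    for s in added:
        print(f"new listener after http line: {s.proto} {s.local_ip}:{s.local_port}")
    for s in removed:
        print(f"listener gone: {s.proto} {s.local_ip}:{s.local_port}")
    print("443 on 192.168.1.254 after removal:",
          listeners_on(parse_asp_sockets(AFTER_REMOVAL), "192.168.1.254"))
```

Run it against two saved dumps (baseline and after the change) to confirm that removing the outside `http` line really drops the SSL listener on the outside IP; if Nmap still reports 443 open while no LISTEN row exists for that IP, the replies are coming from something other than the ASDM/WebVPN listener, which is the situation the capture Magnus suggests is meant to resolve.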
08-02-2010 06:30 PM
Really?
I have another 5505, running the same code and with a similar configuration for http server, but on this firewall I never configured WebVPN. So when I run Nmap against both of the firewalls, I see no port open on the firewall where I did not configure-then-disable WebVPN, whereas this firewall shows that port 443 is open.
Another strange issue is that even after disabling the http server on this firewall, the web browser times out, but Nmap still shows that port 443 is open even though I can't telnet into it using port 443.
Well, I will troubleshoot it further and give this firewall a reboot at night and will update you. I also found that the code 8.0(4) that I am running did have a few issues with WebVPN, so I will look further into them.
Thanks
Manish
08-02-2010 06:35 PM
Manish,
If Nmap is still showing it open, it may be best to grab some simple captures on the outside interface and see what packets come in from the Nmap scan and what it looks like on the wire:
capture out int outside match tcp any host
! Run the nmap test
show cap out detail
- Magnus
08-02-2010 06:47 PM
Yeah, even after disabling the http server using "no http server enable", the Nmap packets were received by the firewall on the outside interface port 443 and a reply was sent back. I just issued the command "revert webvpn all", but it needs to be followed up with a reboot, so I will do that tonight and will update you tomorrow.
Thanks
Manish
08-02-2010 11:22 PM
Thanks Mr. M & Mr. NT. As I said before, I was running version 8.0(4) on that ASA and I did hit a known bug that leaves the WebVPN configuration even if you remove it from the outside interface. I have http access open for my whitelisted IPs, but Nmap is showing all filtered from random locations. Using the command "revert webvpn all" and a reload of the device fixed the issue.
Learned a few things:
1> sh asp table socket is a pretty much new command for me.
2> Never play with production devices; should always ask the company for test equipment lol.
Thanks for the quick response guys
Manish
