Prevent the ASA from displaying the SSLVPN portal page, at all.

irbk
Level 1

We have a "critical security finding" even though our ASA SSLVPN web portal login page is shut down on our ASA 5525.  The "test" that is done is an HTTP GET sent to https://<external IP>:443/+CSCOE+/logon.html and a response is returned.  The response that's returned is the appropriate shutdown notification page as configured on my ASA.  However, this is an automated system that no human looks at, so the fact that it returns a page at all is a "critical security finding".  I don't want to have to completely tear down the VPN configuration as it will be used again in the future.  Is there a way for me to prevent the ASA from sending any kind of response to the HTTP GET while still leaving the configuration in place?
Is it as simple as

  webvpn
   no enable outside


That doesn't appear to break any of the SSLVPN config but doesn't bring up any kind of webpage. Then it seems like I can re-enable with

  webvpn
   enable outside
   anyconnect enable

Then I'm able to reconnect to the SSLVPN.  This wouldn't affect any IPsec VPN connections, right?  That's just the SSLVPN connections?

Accepted Solution

Marvin Rhoads
Hall of Fame

You can just disable the binding of the SSL VPN to the interface. Deselect the binding in ASDM under the Remote Access VPN configuration section or, in the CLI, use:

  webvpn
   no enable <nameif>
Everything else can remain in place for future use/activation.


4 Replies


That only will have effect on the SSLVPN?  That won't do anything to any IPSecVPN tunnels or ASDM access on the outside interface?

Correct. The "webvpn" section of the config is specific to SSLVPN.

IPsec VPNs will have "ikev1/ikev2 enable <nameif>" commands for that listener process and ASDM uses the "http <address> <interface>" command along with "http server enable".

Three different functions with three different settings to enable them.

Perfect!  That's what I thought but I just wanted to verify.  Thanks!
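The accepted answer (unbind with "webvpn / no enable <nameif>") and the follow-up about the three independent listeners (webvpn, ikev1/ikev2, http) both leave one practical question open: how to confirm from the outside, the way the scanner does, that the portal no longer answers before asking for a re-scan. The script below is an added example written for this thread, not code from the original post or from Cisco. It reproduces the scanner's probe (an HTTPS GET to /+CSCOE+/logon.html) with curl and turns the result into a one-word verdict. ASA_HOST (a TEST-NET placeholder address) and the file name check_portal.sh are assumptions for the example, and curl must be on the path. One caveat worth checking: the ASA's own HTTP server used by ASDM listens on TCP 443 by default ("http server enable"), so if "http <address> outside" is configured, port 443 will still accept connections after "no enable outside"; the verdict distinguishes "nothing listening" from "something on 443 answered, but not with a portal page".

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the scanner's probe against an
# ASA outside interface and report whether the SSL VPN portal still answers.
# ASA_HOST is an assumption for the example; set it to the outside IP under test.
ASA_HOST="${ASA_HOST:-203.0.113.10}"   # constructed placeholder (TEST-NET-3)
PORTAL_PATH="/+CSCOE+/logon.html"       # the URL path the finding cited

# probe_portal HOST -> prints "<curl_exit>:<http_code>", e.g. "7:000" or "0:200".
# -k skips certificate validation because the ASA usually has a self-signed cert;
# --max-time bounds a filtered port; %{http_code} is 000 when no HTTP reply came.
probe_portal() {
    code=$(curl -sk --max-time 5 -o /dev/null -w '%{http_code}' "https://$1$PORTAL_PATH")
    rc=$?
    printf '%s:%s\n' "$rc" "$code"
}

# classify "<curl_exit>:<http_code>" -> one-word verdict.
# curl exit 7 = connection refused, 28 = timed out: nothing reachable on 443.
# exit 0 with 2xx/3xx: a page (or redirect) came back for the portal URL,
# which is exactly what the automated scanner flags.
# exit 0 with 4xx/5xx: some HTTPS listener on 443 answered (for example the
# ASA http server for ASDM, which defaults to 443) but not with a portal page.
classify() {
    rc=${1%%:*}
    code=${1#*:}
    case "$rc" in
        7|28) echo "closed" ;;
        0)
            case "$code" in
                2*|3*) echo "portal-responds" ;;
                4*|5*) echo "listener-but-no-portal" ;;
                *)     echo "unexpected-$code" ;;
            esac ;;
        *) echo "curl-error-$rc" ;;   # e.g. 35 = TLS handshake failed, 127 = no curl
    esac
}

# main: probe once, print the raw result and verdict, exit 0 only when closed,
# so the script can gate a re-scan request in a pipeline.
main() {
    result=$(probe_portal "$ASA_HOST")
    verdict=$(classify "$result")
    echo "$ASA_HOST$PORTAL_PATH -> $result ($verdict)"
    [ "$verdict" = "closed" ]
}

# Run only when executed as check_portal.sh, so the functions can be sourced.
if [ "${0##*/}" = "check_portal.sh" ]; then
    main
fi
```

Run it as `ASA_HOST=<outside IP> sh check_portal.sh` from a host outside the firewall. Pair the external probe with the on-box view of the three listeners the reply describes: `show running-config webvpn`, `show running-config crypto` (for the ikev1/ikev2 enable lines) and `show running-config http` each show only their own section, so you can confirm that only the webvpn binding changed.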
