11-06-2023 07:12 AM - edited 11-06-2023 07:31 AM
We have a "critical security finding" even though our ASA SSLVPN web portal login page is shut down on our ASA 5525. The "test" that is done is an HTTP GET sent to https://<external IP>:443/+CSCOE+/logon.html, and a response is returned. The response that's returned is the appropriate shutdown notification page as configured on my ASA. However, this is an automated system that no human looks at, so the fact that it returns a page at all is a "critical security finding". I don't want to have to completely tear down the VPN configuration as it will be used again in the future. Is there a way for me to prevent the ASA from sending any kind of response to the HTTP GET while still leaving the configuration in place?
Is it as simple as
WebVPN
no enable outside
That doesn't appear to break any of the SSLVPN config but doesn't bring up any kind of webpage. Then it seems like I can re-enable with
WebVPN
enable outside
anyconnect enable
Then I'm able to reconnect to the SSLVPN. This wouldn't affect any IPSec VPN connections, right? That's just the SSLVPN connections?
11-06-2023 07:34 AM - edited 11-06-2023 07:35 AM
You can just disable the binding of the SSL VPN to the interface. Deselect the binding in ASDM under the Remote Access VPN configuration section or, in the CLI, use:
webvpn
no enable <nameif>
Everything else can remain in place for future use/activation.
11-06-2023 07:36 AM - edited 11-06-2023 07:37 AM
That only will have effect on the SSLVPN? That won't do anything to any IPSecVPN tunnels or ASDM access on the outside interface?
11-06-2023 07:46 AM
Correct. The "webvpn" section of the config is specific to SSLVPN.
IPsec VPNs will have "ikev1/ikev2 enable <nameif>" commands for that listener process and ASDM uses the "http <address> <interface>" command along with "http server enable".
Three different functions with three different settings to enable them.
11-06-2023 07:48 AM
Perfect! That's what I thought but I just wanted to verify. Thanks!
07-14-2025 08:08 AM
I have the same issue where our cyber insurance folks test by going to https://<external IP>:443/+CSCOE+/logon.html and get a positive response and deem it a "critical security finding". I am unable to run the following as it will disable my SSL connections - this is a dedicated remote access VPN firewall that allows connections via the Secure Client only - no clientless.
As a work-around I have found that if I disable the portal login page with the following - once in place you no longer get a response from the page
!
webvpn
keepout "portal disabled"
!
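Two checks from this thread are worth automating: confirming from the running config which of the three independent listeners (the webvpn "enable <nameif>" binding, "crypto ikev1/ikev2 enable <nameif>", and ASDM's "http server enable" plus "http <addr> <mask> <nameif>") are actually bound to the outside interface, and re-sending the same GET the scanner sends to confirm the portal URL no longer answers after "no enable <nameif>" or the "keepout" work-around is applied. The script below is an added example written for this thread, not Cisco's code or any poster's; the sample configuration is constructed, the function names are hypothetical, and it assumes the usual "show running-config" convention that sub-commands of a mode block are indented by one space.

```python
"""Audit ASA remote-access listeners per interface and probe the portal URL.

Added example for this thread (not Cisco's or a poster's code). The embedded
configuration is a constructed sample, not output from a real device.
"""
import re
import ssl
import urllib.error
import urllib.request

PORTAL_PATH = "/+CSCOE+/logon.html"   # the URL the scanner in the thread requests

# Constructed sample resembling "show running-config" output (not a real device).
SAMPLE_CONFIG = """\
hostname asa-example
http server enable
http 192.0.2.0 255.255.255.0 inside
crypto ikev2 enable outside
crypto ikev1 enable outside
webvpn
 enable outside
 anyconnect enable
 keepout "portal disabled"
group-policy GroupPolicy_RA internal
"""


def audit_listeners(config_text, nameif):
    """Return a dict of which remote-access listeners are bound to `nameif`."""
    result = {
        "ssl_vpn_enabled": False,      # webvpn > enable <nameif>  (SSL VPN / Secure Client)
        "anyconnect_enabled": False,   # webvpn > anyconnect enable
        "keepout": None,               # webvpn > keepout "<msg>", if configured
        "ikev1_enabled": False,        # crypto ikev1 enable <nameif>  (IPsec)
        "ikev2_enabled": False,        # crypto ikev2 enable <nameif>  (IPsec)
        "asdm_http_server": False,     # http server enable (global ASDM listener)
        "asdm_hosts": [],              # http <addr> <mask> <nameif> entries for nameif
    }
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        # Assumed convention: sub-commands are indented by one space, and a
        # non-indented line ends the current mode block.
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
            tokens = line.split()
            if tokens[:3] == ["http", "server", "enable"]:
                result["asdm_http_server"] = True
            elif tokens[0] == "http" and len(tokens) == 4 and tokens[3] == nameif:
                result["asdm_hosts"].append((tokens[1], tokens[2]))
            m = re.match(r"crypto (ikev[12]) enable (\S+)$", line)
            if m and m.group(2) == nameif:
                result[f"{m.group(1)}_enabled"] = True
            continue
        if in_webvpn:
            sub = line.strip()
            if sub == f"enable {nameif}":
                result["ssl_vpn_enabled"] = True
            elif sub == "anyconnect enable":
                result["anyconnect_enabled"] = True
            elif sub.startswith("keepout "):
                result["keepout"] = sub[len("keepout "):].strip('"')
    return result


def probe_portal(host, port=443, timeout=5):
    """Send the scanner's GET and return (answered, detail).

    `answered` is True whenever the ASA returns any HTTP response at all,
    which is what the automated scan in the thread counts as a finding (the
    shutdown notification page included); it is False when the TCP or TLS
    handshake fails or times out. Certificate verification is disabled so a
    self-signed ASA certificate does not mask the result.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}{PORTAL_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        return True, f"HTTP {e.code}"   # an error page is still a response
    except (urllib.error.URLError, OSError) as e:   # no TCP/TLS answer
        return False, str(e)


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print(iface, audit_listeners(SAMPLE_CONFIG, iface))
    # Example: print(probe_portal("vpn.example.com"))  # requires network access
```

Run the audit against a saved "show running-config" before and after the change: after "no enable outside" the webvpn binding should report False while the ikev1/ikev2 and ASDM entries are unchanged, which is exactly the separation the reply above describes. The probe is the same request the scanner makes, so a False result there is the evidence to hand back to the assessor.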