Cisco ASA Clientless VPN

SAM_2023 · ‎10-26-2023

Hi

ASA VPN could also be configured to host clientless VPN via a browser apart from the Cisco any connect client application.

if I only use Cisco for any connect client application can the Clientless VPN be disabled which is accessible via browser or do we need to enable it in order to be accessed in the first place and is not configured by default?

https://vpn.xyz.com/+CSCOE+/logon.html

The issue is that when the below URL is accessible attackers try to brute force logins even with MFA and legitimate users can get locked. Is there a way to permanently disable this URL from accessible?

Does Cisco ASA run an embedded web service to facilitate this web UI in the browser while using a clientless VPN? Is there an option to disable the web service itself if we are only connecting via the client application

Regards

SAM

JP Miranda Z · ‎10-27-2023

Hi SAM_2023,

That's a really good point and question, you can actually disable the clientless connection by running one of this options:

1- Keepout

config t

webvpn

keepout "message"

2- Portal Access deny

config t

webvpn

portal-access-rule 1 deny any

8About the possible brute force i will recommend you to configure a vpn-simultaneous login 0 in your default group policy, just keep in mind you need to configure a vpn-simultaneous login 3* manually in all your other group policies:

config

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 0

*vpn-simultaneous login 3 is the default value.

Hope this helps!

-JP-