Cisco ASA Clientless VPN

SAM_2023
Level 1

Hi

The ASA VPN can also be configured to host a clientless VPN via a browser, apart from the Cisco AnyConnect client application.

If I only use the Cisco AnyConnect client application, can the clientless VPN that is accessible via a browser be disabled, or does it need to be enabled in the first place and is not configured by default?

https://vpn.xyz.com/+CSCOE+/logon.html

The issue is that when the above URL is accessible, attackers try to brute-force logins even with MFA, and legitimate users can get locked out. Is there a way to permanently disable this URL from being accessible?

Does Cisco ASA run an embedded web service to facilitate this web UI in the browser while using a clientless VPN? Is there an option to disable the web service itself if we are only connecting via the client application?

Regards 

SAM

1 Reply

JP Miranda Z
Cisco Employee

Hi SAM_2023,

That's a really good point and question. You can actually disable the clientless connection by running one of these options:

1- Keepout

config t
webvpn
keepout "message"

2- Portal Access deny

config t
webvpn
portal-access-rule 1 deny any

About the possible brute force, I recommend that you configure vpn-simultaneous-logins 0 in your default group policy. Just keep in mind that you then need to configure vpn-simultaneous-logins 3* manually in all your other group policies:

config
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0

*vpn-simultaneous-logins 3 is the default value.

Hope this helps!

-JP-
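As an added example (not Cisco's code and not from either poster), the following script audits a saved ASA running-config for the settings described in the reply: a webvpn keepout or portal-access-rule deny, vpn-simultaneous-logins 0 on DfltGrpPolicy, and, the caveat JP raises, any other group policy that has no explicit vpn-simultaneous-logins line and would therefore inherit 0 and lock its users out. The sample config is constructed, and the parser assumes the usual one-space indentation of "show running-config" output.

```python
"""Audit an ASA running-config (plain text) for clientless-portal hardening."""
import re

# Constructed sample config, not captured from a real device.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 portal-access-rule 1 deny any
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy GP_STAFF attributes
 vpn-simultaneous-logins 3
group-policy GP_CONTRACTORS attributes
 vpn-idle-timeout 30
"""

def parse_blocks(config):
    """Group indented lines under their parent command (ASA uses a one-space indent)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings; each boolean is True when the hardening setting is in place."""
    blocks = parse_blocks(config)
    webvpn = blocks.get("webvpn", [])
    portal_blocked = any(l.startswith("keepout ") for l in webvpn) or any(
        re.match(r"portal-access-rule \d+ deny any$", l) for l in webvpn)
    policies = {n: lines for n, lines in blocks.items()
                if n.startswith("group-policy ") and n.endswith(" attributes")}
    def logins(lines):
        for l in lines:
            m = re.match(r"vpn-simultaneous-logins (\d+)$", l)
            if m:
                return int(m.group(1))
        return None  # not set explicitly: the policy inherits from DfltGrpPolicy
    default_zero = logins(policies.get("group-policy DfltGrpPolicy attributes", [])) == 0
    # Policies with no explicit value inherit the default policy's 0 and would block logins.
    inheriting = sorted(n.split()[1] for n, lines in policies.items()
                        if n.split()[1] != "DfltGrpPolicy" and logins(lines) is None)
    return {"portal_blocked": portal_blocked, "default_logins_zero": default_zero,
            "policies_inheriting_zero": inheriting}
```

Run audit() over the output of "show running-config" saved to a file; a non-empty policies_inheriting_zero list means those policies need an explicit vpn-simultaneous-logins value before the default is set to 0.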