5157 Views, 5 Helpful, 13 Replies

How to disable webvpn on ASA 5508

Allan Stark
Level 1

Hello,

I need to disable access to the ASA 5508 by the 443 port from the outside.
Version 9.14(2)
The device works like a regular firewall for the office + has an IKEv1/IPSec tunnel to the AWS cloud.
The device is not used to connect users via VPN from outside.
I tried to disable VPN access from the outside (please look at the screenshots from ASDM); however, if I try to access the external interface of the device, like https://<ip>:443, suddenly a 404 error message is displayed in the browser, so I want to completely disable access on port 443 from the outside, since the device is old and probably can be susceptible to vulnerabilities (like https://www.youtube.com/watch?v=gqRmu3VFPVc)

I also tried to disable it via "no webvpn" in the SSH console, but the problem still remains.
I can't disable the internal HTTP server, because of ASDM.
ASDM/HTTPS access set only for internal (lan/inside) interface.


webvpn
disable outside 

tried, but:

ASA5508(config-webvpn)# disable outside
^
ERROR: % Invalid input detected at '^' marker.

no enable outside 

or try to disable WebVPN entirely with
no webvpn 

when you are done, double-check with this command

sh asp table socket

unfortunately 443 is still listening on the outside interface:

asa_04.png

no enable outside - done
already performed no webvpn
but access to that 404 page is still there...

sh asp table socket

share output here

asa_04.png

Yes, but as far as I know, WebVPN and ASDM share the same port 443.

This page is hardly related to the ASDM. I tried to connect to external (outside) interface from a host on the Internet:

asa_00.png

Hi friend,
as I mentioned, port 443 is shared with ASDM,
but you can disable the page by

webvpn

 keepout

try this way.

 

webvpn
keepout blank

unfortunately the same

marce1000
VIP

 

 - Check this thread for hints : https://community.cisco.com/t5/vpn/disabling-clientless-browser-based-vpn/m-p/2909549

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
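
An added example, not part of the original thread: a small Python check for the `sh asp table socket` verification suggested in the replies, which reports whether anything is still listening on port 443 at the outside address. The sample output is constructed; its column layout, the socket handles and the addresses (documentation ranges) are assumptions.

```python
import re

# Constructed sample of `show asp table socket` output. The column layout is
# assumed and the addresses are documentation ranges, not values from the thread.
SAMPLE_OUTPUT = """\
Protocol  Socket    State      Local Address                Foreign Address
SSL       00a1b2c8  LISTEN     192.168.1.1:443              0.0.0.0:*
SSL       00a1c3d8  LISTEN     203.0.113.10:443             0.0.0.0:*
TCP       00a1e5f8  LISTEN     192.168.1.1:22               0.0.0.0:*
SSL       00a1f608  ESTAB      192.168.1.1:443              192.168.1.50:51514
"""

# One socket row: protocol, hex socket handle, state, local addr:port, foreign addr.
ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<faddr>\S+)$"
)


def parse_sockets(text):
    """Return one dict per socket row; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def exposed_listeners(text, outside_ip, port="443"):
    """Listeners on `port` bound to the outside address or to all addresses."""
    return [
        r for r in parse_sockets(text)
        if r["state"] == "LISTEN"
        and r["lport"] == port
        and r["laddr"] in (outside_ip, "0.0.0.0")
    ]


if __name__ == "__main__":
    hits = exposed_listeners(SAMPLE_OUTPUT, "203.0.113.10")
    for r in hits:
        print(f"still listening: {r['proto']} {r['laddr']}:{r['lport']}")
    if not hits:
        print("no listener on outside:443")
```

Paste the saved command output in place of `SAMPLE_OUTPUT` and pass the outside interface address; an empty result means the box no longer has a socket on that address and port.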