Moving Anyconnect from port 444 to 443 and back after testing

tryingtofixit
Level 1

Currently AnyConnect is set to port 444 (done before my time). I want to switch it to 443, do some testing of new policy/profiles/XML and a new outside cert, then move it back to port 444 with the old policies and cert.

We operate mainly using ASDM due to the varied knowledge base of the techs, very little CLI.

Couple of questions:

1) Is this possible? This "back and forth" is due to this ASA being the only backup. We use DNS to fail over if the primary ASA VPN goes down, not the XML file pushed out with AnyConnect that has defined backup servers.

2) Or will the ASA clean out configs and make moving "back and forth" a nightmare?

Thanks 


9 Replies

ccieexpert
Spotlight

This is doable... The only thing is, if you are doing testing and you want to test profiles, then your profile has to be updated with the new port.

As I said in your other post, you can build a completely new host entry in the profile (or a new profile) with the port #, and you can delete that from the profile when you are done.

The config change of ports is just one line of config.

** Please mark as helpful if this was useful **

There is no option in the profile to set a port.
The ASA can use any port,
and in the profile where you set the server list there is no need to set a port.

MHM

I love all the VIPs / responders here.

Without a port in the profile, how will Secure Client/AnyConnect connect to the ASA?

If the port on the ASA is 444 and the profile does not have a port, it will still use 443 and the connection will fail.

Here is the profile snip:

<ServerList>
<HostEntry>
<HostName>test_port444</HostName>
<HostAddress>192.168.254.75:444</HostAddress>
</HostEntry>
</ServerList>
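As an added example (not code from this thread or from Cisco), a small Python script that checks a client profile's ServerList for HostEntry addresses whose effective port (explicit, otherwise 443) does not match the port the ASA listens on, and rewrites the HostAddress values when moving between 444 and 443. The sample profile fragment and host names are constructed; the xmlns is the one AnyConnect profiles declare.

```python
import xml.etree.ElementTree as ET

DEFAULT_SSL_PORT = 443  # port the client falls back to when HostAddress has no explicit port

def _local(tag):
    # Drop a namespace prefix such as "{http://...}HostEntry" so matching ignores the xmlns
    return tag.rsplit('}', 1)[-1]

def split_host_address(value):
    """Split 'vpn.example.com:444/group' into (host, port or None, '/group')."""
    authority, slash, path = value.partition('/')
    host, sep, port = authority.rpartition(':')
    if sep and port.isdigit():
        return host, int(port), slash + path
    return authority, None, slash + path

def host_entries(profile_xml):
    """Return [(HostName, HostAddress), ...] from the profile's ServerList."""
    entries = []
    for entry in ET.fromstring(profile_xml).iter():
        if _local(entry.tag) == 'HostEntry':
            fields = {_local(c.tag): (c.text or '').strip() for c in entry}
            entries.append((fields.get('HostName'), fields.get('HostAddress', '')))
    return entries

def mismatched_entries(profile_xml, asa_port):
    """HostNames whose effective client port (explicit, else 443) differs from the ASA's SSL port."""
    bad = []
    for name, addr in host_entries(profile_xml):
        _host, port, _path = split_host_address(addr)
        if (port or DEFAULT_SSL_PORT) != asa_port:
            bad.append(name)
    return bad

def rewrite_ports(profile_xml, new_port):
    """Return the profile with every HostAddress pinned to new_port (port omitted when it is 443)."""
    root = ET.fromstring(profile_xml)
    if root.tag.startswith('{'):  # keep the default xmlns on output instead of an ns0: prefix
        ET.register_namespace('', root.tag[1:].split('}')[0])
    for el in root.iter():
        if _local(el.tag) == 'HostAddress' and el.text:
            host, _old, path = split_host_address(el.text.strip())
            el.text = host + ('' if new_port == DEFAULT_SSL_PORT else f':{new_port}') + path
    return ET.tostring(root, encoding='unicode')

# Constructed sample profile fragment (not from a real deployment); host names are made up
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ServerList>
  <HostEntry><HostName>test_port444</HostName><HostAddress>192.168.254.75:444</HostAddress></HostEntry>
  <HostEntry><HostName>backup</HostName><HostAddress>vpn-backup.example.com/staff</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""
```

Running mismatched_entries against the deployed profile with the ASA's current listening port, before and after each move, shows which host entries would still try the wrong port.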

Friend, HostAddress can be configured without an L4 port (it uses 443, as you mention), and it is optional if he does not need auto connect.

He can check the profile in his client and see whether the HostAddress option is added or not.

MHM

Friend, of course you can put hostname:port in the address bar. If you don't have the port in the address bar or the profile, it will connect to 443 (the default port) and fail.

Have you tested it?

Let's wait for his reply.

Let him check whether HostAddress is used in his XML profile or not.

If he doesn't use this option, then he can shift to any port; he only needs to add the new port (other than 443) in his browser URL.

Thanks 

MHM

A VPN profile is pretty useless without a host entry in it. Why would one use it without it? Never seen that, unless you want to set some other settings.

tryingtofixit
Level 1

Thanks for all the input on this. From what I have read, the WebVPN AnyConnect on the ASA will only allow one port on each interface for SSL. By default it's 443; we had it at 444. If that is incorrect, please let me know. Yes, we did have it in our XML file for AnyConnect to use 444 rather than 443.

If you can run port 443 and port 444 on the same interface, how?

Thanks


"If you can run port 443 and port 444 on the same interface, how?" You cannot use both ports on the same interface, or even on different interfaces; the port must be the same, and there is only one on the ASA.

No need for HostAddress, it is optional. To be sure, select any user and edit their XML profile and check; this is the best way to see the effect of the XML when you convert the port.

MHM