02-24-2014 06:10 PM
Current Setup
- 2 x ASA 5505 firewalls, running 9.0.4; ASDM 7.1; in active/standby mode
- Using AnyConnect v3.0.3054
- VPN uses IPSec only; SSL Access is Disabled.
- AnyConnect manually installed on Laptops.
- Web Portal Shutdown and browser shows not found
- Clientless SSL VPN Disabled.
Here is my Problem: (This problem is causing my external PCI scan to fail; it is failing because the https site is using ssl3.0 or TLS 1.0)
1. From an External PC, I open any browser and go to my firewall's IP address (i.e. https://8.8.8.8)
2. The browser gives a warning about an untrusted certificate.
3. If I click continue, then the browser tries to go to the Web portal login but then shows the "Page cannot be displayed" page.
What I am trying to do is stop the firewall from responding to HTTPS requests to the Firewall's WAN IP address; if I do step 1 of my problem, I want the browser to time out due to no response from the firewall.
After reading the admin manuals and researching this problem, I have hit a wall.
Thanks
Accepted Solutions
02-24-2014 06:35 PM
An IPSec (IKEv2) remote access VPN requires use of SSL for the initial session establishment. AFAIK there's no avoiding that. You should explain to your auditor that this is required and that the lack of other services on that interface is a compensating control for the use of SSL.
Sent from Cisco Technical Support iPad App
03-06-2014 03:57 PM
Thanks for the info, I purchased an SSL Certificate and all is well.
