Trying to prevent Firewall from responding to HTTPS requests

Jerry Warner
Level 1

Current Setup

- 2 x ASA 5505 firewalls, running 9.0.4; ASDM 7.1; in active/standby mode
- Using AnyConnect v3.0.3054
  - VPN uses IPSec only; SSL access is disabled.
  - AnyConnect manually installed on laptops.
  - Web portal shut down and browser shows not found
  - Clientless SSL VPN disabled.

Here is my problem: (This problem is causing my external PCI scan to fail; it is failing because the HTTPS site is using SSL 3.0 or TLS 1.0)

1. From an External PC, I open any browser and go to my firewall's IP address (i.e. https://8.8.8.8)

2. The browser gives a warning about an untrusted certificate.

3. If I click continue, then the browser tries to go to the Web portal login but then shows the "Page cannot be displayed" page.

What I am trying to do is stop the firewall from responding to HTTPS requests to the firewall's WAN IP address; if I do step 1 of my problem, I want the browser to time out due to no response from the firewall.

After reading the admin manuals and researching this problem, I have hit a wall.

Thanks        

Accepted Solutions

Marvin Rhoads
Hall of Fame

An IPSec (IKEv2) remote access VPN requires use of SSL for the initial session establishment. AFAIK there's no avoiding that. You should explain to your auditor that this is required and that the lack of other services on that interface is a compensating control for the use of SSL.

Sent from Cisco Technical Support iPad App

Thanks for the info, I purchased an SSL Certificate and all is well.
