topic Hi, in Network Security

Opening UDP Ports on Firewall

Saeedullah Khan — Tue, 12 Mar 2019 08:06:32 GMT

Hi Folks,

Is it secure to opening the UDP ports range (50,000 - 65,000) for VOIP on the firewall from the outside for video conferencing?

Saeed

Hi,

kvaldelo — Wed, 10 Aug 2016 18:48:19 GMT

Hi,

You can open the ports though just take in count the security measures such as creating granular and specific rules matching only the necessary source and destinations

Hello Saeedullah. I have a

nspasov — Tue, 16 Aug 2016 20:00:12 GMT

Hello Saeedullah. I have a couple of questions for you:

1. Do you have a set of outside IPs that you are looking to open this to?

2. Are you looking to open these ports to an individual internal IP? Like a VCS or MCU type device

Thank you for rating helpful posts!

Hi Bro

shunmubala — Wed, 17 Aug 2016 06:17:20 GMT

Hi Bro

If it's required that those wide range of UDP ports be opened, then you’ve no choice but to do it. I personally don’t like this, but I’ve been in your shoes before.

However, I wouldn’t worry much because by default, you’ve these settings enabled in your Cisco FW;

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

However, it’s best that you harden your Cisco ASA FW with the other features available such as threat detection as shown below;

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.10.173.0 255.255.255.252

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Lastly, there are other features you can enable as well such as Reverse-Path Forwarding, Multi Framework Policy i.e. class-map / policy-map for your UDP traffic etc.

Good luck sir!

Please do check-out some configuration notes below;

1. https://www.petenetlive.com/KB/Article/0001111

2. https://supportforums.cisco.com/discussion/11208446/port-range-forwarding-post-83-asa