https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432452#M270363 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P></P><P>Thanks for writing.&nbsp; Sorry for leaving out details.</P><P></P><P>The server team originally asked for ten ports: 50000 50010.&nbsp; The tcp rule specifying any host to <SERVER ip=""> over that range never incremented the hit count.</SERVER></P><P></P><P>Now that 16 thousand ports are open to any host, the traffic is flowing.</P><P></P><P>The senior network guys (i'm a junior net admin) don't seem to have a problem with the rule.&nbsp; I think you and I see it similarly: anyone can connect and that doesn't make security sense.</P><P></P><P>But I think you've answered my question: I need to push for a single ip.&nbsp; Heck, maybe we just narrow it to the ISP range of our user!&nbsp; Even THAT's better.</P><P></P><P>Thanks again!</P><P>Bob</P></BODY></HTML> Tue, 04 Feb 2014 15:41:35 GMT Bob Greer 2014-02-04T15:41:35Z https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432450#M270361 <P>Hi there,</P><P></P><P>Thanks for reading!</P><P></P><P>We have an outside user who's been impacted by an improper deploy of SFTP.&nbsp; The workaround allowing them to connect is this rule:</P><P></P><P style="padding-left: 30px;"><STRONG>access-list outside_access_in_1 extended permit tcp any host &lt;my server's outside ip&gt; range 49000 65535</STRONG></P><P></P><P>I entered an FTP rule opening ports 50000 50010 (according to documentation) but no success.&nbsp; </P><P></P><P>Is there a "dynamic ports" type of rule which would allow me to open fewer than the 16535 ports?&nbsp; The incoming FTP connection has generates a dynamic port &lt;50000.</P><P></P><P>I'd like to furhter close the hole by naming the protocol.</P><P></P><P>Thanks again for reading!<BR />Bob</P> Tue, 12 Mar 2019 03:39:55 GMT https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432450#M270361 Bob Greer 2019-03-12T03:39:55Z https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432451#M270362 <HTML><HEAD></HEAD><BODY><P>Hi Bob,</P><P></P><P>In the ACE&nbsp; you defined, the range is from 49000 - 65535, but later in your question you mention less than 50,000.&nbsp; I'm a little confused by what you are asking.</P><P></P><P>However, if you are hosting the server, then the client should be connecting to your server's IP on port 22, and sourced from some dynamic port.&nbsp; Therefore, the ACL should be something like:</P><P></P><P>&nbsp;&nbsp; access-list outside permit tcp any host <SERVER_IP> eq 22</SERVER_IP></P><P></P><P>But, what your ACL says, is that anyone can connect to your server on ports from 49000 to 65535.&nbsp; Which doesn't make sense.</P><P></P><P>Now, if the client used source ports &lt;50000, and your server was hosting SFTP on port 22, then you could write an ACL such as:</P><P></P><P>&nbsp;&nbsp; access-list outside permit tcp host <CLIENT_IP> lt 50000 host <SERVER_IP> eq 22</SERVER_IP></CLIENT_IP></P><P></P><P>Which would be about as locked down as you could get it.</P><P></P><P>Sincerely,</P><P><BR />David.</P></BODY></HTML> Tue, 04 Feb 2014 02:18:12 GMT https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432451#M270362 David White 2014-02-04T02:18:12Z https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432452#M270363 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P></P><P>Thanks for writing.&nbsp; Sorry for leaving out details.</P><P></P><P>The server team originally asked for ten ports: 50000 50010.&nbsp; The tcp rule specifying any host to <SERVER ip=""> over that range never incremented the hit count.</SERVER></P><P></P><P>Now that 16 thousand ports are open to any host, the traffic is flowing.</P><P></P><P>The senior network guys (i'm a junior net admin) don't seem to have a problem with the rule.&nbsp; I think you and I see it similarly: anyone can connect and that doesn't make security sense.</P><P></P><P>But I think you've answered my question: I need to push for a single ip.&nbsp; Heck, maybe we just narrow it to the ISP range of our user!&nbsp; Even THAT's better.</P><P></P><P>Thanks again!</P><P>Bob</P></BODY></HTML> Tue, 04 Feb 2014 15:41:35 GMT https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432452#M270363 Bob Greer 2014-02-04T15:41:35Z https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432453#M270366 <HTML><HEAD></HEAD><BODY><P>Hi Bob,</P><P></P><P>Yes, I find it highly odd that the clients would need to *connect* to a possible 16k ports!</P><P></P><P>The narrower you can make the hole, the more secure you are.&nbsp; So, if you can reduce the number of ports open and reduce the client IPs which can access the server, both improve the security of the policy.</P><P></P><P>You can look at your syslogs to see who is connecting to the server, and on what IPs/ports.</P><P></P><P>Sincerely,</P><P><BR />David.</P></BODY></HTML> Tue, 04 Feb 2014 18:28:23 GMT https://community.cisco.com/t5/network-security/dynamic-ports/m-p/2432453#M270366 David White 2014-02-04T18:28:23Z