https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275987#M345983 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You have not given any configurations to reference or mentioned at all the ports that were open in the scanner.</P><P></P><P>We would need a bit more information to go on.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 23 Jul 2013 12:11:55 GMT Jouni Forss 2013-07-23T12:11:55Z https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275986#M345979 <P>Dear All,</P><P></P><P>I have configured firewall and allow only <STRONG>port 443</STRONG> and deny all tcp ports for destination, but when i am scanning from port scanner it shows several tcp ports are enabled.. need your seuggestion and help on it.. how to block these tcp ports..</P><P>Early response is required..</P><P></P><P>Thanks</P> Tue, 12 Mar 2019 02:15:48 GMT https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275986#M345979 engrhaiderabbas 2019-03-12T02:15:48Z https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275987#M345983 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You have not given any configurations to reference or mentioned at all the ports that were open in the scanner.</P><P></P><P>We would need a bit more information to go on.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 23 Jul 2013 12:11:55 GMT https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275987#M345983 Jouni Forss 2013-07-23T12:11:55Z https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275988#M345986 <HTML><HEAD></HEAD><BODY><P>Below is the configuration..</P><P></P><P></P><P></P><P><STRONG>access-list extended permit tcp any host ip eq https</STRONG></P><P><STRONG>access-list extended deny ip any any</STRONG></P></BODY></HTML> Tue, 23 Jul 2013 12:25:26 GMT https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275988#M345986 engrhaiderabbas 2013-07-23T12:25:26Z https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275989#M345988 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Still don't know the ports that were supposedly open.</P><P></P><P>Though if that is the ACL you have bound to the <STRONG>"outside"</STRONG> interface on the ASA then it should be blocking the connections through the ASA for everything else other than the TCP/443 for a single destination IP address.</P><P></P><P>Then there is naturally the ASAs own services and ports on which its listening on.</P><P></P><P>You can check that with the following command</P><P></P><P><STRONG>show asp table socket</STRONG></P><P></P><P>Most likely the ports that are open on the ASA are the ones used for management purposes perhaps</P><P></P><P>Those set with the following commands</P><P></P><P><STRONG>telnet</STRONG></P><P><STRONG>ssh</STRONG></P><P><STRONG>http</STRONG></P><P></P><P>You also have the option to create an ACL that blocks all traffic to the ASA <STRONG>"outside"</STRONG> interface IP address. You can then attach it with <STRONG>"access-group"</STRONG> command</P><P></P><P><STRONG>access-group <ACL name=""> in interface outside control-plane</ACL></STRONG></P><P></P><P>This would limit the "To the Box" traffic. Though the above mentioned management commands <STRONG>"telnet", "ssh"</STRONG> and <STRONG>"http"</STRONG> would still override this ACL.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 23 Jul 2013 12:33:17 GMT https://community.cisco.com/t5/network-security/need-help-on-port-blocking-in-asa/m-p/2275989#M345988 Jouni Forss 2013-07-23T12:33:17Z