https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246219#M350350 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess the rule must be from ASDM?</P><P></P><P>It would seem to me that the "Marketing" might be some "object-group" that defines several addresses or subnets/networks.</P><P></P><P>So it seems that will allow all TCP connections through the interface where that rule is attached from the networks/addresses mentioned in "Marketing"</P><P></P><P>Though there is naturally more things that factor to where the hosts can actually connect. Lacking some NAT configuration or having some NAT configuration might mean that even though evertyhing is permitted, they still wouldnt go through. Naturally routing etc might play some part also.</P><P></P><P>The tcp (6) you see when hovering your mouse pointer over the section just tells that we are talking about TCP. The number refers to TCP protocol number which is 6. UDP would be 17</P><P></P><P>You can check the listing here:</P><P><A class="jive-link-external-small" href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml">http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please mark correct replys as the correct answer and/or rate helpfull answers.</P><P></P><P>Naturally ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 07 May 2013 15:40:17 GMT Jouni Forss 2013-05-07T15:40:17Z https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246218#M350349 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">I found the following rule on an ASA:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">Source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp; Service</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">Marketing&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">Does this mean that marketing can access any tcp service since it doesn't specify one (http-80 or https-443 <SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">for example</SPAN>)?</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">When I move the mouse over it I see it says tcp (6). So is 6 the port and what exactly does this allow?</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: arial;">If my question sounds completely ridiculous just blame it on me being a rookie. Thanks in advance!</P> Tue, 12 Mar 2019 01:40:00 GMT https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246218#M350349 Eric Washington 2019-03-12T01:40:00Z https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246219#M350350 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess the rule must be from ASDM?</P><P></P><P>It would seem to me that the "Marketing" might be some "object-group" that defines several addresses or subnets/networks.</P><P></P><P>So it seems that will allow all TCP connections through the interface where that rule is attached from the networks/addresses mentioned in "Marketing"</P><P></P><P>Though there is naturally more things that factor to where the hosts can actually connect. Lacking some NAT configuration or having some NAT configuration might mean that even though evertyhing is permitted, they still wouldnt go through. Naturally routing etc might play some part also.</P><P></P><P>The tcp (6) you see when hovering your mouse pointer over the section just tells that we are talking about TCP. The number refers to TCP protocol number which is 6. UDP would be 17</P><P></P><P>You can check the listing here:</P><P><A class="jive-link-external-small" href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml">http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please mark correct replys as the correct answer and/or rate helpfull answers.</P><P></P><P>Naturally ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 07 May 2013 15:40:17 GMT https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246219#M350350 Jouni Forss 2013-05-07T15:40:17Z https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246220#M350351 <HTML><HEAD></HEAD><BODY><P>Hello Jouni!</P><P></P><P>Yes I am using ASDM and marketing is a network object group with six network objects.</P><P></P><P>So if I understand you correctly, that rule will allow all TCP connections unless there is a NAT rule preventing it?</P><P></P><P>Thanks for your help!</P></BODY></HTML> Tue, 07 May 2013 15:57:30 GMT https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246220#M350351 Eric Washington 2013-05-07T15:57:30Z https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246221#M350352 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I might have just complicated things mentioning about NAT and Routing. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>In general the interface ACL should be the "only" thing on your ASA that controls the traffic.</P><P></P><P>Why I mentioned NAT was simply due to the fact that in some cases even if you had allowed some traffic, if you LACKED a certain NAT configuration, the connection could still fail.</P><P></P><P>In most cases when we are talking about ASA interfaces and local LAN networks there is no NAT configurations between these networks. So the ACL should most of the time be the only thing that controls access between different interfaces of the ASA</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 07 May 2013 16:03:13 GMT https://community.cisco.com/t5/network-security/firewall-access-rule-question-regarding-tcp/m-p/2246221#M350352 Jouni Forss 2013-05-07T16:03:13Z