https://community.cisco.com/t5/network-security/application-port/m-p/1640174#M604583 <HTML><HEAD></HEAD><BODY><P>Hi ST,</P><P></P><P>By default in an ASA, if no access-list is applied on the inside interface then all traffic going from inside (higher sec level) to outside(lower sec level) would be allowed.</P><P></P><P>What kind of application are you running ? If its a TCP based application then you do not need to apply any access-list on the outside interface too. this is because, ASA will maintain a state of TCP based applications.</P><P></P><P>Anyways, If you would like to find out the port numbers that the application is using, you can apply captures on the inside interface. This would capture details about the packet</P><P></P><P>Following is the method of applying captures :</P><P></P><P><STRONG>access-list capi permit ip host <SOURCE ip=""> host <DESTINATION ip=""></DESTINATION></SOURCE></STRONG></P><P><STRONG>access-list capi permit ip host <DESTINATION ip=""> host <SOURCE ip=""></SOURCE></DESTINATION></STRONG></P><P><STRONG><BR /></STRONG></P><P><STRONG>capture capin access-l capi interface inside</STRONG></P><P></P><P>Now, when you do a <STRONG>sh capture capin detail</STRONG>, you would be able to see the the source and destination ports.</P><P></P><P>Hope I could answer your question!!</P><P></P><P>Cheers,</P><P>Manasi</P></BODY></HTML> Fri, 24 Dec 2010 14:38:37 GMT manasjai 2010-12-24T14:38:37Z https://community.cisco.com/t5/network-security/application-port/m-p/1640173#M604582 <P>Hi Experts</P><P></P><P>We got one application who's ports are unknown to be opened from inside&nbsp; and outside of ASA,&nbsp; For test purpose we allow permit ip&nbsp; any any and it works. How do I identify the ports. <BR /> <BR />Access-list is applied on inside and outside interface of ASA <BR />ASA 5520 <BR />Version 8.2</P><P></P><P>Hope to get help</P><P></P><P>Thanks</P><P>ST</P> Mon, 11 Mar 2019 19:27:24 GMT https://community.cisco.com/t5/network-security/application-port/m-p/1640173#M604582 saquib.tandel 2019-03-11T19:27:24Z https://community.cisco.com/t5/network-security/application-port/m-p/1640174#M604583 <HTML><HEAD></HEAD><BODY><P>Hi ST,</P><P></P><P>By default in an ASA, if no access-list is applied on the inside interface then all traffic going from inside (higher sec level) to outside(lower sec level) would be allowed.</P><P></P><P>What kind of application are you running ? If its a TCP based application then you do not need to apply any access-list on the outside interface too. this is because, ASA will maintain a state of TCP based applications.</P><P></P><P>Anyways, If you would like to find out the port numbers that the application is using, you can apply captures on the inside interface. This would capture details about the packet</P><P></P><P>Following is the method of applying captures :</P><P></P><P><STRONG>access-list capi permit ip host <SOURCE ip=""> host <DESTINATION ip=""></DESTINATION></SOURCE></STRONG></P><P><STRONG>access-list capi permit ip host <DESTINATION ip=""> host <SOURCE ip=""></SOURCE></DESTINATION></STRONG></P><P><STRONG><BR /></STRONG></P><P><STRONG>capture capin access-l capi interface inside</STRONG></P><P></P><P>Now, when you do a <STRONG>sh capture capin detail</STRONG>, you would be able to see the the source and destination ports.</P><P></P><P>Hope I could answer your question!!</P><P></P><P>Cheers,</P><P>Manasi</P></BODY></HTML> Fri, 24 Dec 2010 14:38:37 GMT https://community.cisco.com/t5/network-security/application-port/m-p/1640174#M604583 manasjai 2010-12-24T14:38:37Z https://community.cisco.com/t5/network-security/application-port/m-p/1640175#M604584 <HTML><HEAD></HEAD><BODY><P>Hi ST,</P><P></P><P>One more thing to point here is if the traffic is getting initiated from the outside, We should necessarily apply an access-l on the outside interface to permit the required traffic!!</P><P></P><P>Thanks,</P><P>Manasi!!</P></BODY></HTML> Fri, 24 Dec 2010 14:42:56 GMT https://community.cisco.com/t5/network-security/application-port/m-p/1640175#M604584 manasjai 2010-12-24T14:42:56Z