topic Re: Need Help to Open Port in Network Security

Need Help to Open Port

vishalthakur1983 — Mon, 11 Mar 2019 16:51:36 GMT

Hi,

I want to Open UDP Port 161 on our Cisco ASA 5510.

Kindly guide me to do the same.

Re: Need Help to Open Port

Panos Kampanakis — Wed, 23 Dec 2009 15:33:20 GMT

You need to open the ACLs.

ACL applied to outside interface destined to that port. If you have an inside interface ACL make sure traffic sourced from port 161 is also allowed.

Make sure there is translation for the inside ip address port 161. You will need a static NAT or PAT.

static (inisde,outside)

static (inisde,outside) 161 161

I hope it helps.

Re: Need Help to Open Port

sachinraja — Wed, 23 Dec 2009 15:50:15 GMT

Hi Vishal

Do you want to configure SNMP (UDP 161) on your ASA or do you want to allow SNMP access through your firewall ??

If you want to enable SNMP on ASA please use this guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_snmp.html

if it is the second case -> of allowing SNMP access you can configure access-lists... by default ASA allows traffic from inside to outside (unless you have an ACL already).. for access from outside to inside, you need ACLs

access-list inside permit udp x.x.x.x a.a.a.a eq 161

Let me know the exact issue and we will try to solve it..

Raj

Re: Need Help to Open Port

vishalthakur1983 — Thu, 24 Dec 2009 03:45:40 GMT

Thanks for your response.

We are using What's Up Gold Monitoring tool and to monitor windows services, our support person suggest to open Port (UDP 161) from firewall.

Attached pls find show tech of ASA.

Re: Need Help to Open Port

Kureli Sankar — Thu, 24 Dec 2009 04:11:49 GMT

Vishal,

I believe this answers Raj's question to some extent. Meaning I understand it is "THROUGH" the firewall and not "TO" the firewall. Still, I am not sure where the monitoring server is and where the windows servers are.

topology 1:

monitoring server-----(inside)---------ASA-----(dmz or outside)---- windows server

You do not need to configure anything special since you have the following configured already.

access-list inside1 extended permit ip any any

toplogy 2:

windows servers ----(inside) --------ASA------(dmz or outside)---monitoring server.

If it is the above, then we need to create static translation for all the inside servers.

You can do either nat exemption with acl or static identity or static pat for udp port 161

Permission you already have this configured ccess-list outside1 extended permit ip any any

You may want to tighten this ACL.

assuming the monitoring server is on the outside:

static (i,o) i.i.i.i i.i.i.i ----> this is identity static

static (i,o)o.o.o.o i.i.i.i -----> where o.o.o.o is the translated address and i.i.i.i is the internal address

nat (inside) 0 access-list nat0 - --> this is nat exemption with acl

access-list nat0 permit ip i.i.i.0/24 x.x.x.x

Now, knowing what whatsup gold does and how it needs to be configured I would place whatsup gold where all the servers are so, it can monitor them without having to go through the firewall. But, you know your network better than we do so, the above are your options.

-KS