https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004312#M917970 <P>For a long time now I've been trying to get a handle on what is really required for MS hosts to talk to to other MS hosts but googled doco is scant. </P><P></P><P>The MS site does not seem to acknowledge the existence of UDP or TCP (surprised: Not me!) </P><P></P><P>Also in the predefined services of the ASA there is nothing for 135 (both tcp and UDP i believe) ... this is pretty weird as it is the MS end point mapper and therefore very common.</P><P></P><P>Any info or links to definitive stuff would be useful.</P><P></P><P>BTW: I am, of course not letting this MS chatter move over OUTSIDE interfaces .. we have many internal FW's and pvt links into customers where some of this dodgy MS stuff is required in order to support the customers.</P><P></P><P>Thanks in advance,</P><P>Mike</P> Mon, 11 Mar 2019 13:02:11 GMT m.surtees 2019-03-11T13:02:11Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004312#M917970 <P>For a long time now I've been trying to get a handle on what is really required for MS hosts to talk to to other MS hosts but googled doco is scant. </P><P></P><P>The MS site does not seem to acknowledge the existence of UDP or TCP (surprised: Not me!) </P><P></P><P>Also in the predefined services of the ASA there is nothing for 135 (both tcp and UDP i believe) ... this is pretty weird as it is the MS end point mapper and therefore very common.</P><P></P><P>Any info or links to definitive stuff would be useful.</P><P></P><P>BTW: I am, of course not letting this MS chatter move over OUTSIDE interfaces .. we have many internal FW's and pvt links into customers where some of this dodgy MS stuff is required in order to support the customers.</P><P></P><P>Thanks in advance,</P><P>Mike</P> Mon, 11 Mar 2019 13:02:11 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004312#M917970 m.surtees 2019-03-11T13:02:11Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004313#M917984 <HTML><HEAD></HEAD><BODY><P>Actually most organizations which are conscious about security don't even allow file sharing directly between hosts. A file-sharing server is setup for this (do a google search for Microsoft DFS). Users are given access to this (with personal folders for each). This makes access-control relatively easy. This also reduces the damage caused by worms and other malware</P><P></P><P>Regards</P><P></P><P>Farrukh </P></BODY></HTML> Fri, 20 Jun 2008 10:35:57 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004313#M917984 Farrukh Haroon 2008-06-20T10:35:57Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004314#M917993 <HTML><HEAD></HEAD><BODY><P>Thanks Farrukh,</P><P></P><P>I'm well aware of the dangers of the basic microsoft ports unfortunately there are a number of apps used by our organization that require some or all of NetBios gunk - the HP-OVO suite and Radia most specifically.</P><P></P><P>I'm just finding it really difficult, even with the help of everyone's friend Google, to determine whether these ports are UDP or TCP. Microsoft documentation seems to not realize there is a difference; and HP doco does not seem to provide any information at all. </P><P></P><P>Also I'm still looking for an index of of the predefined ports in the ASA OS. I can't understand why there would be several predefined netbios ports but 135 (seemingly UDP &amp; TCP) - the vital MS end-point mapper - is not defined. Nor the newer SMB tcp&amp;udp-445 port</P><P></P><P>So my query is not only about these 'common' (but ill-defined) MS ports, but what is in the list and why are there glaring omissions? </P><P></P><P>Regards,</P><P>Mike </P></BODY></HTML> Sun, 22 Jun 2008 23:47:46 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004314#M917993 m.surtees 2008-06-22T23:47:46Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004315#M917999 <HTML><HEAD></HEAD><BODY><P>Hi again,</P><P></P><P>Just had a look at DFS .. we already use it across our multiple sites but these are 'internal' and connected by pvt WAN. </P><P></P><P>Despite my last post and references to other apps using the annoying netbios stuff, there is still a need for file sharing across FW boundries - internal &amp; various levels of DMZ (most of these not accessible to the 'outside' but rather cordoned off areas of server groups).</P><P></P><P>But even using DFS there is a need for prts opened on a FW - possibly both directions for DFS. Do you know what these are?</P><P></P><P>Mike </P></BODY></HTML> Mon, 23 Jun 2008 00:09:32 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004315#M917999 m.surtees 2008-06-23T00:09:32Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004316#M918007 <HTML><HEAD></HEAD><BODY><P>Please check the ports listed under DFS on this link:</P><P></P><P><A class="jive-link-custom" href="http://support.microsoft.com/kb/832017" target="_blank">http://support.microsoft.com/kb/832017</A>#</P><P></P><P>Distributed File System</P><P>The Distributed File System (DFS) integrates disparate file shares that are located across a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFS service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.</P><P></P><P>System service name: Dfs</P><P>Application protocol Protocol Ports</P><P>NetBIOS Datagram Service UDP 138</P><P>NetBIOS Session Service TCP 139</P><P>LDAP Server TCP 389</P><P>LDAP Server UDP 389</P><P>SMB TCP 445 ****</P><P>RPC TCP 135 ****</P><P>Randomly allocated high TCP ports TCP random port number between 1024 - 65535*</P><P>* For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 23 Jun 2008 05:16:34 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004316#M918007 Farrukh Haroon 2008-06-23T05:16:34Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004317#M918012 <HTML><HEAD></HEAD><BODY><P>Thanks Farrukh, useful link. </P><P></P><P>See my attachment if you want a handy excel speadsheet of same (but without the useful tips your link provides)</P><P></P><P>Still got all the MS gunk though; looks like we'll never escape it. </P><P></P><P>And still no reason why Cisco have not predefined TCP-135, the most used MS port (they have Sun's version). Oh well, chalk it down as an oversight.</P><P></P><P>Also no listing/index of ASA predefined ports that I can find. I'll just have to hold my mouse cursor over each item and wait for the pop-up. Or hope they call the port the same thing as everyone else.</P><P></P><P>Regards,</P><P>Mike </P><P></P><P> </P><P></P><P> </P><P></P></BODY></HTML> Mon, 23 Jun 2008 07:16:52 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004317#M918012 m.surtees 2008-06-23T07:16:52Z https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004318#M918014 <HTML><HEAD></HEAD><BODY><P>Yup we used this document to make security policies for our customers.</P><P></P><P>Don't focus too much on the pre-defined ports of the ASA/PIX, it seems this is an issue they don't focus much on.</P><P></P><P>Please rate helpful posts. Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 23 Jun 2008 07:55:52 GMT https://community.cisco.com/t5/network-security/asa-predefined-services-and-ms-ports/m-p/1004318#M918014 Farrukh Haroon 2008-06-23T07:55:52Z