
Opening ports on ASA 5520

Sean McCoy
Level 1

I need to open ports 4480 and 4481 in preparation for PARCC testing in our district. How would I create this rule to allow traffic to/from any IP address on the inside interface?

1 Reply

Jouni Forss
VIP Alumni

Hi,

The first thing we would need to know is whether the connections for ports 4480 and 4481 are TCP or UDP or both. We would also need to know which host/server opens/forms these connections. Are the connections opened from your LAN or from the WAN?

When the ASA allows a connection it will naturally allow any return traffic for this connection. This means when you have allowed the original opening direction of this connection then the return traffic back to the original connecting host will be allowed by the firewall.

If your LAN host opens the connection then I would imagine that this traffic is already allowed since in most environments most traffic outbound is usually allowed.

If these connections are formed from the WAN then first you would naturally need a NAT configuration for the host to which they are connecting. Each host that is connected to from the external network needs its own NAT configuration or this connectivity is not possible.

On the ASA there is a command called "packet-tracer" that will let you test different types of packets entering the ASA on a certain interface. This will tell you if the packet will be allowed or blocked by something.

If, for example, you have an interface called "inside" and there you have a host with IP address 10.10.10.10 that is trying to form a connection to an external host with the IP address 1.1.1.1 with the destination port TCP/4480, then you could test that with the command

packet-tracer input inside tcp 10.10.10.10 12345 1.1.1.1 4480

But as I said above, we need some clarifications on the actual situation and requirements to determine what is needed for the connections to work.

We might have to take a look at the current configurations also.

- Jouni
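As an added illustration of the two cases described in the reply above (this is not part of the original thread and not Cisco's own configuration), the fragment below shows what the inbound (WAN-originated) case looks like on an ASA running 8.3 or later NAT syntax, together with packet-tracer checks for both directions. Everything in it is an assumption: the interface names "inside" and "outside", the object names PARCC-SERVER and OUTSIDE-IN, the internal server 10.10.10.10, its public address 203.0.113.10, the external test host 198.51.100.5, and the choice of TCP; if the application also uses UDP, the commented udp line would be added as well.

```cisco
! Assumed topology (hypothetical addresses): internal server 10.10.10.10 on "inside",
! published to the WAN as 203.0.113.10 on "outside". Ports 4480-4481 are assumed TCP.

! Static NAT for the one internal host that external clients connect to.
! Each internal host that must be reachable from the WAN needs its own entry like this.
object network PARCC-SERVER
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.10

! With 8.3+ NAT the inbound ACL matches the REAL (inside) address, hence "object PARCC-SERVER",
! not the public 203.0.113.10.
access-list OUTSIDE-IN extended permit tcp any object PARCC-SERVER range 4480 4481
! access-list OUTSIDE-IN extended permit udp any object PARCC-SERVER range 4480 4481
access-group OUTSIDE-IN in interface outside

! Check 1: WAN client opening TCP/4480 to the public address. Expect "Action: allow",
! with a NAT phase translating 203.0.113.10 -> 10.10.10.10 and an ACCESS-LIST phase matching OUTSIDE-IN.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 4480

! Check 2: the LAN host opening TCP/4480 outbound. On the usual higher-to-lower security
! default this is already allowed, and the return traffic rides the connection state,
! so no separate inbound rule for the replies is needed.
packet-tracer input inside tcp 10.10.10.10 12345 198.51.100.5 4480
```

Run the two packet-tracer commands after applying the configuration; if either reports "Action: drop", the "Drop-reason" line names the phase (NAT, ACCESS-LIST, or another) that blocked the flow, which is the fastest way to see which of the pieces above is missing or mismatched.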
