05-08-2006 07:57 AM - edited 03-10-2019 02:34 PM
Hi, We have an ACS 4.0 behind a Firewall..
I want to know what are the ports that need to be opened up other than 2002 for remote login purpose..?
Any idea..?
05-08-2006 05:40 PM
Hi,
ACS is accessible via tcp 2002, for initial connection. For subsequent access (moving from page to page), it will randomly use ports 2003 or higher (tcp).
To access this box remotely, you need to open a range of ports, e.g. 2002 -> 3500, or 2002 -> 5000. Please be careful when specifying the range, as too many allowed ports MIGHT pose a risk to your ACS server.
example:
access-list outside permit tcp
Hope this helps.
Rgds,
AK
05-08-2006 10:26 PM
Thank you, yes I can see it uses a really wide range, which can be a threat to the server..
So, I was interested in knowing the exact range... Is this documented somewhere..?
05-08-2006 11:39 PM
Hi,
I think the port range is dynamically opened based on how many times you accessed (moved around the menus of) the server, and how many admin users are accessing it.
As for the doc, I have not come across any yet.
Rgds,
AK
05-09-2006 12:08 AM
Well, I think it is not just 2002 to 5000...
Now I have a session opened with 1824.. Guess it is random, so we are thinking of opening 1000 to 5000, let us see how it goes..
05-09-2006 12:31 AM
Ok, but to be safe, make sure you set/limit max connections to your ACS via the static command and limit external access to only addresses known to you (if applicable):
Example:
a. Static map
static (inside,outside)
static (inside,outside) 10.10.10.10 192.168.1.10 10 20
10 = max connection
20 = embryonic session @ half open session
*set according to how many admin users need to establish connections to ACS
b. ACL limiting access to ACS:
access-list outside permit tcp
access-list outside permit tcp 172.x.x.0 255.255.255.0 host 10.10.10.10 range 2002 5000
Good luck.
Rgds,
AK
05-15-2006 02:39 PM
What about a VPN? Then you could avoid opening any ports, etc...
05-09-2006 02:24 AM
Hi
If you look at the "Access Policy" page under "Admin Control" you'll notice you can change the default port range from 2004..20050 to whatever values you choose.
..but don't go below 2004 as ACS will stop working!
Darran
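Putting AK's connection limit and ACL together with Darran's narrowed port range, as an added example that is not from any post in this thread. It assumes PIX-style syntax, the ACS admin range in Admin Control > Access Policy has been set to 2004-2050 (an assumed value), the ACS is published on 10.10.10.10 (inside 192.168.1.10) as in AK's example, and the admin workstations sit in 172.16.1.0/24 (constructed subnet).

```cisco
! Weak setting this thread started from: the whole default-style range open to any source
! access-list outside permit tcp any host 10.10.10.10 range 2002 5000
!
! Corrected: only the admin subnet, only the initial port plus the narrowed ACS range
! (2002 is the first hop; ACS then redirects the browser into the range set in Access Policy)
access-list outside permit tcp 172.16.1.0 255.255.255.0 host 10.10.10.10 eq 2002
access-list outside permit tcp 172.16.1.0 255.255.255.0 host 10.10.10.10 range 2004 2050
! Everything else to the ACS is dropped and logged, so probes for the old wide range show up
access-list outside deny tcp any host 10.10.10.10 log
access-group outside in interface outside
!
! Cap concurrent and half-open sessions to roughly the number of admins (10 / 20 are AK's figures)
static (inside,outside) 10.10.10.10 192.168.1.10 netmask 255.255.255.255 10 20
```

If you later widen the range in Access Policy, the second access-list line has to be updated to match, otherwise page-to-page navigation will silently fail for remote admins.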
05-10-2006 04:26 AM
Hi Darran, That was a good tip.. That fixed my problem..
Now I have the same issue with LMS... Is there a way to fix this in LMS as well? :-)