ACS 4.0 behind a Firewall

vramanaiah
Level 1

Hi, we have an ACS 4.0 behind a firewall.

I want to know what ports need to be opened up, other than 2002, for remote login purposes.

Any idea?

Accepted Solution

a.kiprawih
Level 7

Hi,

ACS is accessible via TCP 2002 for the initial connection. For subsequent access (moving from page to page), it will randomly use ports 2003 or higher (TCP).

To access this box remotely, you need to open a range of ports, e.g. 2002 -> 3500, or 2002 -> 5000. Please be careful when specifying the range, as too many allowed ports MIGHT pose a risk to your ACS server.

example:

access-list outside permit tcp host range 2002 5000

Hope this helps.

Rgds,

AK


8 Replies


Thank you, yes I can see it uses a really wide range, which can be a threat to the server.

So, I was interested in knowing the exact range... Is this documented somewhere?

Hi,

I think the port range is dynamically opened based on how many times you access the server (move around the menus), and how many admin users are accessing it.

As for the doc, I have not come across any yet.

Rgds,

AK

Well, I think it is not just 2002 to 5000...

Now I have a session opened with 1824. Guess it is random, so we are thinking of opening 1000 to 5000; let us see how it goes.

OK, but to be safe, make sure you set/limit the max connections to your ACS via the static command and limit external access to only addresses known to you (if applicable):

Example:

a. Static map

static (inside,outside)

static (inside,outside) 10.10.10.10 192.168.1.10 10 20

10 = max connections

20 = embryonic (half-open) session limit

*set according to how many admin users need to establish connections to ACS

b. ACL limiting access to ACS:

access-list outside permit tcp host range 2002 5000

access-list outside permit tcp 172.x.x.0 255.255.255.0 host 10.10.10.10 range 2002 5000

Good luck.

Rgds,

AK

What about a VPN? Then you could avoid opening any ports, etc...

Hi

If you look at the "Access Policy" page under "Admin Control" you'll notice you can change the default port range from 2004..20050 to whatever values you choose.

...but don't go below 2004, as ACS will stop working!

Darran
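Once the ACS admin port range has been narrowed on the Access Policy page and the firewall ACL has been restricted to known management addresses (as AK and Darran suggest above), the firewall's own connection logs are the easiest way to confirm the two settings actually line up. The script below is an added example, not code from the thread or from Cisco: it parses PIX/ASA "Built inbound TCP connection" (302013) syslog lines, keeps only connections to the ACS host, and flags two things a defender cares about: sources outside the management subnet that nevertheless got a connection through, and connections to ports that the ACS range does not explain (a sign the firewall range is wider than the ACS range). The ACS addresses (192.168.1.10 inside, 10.10.10.10 static), the management subnet 172.16.1.0/24, the narrowed admin range 2004-2010 and the log lines are all constructed for this example.

```python
"""Review PIX/ASA connection logs for access to an ACS 4.0 admin interface.

Assumptions (constructed for this example, not from the original thread):
the firewall logs connection builds as %PIX-6-302013 / %ASA-6-302013,
the ACS admin port range was narrowed to 2004-2010 on the Access Policy
page, and legitimate admin workstations live in 172.16.1.0/24.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: two admin workstations, one connection from an
# unexpected source, one to a port outside the ACS range, and one line to a
# different inside host that must be ignored.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:172.16.1.20/41000 (172.16.1.20/41000) to inside:192.168.1.10/2002 (10.10.10.10/2002)
%PIX-6-302013: Built inbound TCP connection 1002 for outside:172.16.1.20/41001 (172.16.1.20/41001) to inside:192.168.1.10/2007 (10.10.10.10/2007)
%PIX-6-302013: Built inbound TCP connection 1003 for outside:172.16.1.21/52000 (172.16.1.21/52000) to inside:192.168.1.10/2002 (10.10.10.10/2002)
%PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/33333 (198.51.100.7/33333) to inside:192.168.1.10/2002 (10.10.10.10/2002)
%PIX-6-302013: Built inbound TCP connection 1005 for outside:172.16.1.20/41002 (172.16.1.20/41002) to inside:192.168.1.10/4500 (10.10.10.10/4500)
%PIX-6-302013: Built inbound TCP connection 1006 for outside:172.16.1.20/41003 (172.16.1.20/41003) to inside:192.168.1.50/80 (10.10.10.50/80)
"""

# 302013 layout: "... for <if>:<real-src>/<port> (<mapped-src>/<port>)
#                     to <if>:<real-dst>/<port> (<mapped-dst>/<port>)"
BUILD_RE = re.compile(
    r"%(?:PIX|ASA)-6-302013: Built inbound TCP connection \d+ "
    r"for \S+:(?P<src>[\d.]+)/\d+ \([\d./]+\) "
    r"to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped_dst>[\d.]+)/\d+\)"
)


def expected_ports(admin_low, admin_high):
    """Ports a legitimate ACS admin session can touch: TCP 2002 for the
    initial connection plus the range set under Admin Control > Access
    Policy.  The thread warns that ACS stops working below 2004."""
    if admin_low < 2004:
        raise ValueError("ACS admin port range must not start below 2004")
    if admin_high < admin_low:
        raise ValueError("admin port range upper bound is below lower bound")
    return {2002} | set(range(admin_low, admin_high + 1))


def review(log_text, acs_addresses, mgmt_net, admin_low, admin_high):
    """Return (findings, ports_by_source) for connections to the ACS host.

    findings: list of (reason, source_ip, dest_port) tuples.
    ports_by_source: sorted list of ACS ports each source connected to,
    useful for spotting a source that walks far more ports than a normal
    admin session would."""
    allowed = expected_ports(admin_low, admin_high)
    net = ip_network(mgmt_net)
    findings = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = BUILD_RE.search(line)
        if not m:
            continue
        if m["dst"] not in acs_addresses and m["mapped_dst"] not in acs_addresses:
            continue  # connection to some other inside host
        src, dport = m["src"], int(m["dport"])
        ports_by_src[src].add(dport)
        if ip_address(src) not in net:
            findings.append(("unexpected-source", src, dport))
        if dport not in allowed:
            findings.append(("port-outside-acs-range", src, dport))
    return findings, {s: sorted(p) for s, p in ports_by_src.items()}


if __name__ == "__main__":
    found, per_source = review(
        SAMPLE_LOG, {"192.168.1.10", "10.10.10.10"}, "172.16.1.0/24", 2004, 2010
    )
    for reason, src, port in found:
        print(f"{reason}: {src} -> ACS port {port}")
    for src, ports in per_source.items():
        print(f"{src} touched {len(ports)} ACS port(s): {ports}")
```

Feed it the real `show logging` output (or syslog export) instead of `SAMPLE_LOG`; a hit on `port-outside-acs-range` means the firewall ACL permits more than the ACS range, and a hit on `unexpected-source` means the source-address restriction in the ACL is not doing its job.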

Hi Darran, that was a good tip. That fixed my problem.

Now I have the same issue with LMS. Is there a way to fix this in LMS as well? :-)