
44490 Views | 5 Helpful | 6 Replies
mahesh18
Frequent Contributor

How to determine if the ASA is blocking a port or not?

Hi everyone,

I am supporting an ASA in a client office. I am new to the ASA world.

Users mostly ask me to check if the ASA is allowing a specific port or not.

I do not know how I can check that.

Is there any way that I can determine if the ASA is blocking a port or not?

If the ASA is blocking a port, what steps do I need to take to get the ASA to allow the specific port?

regards

mahesh


6 REPLIES
Tarik Admani
Advocate

Hi,

You can use the packet-tracer command to get the results you are after, i.e. if a client from 10.1.1.10 is trying to access Google DNS you can use the following syntax:

packet-tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off, but you can tab your way through this).

Thanks,

Sent from Cisco Technical Support iPad App

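The packet-tracer command answers "is this flow blocked, and by which phase?" in a long multi-phase printout. The following parser is an added example, not code from this thread or from Cisco: it reads text laid out like the `packet-tracer ... detailed` output and reduces it to the final Action, the Drop-reason and the first phase that returned DROP, together with the config lines shown for that phase. The sample trace is constructed for the example (the phase list, interfaces and drop reason are made up to match the UDP/53 case in the reply above); it was not captured from a device.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample laid out like ASA `packet-tracer ... detailed` output
# for a UDP/53 flow denied by an inbound ACL on the inside interface.
# Made up for this example; not captured from a real ASA.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outgoing in interface inside
access-list outgoing extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)


@dataclass
class TraceVerdict:
    action: str
    drop_reason: Optional[str]
    phases: List[Phase]

    def blocking_phase(self) -> Optional[Phase]:
        """The first phase whose Result is DROP, or None when nothing dropped."""
        return next((p for p in self.phases if p.result == "DROP"), None)


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> TraceVerdict:
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section: Optional[str] = None
    action, drop_reason = "unknown", None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = Phase(number=int(_value(line)))
            phases.append(current)
            section = None
        elif line.startswith("Action:"):
            action = _value(line)
        elif line.startswith("Drop-reason:"):
            drop_reason = _value(line)
        elif current is None:
            continue  # summary-block fields we do not need
        elif line.startswith("Type:"):
            current.type = _value(line)
        elif line.startswith("Subtype:"):
            current.subtype = _value(line)
        elif line.startswith("Result:"):
            # A phase's own Result line carries ALLOW or DROP; a bare
            # "Result:" line opens the final summary block instead.
            value = _value(line)
            if value:
                current.result = value
            else:
                current = None
        elif line.strip() == "Config:":
            section = "config"
        elif line.strip() == "Additional Information:":
            section = "info"
        elif section == "config" and line.strip():
            current.config.append(line.strip())
    return TraceVerdict(action, drop_reason, phases)


def summarize(verdict: TraceVerdict) -> str:
    """One-line answer to 'is the ASA blocking this flow, and where?'."""
    if verdict.action == "allow":
        return "allowed"
    phase = verdict.blocking_phase()
    if phase is None:
        return f"dropped ({verdict.drop_reason})"
    rule = phase.config[-1] if phase.config else "no config shown"
    return f"dropped in phase {phase.number} {phase.type}: {rule}"


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_TRACE)))
```

Running the block prints `dropped in phase 2 ACCESS-LIST: access-list outgoing extended deny ip any any log`, which is the line a user actually wants from the trace. Feeding it the output of the permit case instead yields `allowed`.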

mahesh18
Frequent Contributor

Hi Tarik,

Thanks for reply.

I will test the packet tracer.

Will it add any overhead on the ASA?

Also, what config do I need to do on the ASA to allow traffic on a specific port?

Regards

mahesh

mahesh18
Frequent Contributor

Thanks a lot Tarik it worked

Mahesh,

There should not be any overhead on the ASA. Also, you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall, then it would be best to post a separate discussion in the Firewalling forum.

With the latest releases of the ASA code there have been some changes made to how the ACLs are configured (pre-NAT vs real) between 8.2, 8.3, and 8.4.

thanks,

Tarik Admani
*Please rate helpful posts*


Hi Mahesh.

You can allow or deny the ports using the access-list. See for example: you want to allow only www traffic from your end and the rest should all be blocked. The ACL should be like this:

access-list outgoing extended permit tcp any (destination) eq www
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!

So this will allow only http/www traffic from your end; the rest will all be blocked. ACL is a vast topic; you have many methods and flows which can be implemented.

The packet-tracer command will be helpful once you have configured all the ACLs.

Also you can check with sh logg | in which will show the active logs of the specific source/destination; packet tracer gives extended output with complete details.

sh access-list | in if you have the rule in place and you want to see the hits; the hit count will increase if it has hits.

All I can say is you can learn ACL and its methods for better understanding.

Please do rate if the given information helps.

By

Karthik

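The two rules above are evaluated top-down, first match wins, and an ASA ACL ends with an implicit deny even when no explicit deny line is written. The following block is an added example, not code from Karthik's or Tarik's replies or from Cisco: it parses ACEs written in that `access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]` form, evaluates a flow against them with first-match semantics, and counts hits per entry the way `sh access-list` shows `(hitcnt=N)`. The post's `(destination)` placeholder is replaced by a made-up web server, 203.0.113.10 (a documentation-range address), the service-name table covers only a few ASA keywords, and the `line N` / `hitcnt` output is shaped loosely like the real command, all of which are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL in the form of the rules in the reply above. The post's
# "(destination)" placeholder is replaced by a made-up host so the line parses.
ACL_TEXT = """\
access-list outgoing extended permit tcp any host 203.0.113.10 eq www
access-list outgoing extended deny ip any any log
"""

# A few ASA service-name keywords (assumed subset); numeric ports also work.
SERVICE_PORTS = {"www": 80, "https": 443, "domain": 53, "ssh": 22}


@dataclass
class Ace:
    """One access-list entry plus a hit counter like (hitcnt=N) in `show access-list`."""
    action: str                      # permit or deny
    protocol: str                    # tcp, udp or ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port
    text: str
    hits: int = 0


@dataclass
class Flow:
    protocol: str
    src: str
    dst: str
    dst_port: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume an address spec (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    # access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, port, line.strip())


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.startswith("!")]


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[str]]:
    """First-match evaluation with the implicit deny at the end of every ASA ACL.
    Returns (action, matching ACE text), or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.protocol not in ("ip", flow.protocol):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        ace.hits += 1
        return ace.action, ace.text
    return "deny", None


def show_access_list(acl: List[Ace]) -> List[str]:
    """Lines shaped loosely like `show access-list` output, so hit counts can be eyeballed."""
    return [f"line {n}: {ace.text} (hitcnt={ace.hits})" for n, ace in enumerate(acl, 1)]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for f in [Flow("tcp", "10.1.1.10", "203.0.113.10", 80),
              Flow("udp", "10.1.1.10", "8.8.8.8", 53)]:
        print(f, "->", evaluate(acl, f))
    print("\n".join(show_access_list(acl)))
```

The web flow matches the permit line; the DNS flow falls through to the explicit `deny ip any any log` line, which is why that entry's hit count climbs while the permit line's stays put. Removing the deny line does not open the port: the flow then hits the implicit deny instead, which is the case the `("deny", None)` return value represents.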

mahesh18
Frequent Contributor

Hi Tarik and Karthik,

Many thanks for great info.

regards

Mahesh
