Hi everyone,
I am supporting an ASA in a client office. I am new to the ASA world.
Users mostly ask me to check whether the ASA is allowing a specific port or not.
I do not know how I can check that.
Is there any way that I can determine if the ASA is blocking a port or not?
If the ASA is blocking a port, what steps do I need to take to allow the specific port through the ASA?
regards
mahesh
Hi,
You can use the packet-tracer command to get the results you are after, i.e. if a client from 10.1.1.10 is trying to access Google DNS you can use the following syntax:
packet-tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off, but you can tab your way through this).
Thanks,
Sent from Cisco Technical Support iPad App
Mahesh,
There should not be any overhead on the ASA. Also, you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall then it would be best to post a separate discussion in the Firewalling forum.
With the latest release of the ASA code there have been some changes made to how the ACLs are configured (pre-NAT vs real) across 8.2, 8.3, and 8.4.
thanks,
Tarik Admani
*Please rate helpful posts*
Hi Mahesh.
You can allow or deny the ports using an access-list. For example, if you want to allow only www traffic from your end and everything else should be blocked, the ACL should look like this:
access-list outgoing extended permit tcp
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!
So this will allow only http/www traffic from your end; everything else will be blocked. ACLs are a vast topic, and there are many methods and flows which can be implemented.
The packet-tracer command will be helpful once you have completed your configuration of all the ACLs.
Also you can check with sh logg | in
sh access-list | in
All I can say is that you can learn ACLs and their methods for a better understanding.
Please do rate if the given information helps.
By
Karthik
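As an added illustration of the first-match logic behind Karthik's ACL and the "is this port blocked?" question (this is example code, not from the thread or from Cisco): a small evaluator that reads extended ACEs in the `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]` form and reports which line a flow would hit. The sample ACL, the port-name table and the IP addresses are constructed; it handles only `any`, `host A` and `A MASK` addresses plus `eq` port qualifiers (no object-groups, ranges or source-port matching), and packet-tracer on the real device remains authoritative because it also accounts for NAT, routing and inspection.

```python
import ipaddress

# Constructed ACL in the style of the thread's example (not from a real device).
SAMPLE_ACL = [
    "access-list outgoing extended permit tcp any any eq www",
    "access-list outgoing extended permit udp 10.1.1.0 255.255.255.0 host 8.8.8.8 eq domain",
    "access-list outgoing extended deny ip any any log",
]

# Assumed subset of ASA port keywords, enough for the sample ACL.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse: access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] [log]."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _parse_addr(rest)
    _sport, rest = _parse_port(rest)   # parsed but not matched (simplification)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def check_port(acl_lines, proto, src_ip, dst_ip, dport):
    """First matching ACE wins, as on the ASA; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny at end of ACL"
```

The returned line tells you which ACE to look for in `sh access-list` hit counts or in the log output when the deny carries `log`.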
Hi Tarik,
Thanks for the reply.
I will test the packet tracer.
Will it add any overhead on the ASA?
Also, what config do I need to do on the ASA to allow traffic on a specific port?
Regards
mahesh
Thanks a lot Tarik it worked
Hi Tarik and Karthik,
Many thanks for great info.
regards
Mahesh