10-15-2012 09:08 PM - edited 03-10-2019 07:40 PM
Hi everyone,
I am supporting an ASA in a client office. I am new to the ASA world.
Users mostly ask me to check whether the ASA is allowing a specific port or not.
I do not know how I can check that.
Is there any way that I can determine if the ASA is blocking a port or not?
If the ASA is blocking a port, what steps do I need to take to allow the ASA to pass the specific port?
regards
mahesh
10-15-2012 09:15 PM
Hi,
You can use the packet-tracer command to get the results you are after, i.e. if a client at 10.1.1.10 is trying to access Google DNS you can use the following syntax:
packet-tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off but you can tab your way through this).
Thanks,
Sent from Cisco Technical Support iPad App
10-21-2012 07:38 PM
Mahesh,
There should not be any overhead on the ASA. Also, you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall then it would be best to post a separate discussion in the Firewalling forum.
With the latest releases of the ASA code there have been some changes made to how the ACLs are configured (pre-NAT vs. real addresses) between 8.2, 8.3, and 8.4.
thanks,
Tarik Admani
*Please rate helpful posts*
10-21-2012 08:53 PM
Hi Mahesh.
You can allow or deny the ports using an access-list. See, for example, if you want to allow only www traffic from your end and everything else should be blocked, the ACL should be like this:
access-list outgoing extended permit tcp
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!
So this will allow only http/www traffic from your end; everything else will be blocked. ACLs are a vast topic; you have many methods and flows which can be implemented.
The packet-tracer command will be helpful once you have configured all the ACLs.
Also you can check by sh logg | in
sh access-list | in
All I can say is that you can learn ACLs and their methods for better understanding.
Please do rate if the given information helps.
By
Karthik
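To make the first-match logic behind Karthik's ACL concrete, here is an added example that is not from the thread or from Cisco: a small Python evaluator that walks `access-list NAME extended ...` lines top-down the way an ASA does and reports which line decides a given 5-tuple. The sample ACL completes Karthik's permit line with the assumed `any any eq www`, since the thread shows it truncated. It is a teaching aid only and deliberately ignores NAT (the 8.3 real-vs-mapped change Tarik mentions), connection state, object-groups and port ranges; packet-tracer on the box remains the authoritative check.

```python
"""Minimal first-match evaluator for ASA extended ACL lines (added example, not Cisco code).

Models only: permit/deny, protocol ip/tcp/udp/icmp, 'any' / 'host A.B.C.D' /
'A.B.C.D MASK' for source and destination, an optional 'eq PORT' after each,
and the trailing 'log' keyword. Everything else (NAT, state, object-groups,
ranges, time-ranges) is out of scope. Implicit deny applies when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known names the ASA accepts in place of port numbers (constructed).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22, "smtp": 25}


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port
    log: bool


def _port(token: str) -> int:
    """Map a port name or number to an integer."""
    return PORT_NAMES.get(token.lower()) or int(token)


def _network(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Address followed by a subnet mask, e.g. 10.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def _optional_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an 'eq PORT' operator if present at tokens[i]."""
    if i + 1 < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list NAME extended ...' line; return None for any other line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    action, proto = tokens[3].lower(), tokens[4].lower()
    src, i = _network(tokens, 5)
    sport, i = _optional_port(tokens, i)
    dst, i = _network(tokens, i)
    dport, i = _optional_port(tokens, i)
    return AclEntry(action, proto, src, sport, dst, dport, "log" in tokens[i:])


def evaluate(acl_lines: List[str], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None, sport: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return (action, matching line). Top-down, first match wins; (deny, None) is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        e = parse_acl_line(line)
        if e is None:
            continue
        if e.proto != "ip" and e.proto != proto.lower():
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        return e.action, line
    return "deny", None  # every ASA ACL ends with an implicit deny


# Karthik's ACL with the permit line completed as 'any any eq www' (assumed completion, constructed).
SAMPLE_ACL = [
    "access-list outgoing extended permit tcp any any eq www",
    "access-list outgoing extended deny ip any any log",
]

if __name__ == "__main__":
    # Same client and DNS server as in the packet-tracer reply above; 203.0.113.5 is a documentation address.
    print(evaluate(SAMPLE_ACL, "tcp", "10.1.1.10", "203.0.113.5", 80))   # permit by line 1
    print(evaluate(SAMPLE_ACL, "udp", "10.1.1.10", "8.8.8.8", 53))       # deny by the explicit, logged line 2
    print(evaluate(SAMPLE_ACL[:1], "udp", "10.1.1.10", "8.8.8.8", 53))   # deny by the implicit deny (None)
```

The third call shows why Karthik's explicit `deny ip any any log` line is worth keeping even though the ASA would drop the traffic anyway: only the explicit line produces a syslog hit that `show logging` can surface, which is exactly what a helpdesk needs when a user asks "is the firewall blocking my port?".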
10-15-2012 09:27 PM
Hi Tarik,
Thanks for reply.
I will test the packet tracer .
Will it add any overhead on the ASA?
Also, what config do I need to do on the ASA to allow traffic on a specific port?
Regards
mahesh
10-20-2012 10:53 AM
Thanks a lot Tarik, it worked.
10-22-2012 08:13 PM
Hi Tarik and Karthik,
Many thanks for great info.
regards
MAhesh