12-02-2012 08:25 PM - edited 03-10-2019 07:51 PM
My question is in reference to the following link:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
My question is whether there is a better document that details these requirements. Which rules are meant to be ISE node - ISE node communications, and which rules are for access device - ISE, or ISE - access device? One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799, or is it the other way round, or unidirectional?
I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.
12-04-2012 01:18 AM
I am having the same questions. So far I have opened SNMP from ISE to NAD and then all the probe traffic (DNS, DHCP...) from NAD to ISE. And I seem to be able to profile devices correctly.
12-05-2012 05:41 PM
Try this for size.
In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
You might be able to cut this list down, and you might have to add to it for any specific requirements.
From PSN to AD (potentially all AD nodes):
TCP 389, 3268, 445, 88, 464
UDP 389, 3268
From PSN to Monitoring nodes:
TCP 443
UDP 20514
PSN to Admin Nodes (2Way):
TCP 443, 1521
ICMP echo and reply (heartbeat)
WLC to PSN:
TCP 443, 8443, 80, 8080
UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
PSN to other PSNs (2 way):
UDP 30514, 45588, 45990
Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSNs, internal users just to internal PSNs):
TCP 8443, 8905
UDP 8905
Admin/Sponsor to all ISE nodes:
TCP 22, 80, 443, 8080, 8443
UDP 161
PSN access to DNS servers:
TCP/UDP 53
PSN access to NTP servers:
UDP 123
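The port list in the reply above, turned into a lookup table so that a proposed firewall change for a distributed ISE deployment can be checked against it before it is pushed. This is an added example and not code from the forum post or from Cisco; the list is transcribed exactly as posted (including the 2-way entries, which are expanded into both directions), the role names PSN, ADMIN, MNT, AD, WLC, ENDPOINT, OPERATOR, DNS and NTP are labels chosen here rather than ISE terms, the expansion of "all ISE nodes" into PSN/ADMIN/MNT is an assumption, and the ASA-style object-group names it renders are placeholders.

```python
"""Firewall-rule matrix for a distributed Cisco ISE deployment.

Added example, not from the forum post or Cisco documentation. The port
list posted in the thread is transcribed as written into a role-to-role
matrix; "2 way" entries are expanded into both directions. Role names and
object-group names are constructed labels, not ISE terminology.
"""
from collections import defaultdict

# (source role, destination role, protocol, ports, bidirectional)
_RULES = [
    ("PSN", "AD", "tcp", (389, 3268, 445, 88, 464), False),
    ("PSN", "AD", "udp", (389, 3268), False),
    ("PSN", "MNT", "tcp", (443,), False),
    ("PSN", "MNT", "udp", (20514,), False),
    ("PSN", "ADMIN", "tcp", (443, 1521), True),
    ("PSN", "ADMIN", "icmp", (), True),   # heartbeat: echo and reply
    ("WLC", "PSN", "tcp", (443, 8443, 80, 8080), False),
    ("WLC", "PSN", "udp",
     (1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67), False),
    ("PSN", "PSN", "udp", (30514, 45588, 45990), True),
    ("ENDPOINT", "PSN", "tcp", (8443, 8905), False),
    ("ENDPOINT", "PSN", "udp", (8905,), False),
    ("OPERATOR", "ISE", "tcp", (22, 80, 443, 8080, 8443), False),
    ("OPERATOR", "ISE", "udp", (161,), False),
    ("PSN", "DNS", "tcp", (53,), False),
    ("PSN", "DNS", "udp", (53,), False),
    ("PSN", "NTP", "udp", (123,), False),
]

# Assumption: "all ISE nodes" in the Admin/Sponsor entry means these roles.
ISE_ROLES = ("PSN", "ADMIN", "MNT")


def build_matrix():
    """Expand _RULES into {(src, dst, proto): set(ports)}."""
    matrix = defaultdict(set)
    for src, dst, proto, ports, two_way in _RULES:
        dsts = ISE_ROLES if dst == "ISE" else (dst,)
        for d in dsts:
            matrix[(src, d, proto)].update(ports)
            if two_way:
                matrix[(d, src, proto)].update(ports)
    return matrix


MATRIX = build_matrix()


def is_allowed(src, dst, proto, port=None):
    """True if the posted list permits src -> dst on proto/port.

    ICMP entries carry no port, so pass port=None for them.
    """
    key = (src.upper(), dst.upper(), proto.lower())
    if key not in MATRIX:
        return False
    if key[2] == "icmp":
        return True
    return port in MATRIX[key]


def to_asa_lines(acl_name="ISE_DIST"):
    """Render the matrix as Cisco ASA-style access-list lines.

    Object-group names are the role labels (placeholders); map them to
    real host groups before use.
    """
    lines = []
    for (src, dst, proto), ports in sorted(MATRIX.items()):
        if proto == "icmp":
            lines.append(f"access-list {acl_name} extended permit icmp "
                         f"object-group {src} object-group {dst}")
            continue
        for port in sorted(ports):
            lines.append(f"access-list {acl_name} extended permit {proto} "
                         f"object-group {src} object-group {dst} eq {port}")
    return lines


if __name__ == "__main__":
    for line in to_asa_lines():
        print(line)
    print("WLC->PSN udp/1812:", is_allowed("WLC", "PSN", "udp", 1812))
```

Because the 2-way entries are expanded on load, a reverse-direction check such as ADMIN -> PSN on TCP 1521 is answered the same way as the posted direction, and a flow absent from the list (for instance WLC -> PSN on TCP 22) is rejected, which is the behaviour you want when reviewing a rule request against a known-good matrix.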
12-05-2012 10:18 PM
You could also issue a show ports | inc ip
PSN to Admin Nodes (2Way):
TCP 443, 1521, 8443
ICMP echo and reply (heartbeat)
Thanks,
Tarik Admani
*Please rate helpful posts*