Adding new service to ASA (ASDM 6.4)

davidmoreno69
Level 1

Hello Guys,

Could you please explain to me the source and destination ports options shown in the add new service box?

I searched in the Cisco Site, but there is no good explanation about how that works:

"

- Destination Port/Range

- Source Port/Range—Lists the protocol source ports/ranges

"

What I need to do is to add a new service (TCP 1433).

Thanks in advance!


5 Replies

Jouni Forss
VIP Alumni

Hi,

I am afraid that there isn't quite enough information.

Are you trying to configure some NAT and ACL rule that would allow TCP/1433 connections from the external network to some internal server?

Or is there perhaps an existing NAT already and you just want to allow TCP/1433 traffic in some interface ACL?

I personally don't use ASDM to configure the ASA so I would rather look at the situation through the Command Line Interface (CLI).

- Jouni

Hello JouniForss,

Unfortunately I do not have SSH access to this FW.

In what scenarios do you use either option?

Thanks!

Hi,

It would seem to me that you are about to create an "object service".

Creating a Service Object in itself won't change any operation on the firewall. The Service Object is typically used either in ACL/access-list rules to allow traffic or the Service Object is used as a part of a NAT configuration.

I assume that you are perhaps going to use this Service Object in some ACL to allow traffic?

In that case you would typically only specify the port TCP/1433 in the destination port/range section and leave the source port/range section blank. This is because we usually can't possibly know what the source port for some connection is so there is no point limiting the connection based on its source port.

So when you are creating ACL rules you are usually allowing connections to some destination IP address and destination port. This means that you will naturally only use the destination port/range in those situations.

The only common situation where you might want to define the source port/range is when you are using the created Service Object as a part of some NAT configuration but that is a bit hard to explain without going into detail.

- Jouni

Thanks Jouni,

In my short experience in security, I have only created rules that care about the destination port. So far I have not been involved in any situation where source port is restricted.

If you have a scenario in mind where source port needs to be restricted, please share it, so at least I will have an idea of when the source port option is required.

Thanks again!

Hi,

Well there was a discussion here on the forums some time ago where a user wanted to create a special NAT rule.

In that situation the user had only 1 public IP address available that was naturally used for all LAN users when connecting to the Internet. But a remote site still wanted to limit the connections based on some information. The idea was to use the source port. Dynamic PAT naturally poses the problem that users will be always visible from the same public IP address and the source port is random even after the Dynamic PAT translation.

The user wanted to do Dynamic PAT and wanted the translated port to be from some certain range. We managed to build this special Dynamic PAT configuration and this made it possible for the remote site to allow connections only from this certain public IP address when the source port was from a certain range.

The above is a pretty extreme/special situation which I would imagine not many people would use or would even have to implement. But naturally in that specific case if you were the admin of the remote site firewall you could have created a Service Object with both the known source port range and the destination port where they need to connect.

Hope this helps and makes sense.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
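The two cases described in this thread, the common destination-port-only service object used in an interface ACL (the accepted answer) and the special remote-site case where the service object also carries a known source port range (the last reply), written out in ASA CLI form. This is an added example, not configuration from the thread or from Cisco's documentation. The object names, the server address 10.10.10.20, its mapped address 203.0.113.50, the partner PAT address 203.0.113.10 and the 40000-40100 source range are constructed for illustration; the syntax is the object-based form used by ASA 8.3 and later, which is what ASDM 6.4 drives.

```cisco
! ---- Common case: service object with destination port only ----
! Internal SQL server (constructed address) published via static NAT.
object network SQL-SERVER
 host 10.10.10.20
 nat (inside,outside) static 203.0.113.50
!
! Only the destination port is set. The source port field is left
! empty on purpose: clients pick a random ephemeral source port, so
! restricting it would only break legitimate connections.
object service TCP-1433
 service tcp destination eq 1433
!
! Variant A: allow any source (any source port) to the server on 1433.
! "log" makes each match visible in syslog for later review.
access-list OUTSIDE-IN-A extended permit object TCP-1433 any object SQL-SERVER log
!
! ---- Special case: remote-site firewall that also matches source port ----
! Only useful when the sending side is known to present a fixed public
! address and a fixed translated source port range (the PAT arrangement
! from the thread). Both values below are constructed samples.
object network PARTNER-PAT-IP
 host 203.0.113.10
object service TCP-1433-FROM-PARTNER
 service tcp source range 40000 40100 destination eq 1433
!
! Variant B: same destination, but only from the partner address and
! only when the source port falls inside the agreed range.
access-list OUTSIDE-IN-B extended permit object TCP-1433-FROM-PARTNER object PARTNER-PAT-IP object SQL-SERVER log
!
! Bind one variant to the outside interface. Variant B is bound here so
! the checks below exercise the source port match.
access-group OUTSIDE-IN-B in interface outside
!
! ---- Checks ----
! Confirm the service objects expanded to the intended ports.
show running-config object service
!
! Simulate two inbound connections. Since ASA 8.3 the ACL is evaluated
! against the real (un-NATed) address, so the destination here is the
! mapped address as it arrives on the outside interface.
! Source port inside the agreed range: expected result "Action: allow".
packet-tracer input outside tcp 203.0.113.10 40050 203.0.113.50 1433
! Random ephemeral source port outside the range: expected "Action: drop"
! at the ACCESS-LIST phase, which is exactly why Variant A is the normal
! choice when the peer's source port is not under your control.
packet-tracer input outside tcp 203.0.113.10 51234 203.0.113.50 1433
!
! Hit counts per ACE after real traffic has flowed.
show access-list OUTSIDE-IN-B
```

To switch to the common case, bind `OUTSIDE-IN-A` with `access-group OUTSIDE-IN-A in interface outside` instead; re-running the second `packet-tracer` then shows the same connection allowed, because Variant A does not look at the source port at all. The ASDM "Add Service" dialog maps onto the `service tcp source ... destination ...` line one to one: the Destination Port/Range field is the `destination` clause and the Source Port/Range field is the `source` clause.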
