Allow WhatsApp through Cisco ASA 5520

Debabrata Majhi
Level 1

Hi,

We have a Cisco ASA 5520 SSM 10 with IOS 8.2.4. Now we want to allow WhatsApp from our enterprise network. We have tried to allow WhatsApp via the Trend Micro proxy server, but WhatsApp does not work through the proxy server.

We have decided that we will allow the WhatsApp users' IPs with dynamic NAT using the Cisco ASA public IP.

Before finalizing, we need some help from you.

1) What will be the security risk?

2) Can we allow only WhatsApp traffic from the ASA (WhatsApp works on 443 and 5222)?

3) Can we configure any URL filter in the Cisco ASA?

Regards

Debabrata

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

1) As per your implementation, you are looking at using dynamic NAT on the ASA device, so the security risk is minimal.

2) I think this might be possible, but you would like to make sure that there is no other port being used by the application.

3) As you want to allow the traffic, I don't think you need to go with the URL filtering option, and also that will not work as the traffic is SSL encrypted.

Thanks and Regards,

Vibhor Amrodia

Hi,

Thanks for the reply.

As we know, if we allow any user's IP with dynamic NAT, the user can access anything from the internet.

Actually we want to allow WhatsApp but at the same time want to make sure that users will be safe from the below-mentioned threats,

like viruses, worms, Trojans, and other threats in SMTP, POP3, HTTP, and FTP network traffic, and block URLs that we do not want employees to access, or URLs that are known to have hidden or malicious purposes.

Can the ASA do this? If yes, then how should we proceed?

Is there any device or software from Cisco's security solutions to fulfill our requirement?

SRusev
Level 1

Dear Debabrata,

In order to allow WhatsApp to pass through the ASA firewall (inside -> outside) you need to allow:

  • udp/3478

example: access-list acl_inside line 1 extended permit udp object insidenet any eq 3478

  • tcp/5222-5228

example: access-list acl_inside line 2 extended permit tcp object insidenet any range 5222 5228

Also, I assume you have already allowed:

  • tcp/443
  • tcp/80

Regards,

Stefan Rusev
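A fuller version of the ACL approach from this reply, as an added example that is not part of the thread: it restricts a named set of inside hosts to the WhatsApp ports listed above, PATs them behind the outside interface address (the dynamic NAT the question describes, in 8.2 syntax), and logs anything else those hosts try, which gives you the visibility the earlier reply asked for. The group name WHATSAPP_USERS, the host addresses 192.0.2.10 and 192.0.2.11, and the service-group names are constructed for the example; acl_inside is the ACL name used above.

```cisco
! Constructed example, ASA 8.2 syntax; names and addresses are placeholders.
! Inside hosts that are permitted to use WhatsApp
object-group network WHATSAPP_USERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! WhatsApp TCP ports (443 plus the 5222-5228 range from this reply)
object-group service WHATSAPP_TCP tcp
 port-object eq 443
 port-object range 5222 5228
!
! WhatsApp UDP port (3478 from this reply)
object-group service WHATSAPP_UDP udp
 port-object eq 3478
!
! Permit only those ports for the WhatsApp group, then deny and log the rest,
! so any other use of the allowed hosts shows up in syslog (106023 messages).
access-list acl_inside remark WhatsApp egress for approved hosts only
access-list acl_inside extended permit tcp object-group WHATSAPP_USERS any object-group WHATSAPP_TCP
access-list acl_inside extended permit udp object-group WHATSAPP_USERS any object-group WHATSAPP_UDP
access-list acl_inside extended deny ip object-group WHATSAPP_USERS any log
! (existing entries for other inside hosts follow here)
access-group acl_inside in interface inside
!
! Dynamic PAT of the approved hosts to the outside interface address (8.2 nat/global form)
nat (inside) 1 192.0.2.10 255.255.255.255
nat (inside) 1 192.0.2.11 255.255.255.255
global (outside) 1 interface
```

Note that a port-based permit cannot tell WhatsApp apart from any other application using tcp/443, which is the point made in the first reply; the logged deny line at least records what else those hosts attempt.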
