12-24-2010 03:28 AM - edited 03-11-2019 12:27 PM
Hi Experts
We got one application whose ports are unknown to be opened from inside and outside of ASA. For test purposes we allow permit ip any any and it works. How do I identify the ports?
Access-list is applied on inside and outside interface of ASA
ASA 5520
Version 8.2
Hope to get help
Thanks
ST
12-24-2010 06:38 AM
Hi ST,
By default in an ASA, if no access-list is applied on the inside interface then all traffic going from inside (higher sec level) to outside(lower sec level) would be allowed.
What kind of application are you running? If it's a TCP based application then you do not need to apply any access-list on the outside interface too. This is because ASA will maintain a state of TCP based applications.
Anyway, if you would like to find out the port numbers that the application is using, you can apply captures on the inside interface. This would capture details about the packets.
Following is the method of applying captures :
access-list capi permit ip host
access-list capi permit ip host
capture capin access-l capi interface inside
Now, when you do a sh capture capin detail, you would be able to see the source and destination ports.
Hope I could answer your question!!
Cheers,
Manasi
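To turn the capture described in this answer into a tight ACL instead of a permit ip any any, the port pairs in the show capture output have to be collapsed into "which client talks to which server port". The following Python script is an added example, not code from the thread or from Cisco: it parses constructed sample lines written in the style of show capture (the exact ASA output format, the capture and ACL names, and all addresses are assumptions), keeps only the TCP SYNs and the first UDP packet of each port pair so the connection initiator is identified correctly, and renders one host-to-host ACE per discovered service.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of "show capture capin" output. This is not
# real output from the thread; addresses and ports are invented. It holds two
# TCP connections to the same server port plus one UDP exchange.
SAMPLE_CAPTURE = """\
   1: 10:15:01.100000 192.168.10.25.49731 > 10.20.0.7.8443: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:15:01.100400 10.20.0.7.8443 > 192.168.10.25.49731: S 2000:2000(0) ack 1001 win 29200
   3: 10:15:01.100800 192.168.10.25.49731 > 10.20.0.7.8443: . ack 2001 win 8192
   4: 10:15:02.200000 192.168.10.31.50002 > 10.20.0.7.8443: S 3000:3000(0) win 8192
   5: 10:15:02.500000 192.168.10.25.55001 > 10.20.0.7.5060: udp 412
   6: 10:15:02.500300 10.20.0.7.5060 > 192.168.10.25.55001: udp 380
"""

# "a.b.c.d.PORT > e.f.g.h.PORT: <flags or 'udp'> ..." (assumed line shape)
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def parse_capture(text):
    """Return a list of (proto, src, sport, dst, dport, syn_only) tuples."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # header lines, empty lines, non-IP frames
        rest = m.group("rest")
        if rest.startswith("udp"):
            proto, syn_only = "udp", False
        else:
            proto = "tcp"
            # The flags token comes first: a bare "S" is the client's SYN,
            # "S ... ack" is the server's SYN/ACK and must not count.
            flags = rest.split()[0]
            syn_only = flags == "S" and " ack " not in rest
        packets.append((proto, m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport")), syn_only))
    return packets


def service_flows(packets):
    """Collapse packets into {(proto, client, server, server_port): count}.

    For TCP only the SYN decides who initiated; for UDP there is no handshake,
    so the first packet seen for a port pair is treated as the initiator.
    """
    flows = OrderedDict()
    seen_udp = set()
    for proto, src, sport, dst, dport, syn_only in packets:
        if proto == "tcp":
            if not syn_only:
                continue
        else:
            pair = frozenset([(src, sport), (dst, dport)])
            if pair in seen_udp:
                continue  # reply packet of a UDP exchange already recorded
            seen_udp.add(pair)
        key = (proto, src, dst, dport)
        flows[key] = flows.get(key, 0) + 1
    return flows


def acl_lines(flows, acl_name="inside_in"):
    """Render one ASA extended ACE per service flow (assumed ACL name)."""
    return [
        f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {dport}"
        for (proto, src, dst, dport) in flows
    ]


if __name__ == "__main__":
    for ace in acl_lines(service_flows(parse_capture(SAMPLE_CAPTURE))):
        print(ace)
```

Run the script against pasted show capture output to get a first draft of host-and-port ACEs; review the result before applying it, since a short capture may miss ports the application opens only occasionally, and anything dynamic (for example data channels negotiated inside a control connection) needs the matching ASA inspection rather than a static ACE.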
12-24-2010 06:42 AM
Hi ST,
One more thing to point out here is that if the traffic is getting initiated from the outside, we should necessarily apply an access-l on the outside interface to permit the required traffic!!
Thanks,
Manasi!!