
Application port

saquib.tandel
Level 1

Hi Experts

We got one application whose ports are unknown, to be opened from inside and outside of the ASA. For test purposes we allow permit ip any any and it works. How do I identify the ports?

Access-list is applied on inside and outside interface of ASA
ASA 5520
Version 8.2

Hope to get help

Thanks

ST

2 Replies

manasjai
Cisco Employee

Hi ST,

By default in an ASA, if no access-list is applied on the inside interface, then all traffic going from inside (higher security level) to outside (lower security level) would be allowed.

What kind of application are you running? If it's a TCP-based application, then you do not need to apply any access-list on the outside interface either. This is because the ASA will maintain state for TCP-based applications.

Anyway, if you would like to find out the port numbers that the application is using, you can apply captures on the inside interface. This would capture details about the packets.

Following is the method of applying captures:

access-list capi permit ip host host

access-list capi permit ip host host

capture capin access-l capi interface inside

Now, when you do a sh capture capin detail, you would be able to see the source and destination ports.

Hope I could answer your question!!

Cheers,

Manasi

manasjai
Cisco Employee

Hi ST,

One more thing to point out here is that if the traffic is getting initiated from the outside, we must apply an access-l on the outside interface to permit the required traffic!!

Thanks,

Manasi!!
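The two replies above describe a procedure: capture on the inside interface, read the source and destination ports out of sh capture output, then write narrow access-list entries in place of the permit ip any any used for testing, with outside-initiated traffic needing an entry on the outside interface. The following script is an added example, not part of the thread or of any Cisco tool. It parses the "src.port > dst.port: flags" lines that the ASA capture prints, counts only connection initiations (the bare TCP SYN, and the first packet of a UDP flow, treating a packet whose reverse 4-tuple was already seen as a reply), splits them by which side started the flow, and emits one ACE per observed flow. The capture text, the hosts 192.168.1.10 and 10.1.1.5, the ports and the ACL names inside_in and outside_in are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of "show capture capin" output (hypothetical hosts and
# ports). Real output has the same "src.port > dst.port: flags" shape.
SAMPLE_CAPTURE = """\
   1: 10:54:32.123456 192.168.1.10.54321 > 10.1.1.5.443: S 1234567890:1234567890(0) win 8192 <mss 1460>
   2: 10:54:32.125000 10.1.1.5.443 > 192.168.1.10.54321: S. 987654321:987654321(0) ack 1234567891 win 65535 <mss 1460>
   3: 10:54:32.126000 192.168.1.10.54321 > 10.1.1.5.443: . ack 987654322 win 8192
   4: 10:54:33.000000 192.168.1.10.54322 > 10.1.1.5.8443: S 111:111(0) win 8192 <mss 1460>
   5: 10:54:33.500000 192.168.1.10.49152 > 10.1.1.5.161: udp 40
   6: 10:54:34.000000 10.1.1.5.161 > 192.168.1.10.49152: udp 60
   7: 10:54:35.000000 192.168.1.10.54323 > 10.1.1.5.443: S 222:222(0) win 8192 <mss 1460>
   8: 10:54:36.000000 10.1.1.5.33000 > 192.168.1.10.7000: S 333:333(0) win 8192 <mss 1460>
"""

# Matches "A.B.C.D.sport > E.F.G.H.dport: <first token>"; the first token is
# the TCP flag field ("S", "S.", ".") or the literal "udp".
PKT_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>\S+)"
)


def classify_flows(capture_text, inside_host):
    """Count connection initiations, split by which side started them.

    Returns {"inside": Counter, "outside": Counter}, each keyed by
    (proto, src_host, dst_host, dst_port). TCP is counted only on the bare
    SYN ("S"), never on SYN/ACK ("S.") or later packets. UDP has no
    handshake, so a packet whose reverse 4-tuple was already seen is a reply.
    """
    result = {"inside": Counter(), "outside": Counter()}
    udp_seen = set()
    for line in capture_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if rest == "udp":
            proto = "udp"
            if (dst, dport, src, sport) in udp_seen:
                continue  # reply to a UDP flow already counted
            udp_seen.add((src, sport, dst, dport))
        elif rest == "S":
            proto = "tcp"
        else:
            continue  # SYN/ACK, ACK or data: not a new connection
        side = "inside" if src == inside_host else "outside"
        result[side][(proto, src, dst, int(dport))] += 1
    return result


def acl_lines(flows, inside_acl="inside_in", outside_acl="outside_in"):
    """Turn observed initiations into narrow ACE lines (hypothetical ACL names).

    Inside-initiated flows belong on the inside interface ACL, outside-initiated
    flows on the outside interface ACL, replacing a test 'permit ip any any'.
    """
    lines = []
    for side, acl in (("inside", inside_acl), ("outside", outside_acl)):
        for proto, src, dst, dport in sorted(flows[side]):
            lines.append(
                f"access-list {acl} extended permit {proto} "
                f"host {src} host {dst} eq {dport}"
            )
    return lines


if __name__ == "__main__":
    flows = classify_flows(SAMPLE_CAPTURE, inside_host="192.168.1.10")
    for side in ("inside", "outside"):
        for (proto, src, dst, dport), n in sorted(flows[side].items()):
            print(f"{side}-initiated: {proto} {src} -> {dst}:{dport} ({n} new connections)")
    print("\n".join(acl_lines(flows)))
```

On the constructed capture the script reports three inside-initiated flows (tcp/443 twice, tcp/8443 and udp/161 once each) and one outside-initiated flow (tcp/7000), and prints the four ACEs. Ports seen only in SYN/ACK or ACK packets, such as the ephemeral 54321 on the inside host, never appear in the output, which is what keeps the generated entries narrow; a capture taken before the application has run through all of its functions will naturally miss ports it has not used yet.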
