06-25-2012 02:52 PM - edited 03-11-2019 04:22 PM
I have an ASA 5505 running 8.4.
I am only letting ICMP traffic in from the outside.
As a test, I opened a couple of ports I need on the ASA.
I cannot access these ports and I do not get a denied error in the log.
I contacted the ISP and they are not blocking these ports.
I ran an online port scanner to check ports 1-100 as a test. They all came up as blocked on the port scanner. The only deny error I got on the ASA was for port 80.
Is this normal behavior? If so, how do I get it to show all of the deny errors so I know the traffic is at least hitting the firewall?
06-25-2012 08:26 PM
Can you please share your config?
06-27-2012 02:31 AM
Hi,
Well, one very common mistake for me personally when starting with ASA software 8.3 onward was that I was still using the NAT IP address in the access-list configurations instead of the local IP.
Though if this was the problem in your case, you should see Deny log messages.
The easiest way to confirm whether the connections are coming to the ASA is to open the graphical GUI (ASDM) and check the real-time monitor there (using a filter if needed). The ASDM logging level needs to be at least "Informational" for the connection build and teardown messages to show.
The deny messages in the log should show at least with the "Notifications" logging level. But they naturally also show with the above-mentioned "Informational" level too.
Though, as Jennifer said, seeing your configuration would be the easiest way for us to determine what the problem is.
Here's a simple example (with made-up IP addresses) of a situation where you have a Static NAT for a LAN device and you want to open HTTP from the Internet:
object network STATIC-WEBSERVER
 description Web-server
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.1 dns
access-list OUTSIDE-IN remark Open port TCP/80 for Web-server
access-list OUTSIDE-IN permit tcp any object STATIC-WEBSERVER eq www
OR
access-list OUTSIDE-IN remark Open port TCP/80 for Web-server
access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq www
access-group OUTSIDE-IN in interface outside
- Jouni
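As an added example (not part of Jouni's post), here is the ASA CLI a practitioner would use to answer the original question directly: first make sure deny and connection messages are actually logged, then check whether the port-scanner traffic reaches the outside interface at all. It assumes the same made-up addresses as the post above (web server 10.10.10.10, statically translated to 1.1.1.1 on the outside) and a constructed Internet source address of 203.0.113.5; the capture and packet-tracer names are arbitrary.

```text
! Added example, not from the original post. Assumes the made-up addresses
! used above: inside web server 10.10.10.10, mapped to 1.1.1.1 on outside.
!
! 1. Logging. Deny messages (%ASA-4-106023) need at least level 4/5;
!    connection build/teardown (302013/302014) needs level 6 (informational).
logging enable
logging timestamp
logging buffer-size 65536
logging buffered informational
logging asdm informational
!
! 2. Ask the ASA how it would treat an inbound SYN to the web server.
!    From outside you give the MAPPED address (1.1.1.1), the ASA untranslates
!    it and shows the NAT and ACL phases and the final drop reason, if any.
!    203.0.113.5 is a constructed Internet source address.
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 80 detailed
!
! 3. Check that the packets arrive at the outside interface at all. The
!    capture is taken before NAT, so match on the mapped address here too.
!    If it stays empty while the online scanner reports "blocked", the
!    traffic is being dropped upstream of the firewall, not by it.
capture OUTSIDE-HTTP interface outside match tcp any host 1.1.1.1 eq 80
show capture OUTSIDE-HTTP
no capture OUTSIDE-HTTP
!
! 4. Look for ACL denies in the local buffer.
show logging | include 106023
```

The useful distinction is between packets that reach the interface and are denied (the capture fills up and 106023 messages appear) and packets that never arrive (the capture stays empty, so no log message is possible regardless of logging level). Ports that show up in the capture but produce neither a deny nor a connection build are the ones worth re-checking against the NAT and access-list configuration.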