12-03-2014 09:17 AM - edited 03-11-2019 10:10 PM
Hi,
we are using 'asa 5515' appliances at two locations in our infrastructure, given below are the software and asdm versions of the asa's
first asa:
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
second asa:
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
When we perform an nmap scan (command used: 'nmap -sS -Pn <external ip>') on the external (outside) interface we are seeing TCP port 1720 open. I believe this is used for the control channel of the H.323 protocol. Except for the default traffic inspection service policy rules there is no other config related to H.323 on the firewall, so we are confused as to why this port is open on the external interface by default. I did not find any information about this (port 1720 being open by default) or how to disable this port in the ASA documentation or online forums. Is this a software bug? Does anyone here know about this and how to fix it?
thanks,
Sai.
12-03-2014 10:51 AM
Hi Sai,
If you are sure you don't have any other configuration apart from the default related to 1720, can you try telnet to that port from whatever interface it is showing open? Chances are nmap may not be working properly.
HTH
Thanks
Murali
12-03-2014 11:00 AM
Hi Murali,
I did try telnet and it works without issues, sorry I forgot to mention that earlier.
thanks,
Sai.
12-03-2014 11:36 AM
Okay, that's interesting! Can you post a packet-tracer output and the relevant config if possible? As you know, it's difficult to check with limited information.
Thank you
Murali
12-03-2014 03:02 PM
# packet-tracer input outside1 tcp 70.215.83.16 15000 50.200.2xx.xxx 1720
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 50.200.2xx.xxx 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
packet-tracer is saying the flow is denied, but below is the telnet output:
# telnet 50.200.2xx.xx 1720
Trying 50.200.2xx.xx...
Connected to 50.200.2xx.xxx.
Escape character is '^]'.
The only settings related to H.323 in the running config are:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect h323 h225
inspect h323 ras
!
service-policy global_policy global
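A check that goes one step further than the telnet test in the thread, added here as an example and not part of any post above. A SYN scan (nmap -sS) reports "open" as soon as it sees a SYN/ACK, and telnet prints "Connected" as soon as the handshake completes; neither tells you whether anything behind the interface will actually talk to you. Sending a small payload after connecting and classifying what comes back (data, silence, or an immediate close) separates a real listener from a device that only answers the handshake. The script also starts three throw-away local services that imitate those behaviours so it can be run offline; the target address and payload are assumptions, and the loopback services are constructed for illustration.

```python
"""Probe a TCP port past the handshake and classify the behaviour.

Added example, not code from the original thread. Assumed values:
the target IP (the ASA outside address in the thread is redacted),
the probe payload, and the loopback services used for the demo.
"""
import socket
import socketserver
import threading
import time


def probe_port(host, port, payload=b"\r\n", timeout=2.0):
    """Classify how host:port behaves beyond the TCP handshake.

    Returns one of:
      'refused'     - RST in answer to our SYN, nothing listening
      'filtered'    - no answer within the timeout (dropped or unreachable)
      'open-data'   - handshake completed and the peer sent bytes back
      'open-silent' - handshake completed, payload accepted, no reply
      'open-closed' - handshake completed, then the peer closed (FIN or RST)
    The last three all look identical to 'nmap -sS' and to telnet: both
    stop at the handshake, which is exactly the ambiguity in the thread.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"
    with sock:
        try:
            sock.sendall(payload)
            data = sock.recv(1024)          # b"" means the peer sent FIN
        except (ConnectionResetError, BrokenPipeError):
            return "open-closed"            # RST after the handshake
        except socket.timeout:
            return "open-silent"
    return "open-data" if data else "open-closed"


# --- constructed loopback services so the probe can be exercised offline ---

def start_local_service(behaviour):
    """Start a disposable TCP service on 127.0.0.1 imitating one behaviour:
    'echo' replies with what it received, 'silent' reads and then hangs,
    'close' reads and hangs up without replying.
    Returns (port, server); call server.shutdown() when finished."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            received = self.request.recv(1024)
            if behaviour == "echo":
                self.request.sendall(received)
            elif behaviour == "silent":
                time.sleep(3)               # outlive the probe's timeout
            # 'close': returning here makes the server send FIN

    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def unused_local_port():
    """Pick a loopback port nothing is listening on (the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real firewall you would run, for example:
    #   probe_port("<outside-ip>", 1720)          # assumed target
    # Here we only show the three loopback imitations and a closed port.
    for kind in ("echo", "silent", "close"):
        port, srv = start_local_service(kind)
        print(f"{kind:6s} -> {probe_port('127.0.0.1', port, timeout=0.5)}")
        srv.shutdown()
    print(f"closed -> {probe_port('127.0.0.1', unused_local_port())}")
```

If the outside interface comes back as 'open-closed' or 'open-silent' for 1720 while packet-tracer reports an ACL drop for the same flow, that is consistent with the handshake being answered before the ACL is consulted rather than with a service listening behind the firewall; 'open-data' would mean something is actually talking H.225 or at least answering on that port. Either way the result is worth attaching to a TAC case alongside the packet-tracer output.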