ASA find out allowed ports

Kashish_Patel
Level 2

Hi Security Experts,

Is there a way we can find out on what all ports the Cisco ASA is allowing/dropping connections between two hosts (each host on a different interface on the firewall)? I am interested in finding out what all requests come from one host (destined towards the other) and on what ports. What did the ASA allow and what did it drop? Is there some easy way to do this? I think we can do it using an ACL, but I don't want to go down that path.

Please let me know if there is some better way to do this.

Thanks,

Kashish

4 Replies

You can use the packet-tracer command to find out which ports are enabled/disabled.

That is not very scalable and I don't want to run packet-tracer for a whole bunch of ports.

Is there any other better way?

Capture through the ASA is the only method you can go for to meet your detailed and specific requirement.

Syntax would be:

access-list capture1 extended permit ip source destination

access-list capture2 extended permit ip destination source

capture capi1 access-list capture1 interface (Interface in which traffic entering)

capture capi2 access-list capture2 interface (Interface from which traffic leaving)

Please rate this if you find it helpful !!
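Added example (not from any reply in this thread): once the ASA is sending syslog, the same per-port allow/deny picture between two hosts can be read out of the connection-built (302013/302015) and access-group deny (106023) messages rather than port by port. The addresses, interface names and log lines below are constructed placeholders.

```python
import re

# Constructed sample ASA syslog lines (placeholder addresses, not from the thread):
# inside host 192.168.1.10 talking to outside host 10.1.1.5.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:10.1.1.5/443 (10.1.1.5/443) to inside:192.168.1.10/51234 (192.168.1.10/51234)
%ASA-6-302015: Built outbound UDP connection 1002 for outside:10.1.1.5/53 (10.1.1.5/53) to inside:192.168.1.10/51235 (192.168.1.10/51235)
%ASA-4-106023: Deny tcp src inside:192.168.1.10/51236 dst outside:10.1.1.5/23 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.10/51237 dst outside:10.1.1.5/3389 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1003 for outside:10.9.9.9/80 (10.9.9.9/80) to inside:192.168.1.10/51238 (192.168.1.10/51238)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:10.1.1.5/40000 (10.1.1.5/40000) to inside:192.168.1.10/22 (192.168.1.10/22)
"""

# 302013/302015: "Built <inbound|outbound> TCP|UDP connection <id> for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)"
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for \w+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([^)]*\)"
    r" to \w+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+)")
# 106023: "Deny tcp|udp src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src_ip>[\d.]+)/\d+"
    r" dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")

def summarize(log_text, client_ip, server_ip):
    """Return the destination ports the ASA allowed and denied from client_ip to server_ip."""
    allowed, denied = set(), set()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            # For "outbound" the first endpoint is the server (lower-security side);
            # for "inbound" the first endpoint is the client.
            if m["dir"] == "outbound":
                srv_ip, srv_port, cli_ip = m["a_ip"], m["a_port"], m["b_ip"]
            else:
                srv_ip, srv_port, cli_ip = m["b_ip"], m["b_port"], m["a_ip"]
            if cli_ip == client_ip and srv_ip == server_ip:
                allowed.add((m["proto"].lower(), int(srv_port)))
            continue
        m = DENY_RE.search(line)
        if m and m["src_ip"] == client_ip and m["dst_ip"] == server_ip:
            denied.add((m["proto"], int(m["dst_port"])))
    return {"allowed": sorted(allowed), "denied": sorted(denied)}

if __name__ == "__main__":
    for kind, ports in summarize(SAMPLE_LOG, "192.168.1.10", "10.1.1.5").items():
        print(kind, ", ".join(f"{proto}/{port}" for proto, port in ports))
```

Only denies that the ASA actually logs show up, so the access-group in question needs logging enabled for the picture to be complete.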

Why don't you use a scanning tool, like Nmap for example, from the client IP address you want to test to the destination address?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC