ASA5506 - how to close TCP port 5060

train_wreck
Level 1

Hello. With the "stock" settings on an ASA5506 (firmware 9.8.2), I have noticed that there is an open TCP port 5060 on the WAN interface when I scan it using NMAP or any other network scanner. I see that this is usually used for the SIP protocol.

 

I am not using SIP on this ASA. How do I disable this port? I tried setting an access-list inbound on the WAN interface to "deny tcp any any eq 5060", but this does not work. The port is still open.

4 Replies

balaji.bandi
Hall of Fame

Post the configuration to have a look.

On the other hand, you have mentioned an outbound ACL; is SIP initiation from internal working, is this correct?

Then you require an ACL on the inside also.

After applying the ACL, try "clear conn" and, if NAT is in place, try "clear xlate". (Bear in mind this clears all the connections; if you know the target IP you can clear only that.)

 

BB


train_wreck

@balaji.bandi wrote:

Post the configuration to have a look.

On the other hand, you have mentioned an outbound ACL; is SIP initiation from internal working, is this correct?

Then you require an ACL on the inside also.

After applying the ACL, try "clear conn" and, if NAT is in place, try "clear xlate". (Bear in mind this clears all the connections; if you know the target IP you can clear only that.)


???

 

I do not understand how I was unclear. I did NOT mention outbound ACL at all, and specifically mentioned INBOUND ACL on the WAN interface, using the stock configuration. This means an IP address setting of DHCP and security level of 0 on interface g1/1 (named "outside"), an IP address of 192.168.1.1/24 and security level of 100 on interface g1/2 (and named "inside_1"). I also specifically said I do not require SIP features whatsoever, so your question of whether SIP initiation is working is irrelevant and confusing. I have no SIP hardware or software on this network, and thus do not have a way to test this, nor do I want to.

 

If you really require the whole config posted I can do that, but like I said this problem is occurring with the stock, out-of-the-box configuration on the ASA. I have made zero changes to it, apart from the INBOUND ACL applied to the g1/1 interface in an attempt to block the SIP port.

 

After I applied the ACL, I did a "write mem" and rebooted the device. The problem remains.

Marvin Rhoads

I have seen this with scanners and suspect it is a false positive. Here's one possible reason why:

https://security.stackexchange.com/questions/182422/connection-to-ports-2000-and-5060-successful-despite-filtering

I'd check the ASA itself for listening ports with "show asp table sockets".

FYI any ASA ACL applied to an interface affects traffic through the device, not traffic to the device (i.e. to the interface address). There is a special control plane ACL type for traffic to the device itself.


train_wreck

@Marvin Rhoads wrote:

I have seen this with scanners and suspect it is a false positive. Here's one possible reason why:

https://security.stackexchange.com/questions/182422/connection-to-ports-2000-and-5060-successful-despite-filtering

I'd check the ASA itself for listening ports with "show asp table sockets".


Shows nothing related to SIP, only TCP 22 & 443 on the inside interface addresses as expected.


@Marvin Rhoads wrote:

FYI any ASA ACL applied to an interface affects traffic through the device, not traffic to the device (i.e. to the interface address). There is a special control plane ACL type for traffic to the device itself.


Good to know, thanks for the information.
