Cisco Access list using source ports rather than destination ports

ohareka70 (Level 3)

Can I lock a Cisco ASA 5585 firewall access list down to use 'service ports' rather than destination ports? The reason I ask is that we are trying to configure SharePoint 2013 in our firewall rules for the DMZ. It uses tcp/135 and tcp/53, but it also uses a port range of tcp/49000-55000. The server team say they can lock the server down to tcp/50000-50500, and I have created a service port object. But SharePoint is down because, even though the source port shows up in the logs, the firewall only appears to use destination ports. Is that correct? Maybe the firewall will only ever work on the destination port?

Thanks, Kevin

Accepted Solution

Hi Kevin,

Yes, you could define the source port in an ASA ACL, but generally people do not, as the source port is usually a random port (> 1024 and <= 65,535). The destination port of the server would usually be the same. So in a firewall rule you would normally specify "any" source and only the defined destination ports.

If you upload your ACL and the error you receive, we can have a look and advise further.

HTH

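As an added illustration of the answer above (not part of the original thread), here is how the two forms of an ASA extended ACE differ: a service object-group or port operator placed after the destination address matches the destination port, while the same operator placed after the source address matches the source port. The server address 10.1.1.10, the client address 203.0.113.5, and the interface and object names are assumptions for illustration.

```text
! Constructed example, not from the thread. Addresses, object names and
! interface names are assumptions chosen for illustration.
!
! The SharePoint server in the DMZ (assumed address 10.1.1.10) listens on
! tcp/135 and on the narrowed dynamic range tcp/50000-50500.
object-group service SP-RPC tcp
 port-object eq 135
 port-object range 50000 50500

! Normal form: "any" source, ports matched on the DESTINATION side.
! The service object-group after the destination address is the
! destination-port argument.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 object-group SP-RPC

! Source-port form (rarely wanted): the same object-group placed after the
! SOURCE address matches the connection's source port instead. The inline
! operator form is equivalent:
!   access-list SERVER_OUT extended permit tcp host 10.1.1.10 range 50000 50500 any
access-list SERVER_OUT extended permit tcp host 10.1.1.10 object-group SP-RPC any

! Apply the ACLs to the inbound direction of each interface.
access-group OUTSIDE_IN in interface outside
access-group SERVER_OUT in interface dmz

! Check: the hit counter on each ACE shows which line traffic is matching.
! A (hitcnt=0) on the destination-port ACE while flows are being denied
! means the ports are being matched on the wrong side.
show access-list OUTSIDE_IN

! Check: simulate a client connection from an ephemeral source port (51000)
! to tcp/135 on the server and see which ACE permits or drops it.
packet-tracer input outside tcp 203.0.113.5 51000 10.1.1.10 135
```

packet-tracer reports the exact ACE that permits or drops the simulated flow, so it is the quickest way to confirm whether a rule is matching on the source or the destination side before turning to the syslog.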

