05-09-2018 08:14 AM - edited 02-21-2020 07:44 AM
Can I lock a Cisco ASA 5585 firewall access list down to use 'service ports' rather than destination ports? The reason I ask is that we are trying to configure SharePoint 2013 in our firewall rules for the DMZ. It uses tcp/135 and tcp/53, but it also uses a port range of tcp/49000 - 55000. The server team say they can lock the server down to tcp/50000-50500 and I have created a service port object. But SharePoint is down because, even though the source port shows up in the logs, the firewall only appears to use destination ports. Is that correct? Maybe the firewall will only ever work on the destination port?
Thanks, Kevin
05-09-2018 10:17 AM
Hi Kevin,
Yes, you could define the source port in an ASA ACL, but generally people do not, as the source port is usually a random port (> 1024 and <= 65,535). The destination port of the server would usually always be the same. So in a firewall rule you would normally specify "any" source and only the defined destination ports.
If you upload your ACL and the error you receive, we can have a look and advise further.
HTH
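To show the syntax the answer refers to, here is an added, constructed ASA configuration fragment (not the poster's or the answerer's own config): the usual destination-port-only ACE, the same ACE with the client's source port restricted to the tcp/50000-50500 range, the equivalent written with a service object, and a destination-range ACE for the case where the range is what the server listens on. All addresses, object names and the interface name are placeholders.

```text
! Constructed example; 198.51.100.0/24 = internal clients, 192.0.2.0/24 = DMZ
! SharePoint servers, "inside" = interface the ACL is applied to (all assumed).
!
! 1) Typical ACE: any source port, fixed destination port (tcp/135).
access-list INSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 135
!
! 2) Same flow, but only when the client's SOURCE port is in 50000-50500.
!    The source-port operator follows the source address; the destination-port
!    operator follows the destination address.
access-list INSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 range 50000 50500 192.0.2.0 255.255.255.0 eq 135
!
! 3) Same match expressed with a service object carrying both ends' ports.
object service SHAREPOINT_RPC_SRC
 service tcp source range 50000 50500 destination eq 135
access-list INSIDE_IN extended permit object SHAREPOINT_RPC_SRC 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
!
! 4) If 50000-50500 is the range the SERVER listens on, it is a destination
!    range and belongs on the destination side, with any source port.
access-list INSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 range 50000 50500
!
access-group INSIDE_IN in interface inside
!
! Check: per-ACE hit counts show which line the SharePoint traffic is matching.
show access-list INSIDE_IN
```

Because clients pick their source ports, ACE 2 and 3 only pass traffic if the client end really is pinned to that range; compare the hit counts against the source and destination ports seen in the logs to tell which side the range is on.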