Cisco ASA ACL built-in port name to number mapping?

michael.whittle
Level 1

Hi,

I've developed a Perl REST API to process large Cisco ASA ACLs and find out if there is an existing rule to permit traffic. You may say why not use packet tracer or the ASDM, but packet tracer doesn't work on transit interfaces as it can't classify the traffic, and ASDM isn't an option as this script I'm writing needs to execute commands from the command line.

Well-known ports are automatically translated into a name. So TCP 443 will show as "https", for example. My API takes in the protocol port as a number as an input. I'm trying to find a way to convert the number into the name you will see in an ACL without manually mapping them out based on the ones I already know. Does anyone know if there is a show command to show the port name to number mappings, or maybe a URL with a comprehensive list of the built-in mappings? I've been trawling the web looking for this and I haven't had much luck finding it.

Thanks in advance.

Regards,

Mike


varrao
Level 10

Hi Michael,

You can use this site for name to port number mapping for your script:

http://www.iana.org/assignments/port-numbers

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for the reply. I'm very familiar with the IANA site. It doesn't look like Cisco have used that though. I have checked already. Take TCP 1522 for example... if I'm not mistaken that's "sqlnet" on an ASA. This is what IANA says:

ricardo-lm      1522/tcp    Ricardo North America License Manager
ricardo-lm      1522/udp    Ricardo North America License Manager

ricardo-lm???

Regards,

Mike

I am not really sure if there is any documentation that would tell us what names the port numbers would be converted to. Does it just give you the option for port number, or provide you the names as well, when you do a '?' after the eq command? I do not have access to my firewall as of now, so I wouldn't be able to test.

-Varun

Thanks,
Varun Rao

Hi Mike,

This morning I had access to my firewall, and these port numbers would be changed to names on the ASA:

  aol  bgp  chargen  cifs  citrix-ica  cmd  ctiqbe  daytime  discard  domain
  echo  exec  finger  ftp  ftp-data  gopher  h323  hostname  http  https
  ident  imap4  irc  kerberos  klogin  kshell  ldap  ldaps  login  lotusnotes
  lpd  netbios-ssn  nfs  nntp  pcanywhere-data  pim-auto-rp  pop2  pop3  pptp
  rsh  rtsp  sip  smtp  sqlnet  ssh  sunrpc  tacacs  talk  telnet  uucp  whois  www

I hope this was the info you were looking for.

Thanks,

Varun

Thanks,
Varun Rao

Thanks again Varun, but I've looked at this as well. It shows the name but not what the port is to display that name. There are some obvious ones there, but others seem a little obscure and I don't want to have to go and look each one up.

I was already verifying it when you posted. Here is the list:

  aol                5120
  bgp                179
  chargen            19
  cifs               3020
  citrix-ica         1494
  cmd                514
  ctiqbe             2748
  daytime            13
  discard            9
  domain             53
  echo               7
  exec               512
  finger             79
  ftp                21
  ftp-data           20
  gopher             70
  h323               1720
  hostname           101
  http               80
  https              443
  ident              113
  imap4              143
  irc                194
  kerberos           88
  klogin             543
  kshell             544
  ldap               389
  ldaps              636
  login              513
  lotusnotes         1352
  lpd                515
  netbios-ssn        139
  nfs                2049
  nntp               119
  pcanywhere-data    5631
  pim-auto-rp        496
  pop2               109
  pop3               110
  pptp               1723
  rsh                514
  rtsp               554
  sip                5060
  smtp               25
  sqlnet             1522
  ssh                22
  sunrpc             111
  tacacs             49
  talk               517
  telnet             23
  uucp               540
  whois              43
  www                80

I hope this helps you in your script, but be aware that these are the port number to name mappings as per ASA only. Do let me know if your query is answered.

Thanks,

Varun

Thanks,
Varun Rao

Thanks a lot.

Hi, is there a way to disable this automatic translation from number to name?

The mapping for sqlnet seems to be incorrect. It is 1521, not 1522:

ciscoasa(config)# access-list test extended permit tcp any any eq 1521
ciscoasa(config)# access-list test extended permit tcp any any eq 1522
ciscoasa(config)# show run access-list test
access-list test extended permit tcp any any eq sqlnet
access-list test extended permit tcp any any eq 1522
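An added example (not code from this thread, and in Python rather than the poster's Perl) of the check the question describes. Because one number can map to several ASA names (80 is both http and www, 514 both cmd and rsh), it canonicalizes the tokens in each "show run access-list" line to numbers instead of converting the query number to a name, and it evaluates lines in first-match order. The table follows the accepted list above, except sqlnet, where the CLI transcript just shown renders "eq 1521" as sqlnet; only the "any any eq/range" rule shape from that transcript is parsed, and the sample rules are constructed.

```python
import re

# ASA built-in port names -> numbers, from the list posted in this thread.
# sqlnet follows the CLI transcript in the thread, where "eq 1521" is shown as sqlnet.
ASA_PORT_NAMES = {
    "aol": 5120, "bgp": 179, "chargen": 19, "cifs": 3020, "citrix-ica": 1494, "cmd": 514,
    "ctiqbe": 2748, "daytime": 13, "discard": 9, "domain": 53, "echo": 7, "exec": 512,
    "finger": 79, "ftp": 21, "ftp-data": 20, "gopher": 70, "h323": 1720, "hostname": 101,
    "http": 80, "https": 443, "ident": 113, "imap4": 143, "irc": 194, "kerberos": 88,
    "klogin": 543, "kshell": 544, "ldap": 389, "ldaps": 636, "login": 513, "lotusnotes": 1352,
    "lpd": 515, "netbios-ssn": 139, "nfs": 2049, "nntp": 119, "pcanywhere-data": 5631,
    "pim-auto-rp": 496, "pop2": 109, "pop3": 110, "pptp": 1723, "rsh": 514, "rtsp": 554,
    "sip": 5060, "smtp": 25, "sqlnet": 1521, "ssh": 22, "sunrpc": 111, "tacacs": 49,
    "talk": 517, "telnet": 23, "uucp": 540, "whois": 43, "www": 80,
}
def number_to_names(number):
    """Every ASA name for a number; 80 and 514 each come back with two names."""
    return sorted(n for n, p in ASA_PORT_NAMES.items() if p == number)
def port_to_number(token):
    """Canonicalize an ACL port token (ASA name or digits) to an int."""
    if token.isdigit():
        return int(token)
    if token not in ASA_PORT_NAMES:
        raise ValueError(f"unknown ASA port token: {token}")
    return ASA_PORT_NAMES[token]
# Rule shape from the transcript in this thread ("any any eq PORT"), plus "range LO HI".
RULE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)"
    r"\s+any\s+any\s+(?:eq\s+(?P<eq>\S+)|range\s+(?P<lo>\S+)\s+(?P<hi>\S+))\s*$")
def first_match(rules, proto, port):
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny."""
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m or m.group("proto") != proto:
            continue
        if m.group("eq") is not None:
            hit = port_to_number(m.group("eq")) == port
        else:
            hit = port_to_number(m.group("lo")) <= port <= port_to_number(m.group("hi"))
        if hit:
            return m.group("action")
    return None

# Constructed sample: the two lines from the transcript plus a deny and a range line.
SAMPLE_RULES = [
    "access-list test extended permit tcp any any eq sqlnet",
    "access-list test extended permit tcp any any eq 1522",
    "access-list test extended deny tcp any any eq www",
    "access-list test extended permit tcp any any range 8000 8010",
]
```

Lines with hosts, networks or object-groups in the source/destination fields do not match RULE_RE and are skipped, so extend the pattern before running this over a production ACL.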


Anton K.
Cisco Employee

Found this documentation on protocols and ports - http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ref-ports.html#ID-2120-000002b8.

HTH.
