Closing Unused ports on my ASA

tech_king
Level 1

I just ran a portscan on my ASA firewall and noticed that the ports listed below are open on my outside interface. My problem is that I am not using any of these ports and have no firewall rules permitting them. Any ideas on how to close them?

2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
8080/tcp open   http-proxy


4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

You can configure an access list on the outside interface of the ASA denying traffic on these ports from any source.

For example:

access-list out deny tcp any any eq 2000
access-list out deny tcp any any eq 5060

In case you need services for any other host, you need to create a permit statement above these deny statements.

Regards,

Aditya

Please rate helpful and mark correct answers

johnd2310
Level 8

Hi,

What ASA firewall software version are you running?

Usually, you deny traffic destined to the firewall by creating an access-list and applying the access list using the access-group command with the control-plane keyword.

e.g.

access-list HOST_FIREWALL extended deny ip any any log
access-group HOST_FIREWALL in interface OUTSIDE control-plane

If you have any services running on the firewall, like VPN, then you will need to allow the appropriate ports in your access-list.

Thanks

John

**Please rate posts you find helpful**

Marvin Rhoads
Hall of Fame

Make sure you don't have phone proxy configured. Those ports would be used by something like that.

Also check that it is not a false positive from your scanning tool. If you go into the ASA CLI and type:

show asp table socket

...you will get a listing of the open ports (both listening and established connections). On mine I only see SSH and SSL (tcp/22 and tcp/443) open.

Are you running your tests from within a firewalled network? Repeat the test from a PC that is directly connected to the internet without any additional firewall. The results can vary.
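The check Marvin describes, as an added example that is not part of the thread: parse the output of "show asp table socket" and report any listening sockets that are not on an expected allow-list (here tcp/22 and tcp/443). The sample output is constructed; its column layout follows the real command, but the addresses and socket ids are made up.

```python
# Added example: audit the ASA "show asp table socket" output for listening
# sockets that the admin does not expect on the outside interface.
# SAMPLE_ASP_SOCKET_OUTPUT is constructed for illustration only.
SAMPLE_ASP_SOCKET_OUTPUT = """\
Protocol  Socket    State      Local Address                Foreign Address
SSL       000b8b0f  LISTEN     203.0.113.2:443              0.0.0.0:*
TCP       000b9d1f  LISTEN     203.0.113.2:22               0.0.0.0:*
TCP       000c11ab  LISTEN     203.0.113.2:5060             0.0.0.0:*
TCP       000cab2f  ESTAB      203.0.113.2:22               198.51.100.7:51522
"""

# Ports the admin expects the ASA itself to listen on (SSH and SSL),
# matching what Marvin reports seeing on his own unit.
EXPECTED_LISTENING = {22, 443}


def parse_listening_sockets(output):
    """Return a sorted list of (protocol, local_ip, port) for LISTEN sockets."""
    listening = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Protocol":
            continue  # skip the header and blank lines
        proto, _sock, state, local, _foreign = fields[:5]
        if state != "LISTEN":
            continue  # established connections are not open services
        ip, _, port = local.rpartition(":")  # split "ip:port" on the last colon
        listening.append((proto, ip, int(port)))
    return sorted(listening)


def unexpected_listeners(output, expected=EXPECTED_LISTENING):
    """Listening ports that are not in the expected allow-list."""
    ports = {port for _proto, _ip, port in parse_listening_sockets(output)}
    return sorted(ports - set(expected))


if __name__ == "__main__":
    for proto, ip, port in parse_listening_sockets(SAMPLE_ASP_SOCKET_OUTPUT):
        print(f"{proto:4} {ip}:{port} LISTEN")
    extra = unexpected_listeners(SAMPLE_ASP_SOCKET_OUTPUT)
    print("unexpected listening ports:", extra or "none")
```

Paste the real command output into the script in place of the sample; a port that shows up here but not in the control-plane access-list is the one worth chasing (phone proxy, as noted above, is a common cause for 2000 and 5060).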
