Firewall access rule question regarding TCP

Eric Washington
Level 1

I found the following rule on an ASA:

Source        Destination   Service

Marketing    any                 tcp

Does this mean that marketing can access any tcp service since it doesn't specify one (http-80 or https-443 for example)?

When I move the mouse over it I see it says tcp (6). So is 6 the port and what exactly does this allow?

If my question sounds completely ridiculous just blame it on me being a rookie. Thanks in advance!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I guess the rule must be from ASDM?

It would seem to me that the "Marketing" might be some "object-group" that defines several addresses or subnets/networks.

So it seems that will allow all TCP connections through the interface where that rule is attached, from the networks/addresses mentioned in "Marketing".

Though there are naturally more things that factor into where the hosts can actually connect. Lacking some NAT configuration, or having some NAT configuration, might mean that even though everything is permitted, they still wouldn't go through. Naturally routing etc. might play some part also.

The tcp (6) you see when hovering your mouse pointer over the section just tells you that we are talking about TCP. The number refers to the TCP protocol number, which is 6. UDP would be 17.

You can check the listing here:

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

Hope this helps

Please mark correct replies as the correct answer and/or rate helpful answers.

Naturally ask more if needed

- Jouni


Eric Washington

Hello Jouni!

Yes I am using ASDM and marketing is a network object group with six network objects.

So if I understand you correctly, that rule will allow all TCP connections unless there is a NAT rule preventing it?

Thanks for your help!

Jouni Forss

Hi,

I might have just complicated things by mentioning NAT and routing.

In general the interface ACL should be the "only" thing on your ASA that controls the traffic.

Why I mentioned NAT was simply due to the fact that in some cases, even if you had allowed some traffic, if you LACKED a certain NAT configuration the connection could still fail.

In most cases when we are talking about ASA interfaces and local LAN networks there is no NAT configuration between these networks. So the ACL should most of the time be the only thing that controls access between different interfaces of the ASA.

- Jouni
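The two points made in the replies above (a TCP rule with no port permits every TCP port, and the "(6)" is the IANA protocol number rather than a port) are the kind of thing worth checking across a whole ASA configuration rather than one rule at a time. Below is an added example, written for this thread and not code from the original posts, from Cisco, or from ASDM: a small Python parser for ASA extended access-list lines that flags any permit whose destination port is left unspecified, and maps a numeric protocol such as 6 back to its name. The configuration text inside the block is constructed for illustration; the ACL name "inside_access_in", the addresses, and the contents of the Marketing object-group are assumptions, and the parser assumes service object-groups only appear after the destination, which is how ASDM writes this style of rule.

```python
"""Audit Cisco ASA access-list lines for protocol-only permits.

Added example for the thread, not code from the original posts or from
Cisco. The config below is constructed for illustration; the ACL name
"inside_access_in" and the object-group contents are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers the thread mentions: the "(6)" shown by ASDM is the
# IP protocol field for TCP, not a port. UDP is 17.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
NAME_BY_NUMBER = {num: name for name, num in PROTOCOL_NUMBERS.items()}
PORT_OPERATORS = ("eq", "neq", "gt", "lt", "range")

# Constructed sample configuration (not from the thread). Only the first ACE
# reproduces the rule asked about: TCP from Marketing to anywhere, no port.
SAMPLE_CONFIG = """\
object-group network Marketing
 network-object 10.10.1.0 255.255.255.0
 network-object 10.10.2.0 255.255.255.0
access-list inside_access_in extended permit tcp object-group Marketing any
access-list inside_access_in extended permit tcp object-group Marketing any eq 443
access-list inside_access_in extended permit udp object-group Marketing host 10.0.0.53 eq domain
access-list inside_access_in extended permit 6 host 10.10.3.7 any range 8000 8080
access-list inside_access_in extended deny ip any any
"""


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str             # normalised name; a numeric "6" becomes "tcp"
    source: str
    destination: str
    dst_ports: Optional[str]  # None means every port of that protocol


def _take_address(tokens, i):
    """Consume one ASA address specifier starting at tokens[i]."""
    t = tokens[i]
    if t in ("any", "any4", "any6") or "/" in t:   # keyword or IPv6 prefix
        return t, i + 1
    # host X, object X, object-group X, interface X, or "addr netmask"
    return f"{t} {tokens[i + 1]}", i + 2


def _take_ports(tokens, i):
    """Consume a port operator if present; otherwise report None."""
    if i >= len(tokens):
        return None, i
    t = tokens[i]
    if t == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    if t in PORT_OPERATORS or t == "object-group":   # service object-group
        return f"{t} {tokens[i + 1]}", i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [PORT] DST [PORT]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "access-list" or "extended" not in tokens:
        return None
    k = tokens.index("extended")
    if k < 2 or tokens[k + 1] not in ("permit", "deny"):
        return None
    proto = tokens[k + 2]
    if proto.isdigit():   # protocol given by its IANA number
        proto = NAME_BY_NUMBER.get(int(proto), proto)
    i = k + 3
    src, i = _take_address(tokens, i)
    # Optional source-port operator. An object-group right after the source is
    # taken as the destination network, as in the ASDM-generated rule from the
    # thread (assumption: service groups only appear after the destination).
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        _, i = _take_ports(tokens, i)
    dst, i = _take_address(tokens, i)
    ports, _ = _take_ports(tokens, i)
    return Ace(tokens[1], tokens[k + 1], proto, src, dst, ports)


def audit(config_text):
    """Return (acl, source, destination, what_is_open) for every broad permit."""
    findings = []
    for raw in config_text.splitlines():
        ace = parse_ace(raw.strip())
        if ace is None or ace.action != "permit":
            continue
        if ace.protocol == "ip":
            findings.append((ace.acl, ace.source, ace.destination,
                             "every IP protocol and every port"))
        elif ace.protocol in ("tcp", "udp") and ace.dst_ports is None:
            number = PROTOCOL_NUMBERS[ace.protocol]
            findings.append((ace.acl, ace.source, ace.destination,
                             f"every {ace.protocol} port (protocol {number})"))
    return findings


if __name__ == "__main__":
    for acl, src, dst, what in audit(SAMPLE_CONFIG):
        print(f"{acl}: {src} -> {dst} opens {what}")
```

Run against the sample, only the first ACE is reported: the rules with `eq 443`, `eq domain` or `range 8000 8080` are port-restricted, and the line written with `6` instead of `tcp` is recognised as the same protocol. As the second reply notes, a permit in the interface ACL is the main control but not the only one; this check only tells you what the ACL allows, not whether NAT or routing will actually carry the connection.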
