How to determine if ASA is blocking Traffic or not?

mahesh18
Level 6

Hi everyone,

I am supporting an ASA in a client office. I am new to the ASA world.

Users mostly ask me to check whether the ASA is allowing a specific port or not.

I do not know how I can check that.

Is there any way I can determine whether the ASA is blocking a port or not?

If the ASA is blocking a port, what steps do I need to take to allow the specific port through the ASA?

regards

mahesh

6 Replies

This is very simple,

Do a telnet test, for example:

go to the command prompt

telnet <destination ip address> <port no>

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Dear Mahesh,

Sometimes the port may not be enabled on the server itself; in that scenario you will not be able to telnet from the source. Hence you should first telnet from an IP in the same server segment, because there may be no firewall within the same server segment. If you are able to telnet from an IP in the same server segment, then the server side is OK.

Now, if you are also able to telnet from the source machine, then the port is OK from the server side and the ASA is allowing the traffic.

If you are testing from the client machine and you are unable to telnet, then the ASA is not allowing the traffic and there is no issue from the server side.

If you are not able to telnet from the same server IP series itself, then the port is not enabled on the server itself.

Please rate if the information provided is helpful.

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
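As an added example (not part of the thread), the telnet test above as a Python function, plus the two-probe decision logic of this post as code. It also distinguishes a timeout from an active refusal, which the post does not mention: an ASA access-list deny drops the SYN silently, whereas a reachable host with nothing listening answers with RST. It assumes Python 3 and a working loopback interface for the offline self-check.

```python
import socket
from typing import Literal, Tuple

# Outcome of one TCP connect attempt. An ASA access-list deny drops the SYN
# silently, so a blocked port normally shows as "timeout"; a reachable host
# with nothing listening answers with RST and shows as "refused".
Probe = Literal["open", "timeout", "refused", "error"]

def tcp_probe(host: str, port: int, timeout: float = 3.0) -> Probe:
    """Equivalent of `telnet host port`: does the TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # no route, name resolution failure, host unreachable ...
        return "error"

def classify(server_segment: Probe, client: Probe) -> str:
    """Thanveer's decision table: probe once from the server's own segment
    (no firewall in the path) and once from the client's location."""
    if server_segment != "open":
        return "port not enabled on the server itself; the ASA is not the cause"
    if client == "open":
        return "server OK and ASA allowing the traffic"
    if client == "timeout":
        return "server OK but traffic silently dropped in the path; check the ASA ACL/NAT"
    return "server OK but client attempt actively rejected; check host firewalls or routing before the ASA"

def self_check() -> Tuple[Probe, Probe]:
    """Offline demonstration: probe a constructed loopback listener, then the
    same port once the listener is gone (expected: ("open", "refused"))."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # constructed local listener on an ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port)
    srv.close()
    after_close = tcp_probe("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    seg, cli = self_check()
    print(seg, cli, "->", classify(seg, cli))
```

Against a real server, call tcp_probe twice (once from a host in the server's segment, once from the client) and feed both results to classify; a "timeout" on the client side is the case where the packet-tracer command further down the thread pinpoints the dropping rule.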

Hi Thanveer,

Many thanks for reply.

Regards

Mahesh

Julio Carvajal
VIP Alumni

Hello Mahesh,

Run a scan using Nmap or any other scanning tool.

If the port is being blocked, just create the proper ACL changes to make it work; NAT might be required as well.

Any other question? Sure. Just remember to rate all of the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mathieupoussin
Level 1

Use the packet-tracer command on the firewall, like this:

packet-tracer input scr-inside tcp 192.168.3.67 9999 8.8.8.8 80

(scr-inside = input interface), then source IP/port and destination IP/port

Nice command, Mathieu.

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
