07-22-2015 12:46 AM - edited 03-11-2019 11:18 PM
Hello Guys
I need to identify ports between two PCs so that I can lock them down via ACL on ASA5512-x. The problem is: how do I know what ports should be allowed and what should be denied?
I am aware of 'netstat', but does it mean every single port on netstat needs to be opened?
Thanks
07-22-2015 01:06 AM
Your application-support-team should be able to tell you which ports the PCs need. In reality, they typically don't know.
One way to find out is to start with a "deny ip any any" and wait for the complaints. Then add the needed ACEs for communication that is desired.
Or start with an ACL that allows all, but also logs the traffic. There you can identify what is done by the PC, and allow all that is needed. After some time you just remove the last "permit ip any any"-line.
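The "permit and log, then tighten" approach above works only if someone actually reads the logs. As an added example (not part of the original thread or from the poster), here is a small Python script that parses ASA `%ASA-6-106100` access-list log messages, totals the destination ports observed between the two hosts, and emits candidate `access-list ... extended permit` lines for review. The ACL name `PC_ACL`, the interface names, the addresses and the log lines are all constructed sample values, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %ASA-6-106100 format that an ACE with
# the "log" keyword produces. Addresses, ACL name and hash codes are made up.
SAMPLE_LOGS = """\
%ASA-6-106100: access-list PC_ACL permitted tcp inside/10.1.1.10(51234) -> dmz/10.2.2.20(445) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list PC_ACL permitted tcp inside/10.1.1.10(51240) -> dmz/10.2.2.20(445) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list PC_ACL permitted tcp inside/10.1.1.10(51301) -> dmz/10.2.2.20(3389) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
%ASA-6-106100: access-list PC_ACL permitted udp inside/10.1.1.10(53422) -> dmz/10.2.2.20(53) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
%ASA-6-106100: access-list PC_ACL permitted tcp inside/10.1.1.10(51999) -> dmz/10.9.9.9(80) hit-cnt 1 first hit [0x1a2b3c50, 0x0]
"""

# Fields of a 106100 message: ACL name, action, protocol,
# src_if/src(sport) -> dst_if/dst(dport), hit count.
LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_acl_logs(text):
    """Yield one dict per parsable 106100 line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "hits"):
                rec[key] = int(rec[key])
            yield rec


def summarize(text, src, dst):
    """Return {(proto, dport): total_hits} for traffic from src to dst only.

    Source ports are ephemeral and deliberately ignored; the destination
    port is what the eventual ACE will match on.
    """
    totals = defaultdict(int)
    for rec in parse_acl_logs(text):
        if rec["src"] == src and rec["dst"] == dst:
            totals[(rec["proto"], rec["dport"])] += rec["hits"]
    return dict(totals)


def build_aces(acl_name, src, dst, text):
    """Turn the observed summary into host-to-host ASA ACE lines.

    Hypothetical helper: the output is a starting point for review, not a
    config to paste in blindly. The trailing "permit ip any any" from the
    learning phase is what gets removed once these ACEs are in place.
    """
    aces = []
    for (proto, dport), _hits in sorted(summarize(text, src, dst).items()):
        aces.append(
            f"access-list {acl_name} extended permit {proto} "
            f"host {src} host {dst} eq {dport}"
        )
    return aces


if __name__ == "__main__":
    for ace in build_aces("PC_ACL", "10.1.1.10", "10.2.2.20", SAMPLE_LOGS):
        print(ace)
```

Note that the summary filters on the exact source and destination pair, so the line to 10.9.9.9 in the sample is not turned into an ACE; the point of the exercise is to learn what the two PCs say to each other, not to whitelist everything the logging ACL happened to see.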
07-22-2015 01:11 AM
Thanks for your reply Karsten, allow any any and log sounds like a brilliant idea, I'll try that
Cheers