2523 Views | 0 Helpful | 1 Replies

Listening ports on and filtering into ASA

AlexFer (Level 1)

Hi experts,

our ASA (on FPR) is performing site-to-site IPsec VPN Gateway duties, however, "show asp table socket" doesn't show UDP/500 and UDP/4500 (or ESP). (ASA's interface IP address is used as local VPN Gateway address.)

Q1. Is there a command to show ALL listening ports?

Q2. What is the recommended method to filter remote IPsec VPN Gateways able to connect to my IPsec VPN Gateway (i.e. my ASA)?

Q3. What is the recommended method to filter remote RA VPN client addresses able to connect to a tunnel-group (i.e. on my ASA)?

R's, Alex


foo-border-4110/pri/act# show asp table socket
Protocol Socket   State  Local Address        Foreign Address
SSL      000a2118 LISTEN 140.{redacted}:443   0.0.0.0:*
SSL      000a2208 LISTEN fd5f:{redacted}]:443 [::]:*
TCP      00003c38 LISTEN [::]:22              [::]:*
TCP      00003d38 LISTEN 140.{redacted}:22    0.0.0.0:*


1 Reply

AlexFer (Level 1)

For posterity... Response from a Cisco engineer I sneaked into another SR:

> Q1. Is there a command to show ALL listening ports?

"show asp table classify domain permit" is almost there - excludes ESP.

> Q2. What is the recommended method to filter remote IPsec VPN Gateways able to connect to my IPsec VPN Gateway (i.e. my ASA)?

"access-group local-outside .. control-plane"

> Q3. What is the recommended method to filter remote RA VPN client addresses able to connect to a tunnel-group (i.e. on my ASA)?

Cannot be done simply (using an ACL).
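
Worked example of the Q2 answer (a control-plane ACL restricting which peers may reach the ASA's own IKE/ESP listeners). This is an added illustration, not configuration from the original post or from Cisco; the ACL name CP-OUTSIDE, the object-group VPN-PEERS, the interface name "outside", the ASA address 198.51.100.1 and the peer addresses 203.0.113.10/11 are all placeholders (RFC 5737 documentation ranges).

```cisco
! Known site-to-site peers (placeholder addresses)
object-group network VPN-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11

! To-the-box traffic on "outside": permit IKE (UDP/500), NAT-T (UDP/4500)
! and ESP only from the known peers to the ASA's own outside address
! (198.51.100.1 is a placeholder for the interface IP).
access-list CP-OUTSIDE extended permit udp object-group VPN-PEERS host 198.51.100.1 eq 500
access-list CP-OUTSIDE extended permit udp object-group VPN-PEERS host 198.51.100.1 eq 4500
access-list CP-OUTSIDE extended permit esp object-group VPN-PEERS host 198.51.100.1
! Log everything else aimed at the box so unexpected peers show up in syslog
access-list CP-OUTSIDE extended deny ip any any log

! Apply as a control-plane (to-the-box) ACL rather than a through-traffic ACL
access-group CP-OUTSIDE in interface outside control-plane

! Verify hit counts per ACE after a peer negotiates
show access-list CP-OUTSIDE
```

Two caveats follow directly from the thread. First, a control-plane ACL governs all traffic destined to the ASA on that interface, so any management access you rely on from the outside (SSH, HTTPS/ASDM) must also be permitted in the same ACL or it will be dropped. Second, this is exactly why Q3 "cannot be done simply": the ACL filters by source address and port before tunnel-group selection, so it can restrict which addresses may start IKE at all, but it cannot distinguish an RA client from a site-to-site peer, nor one tunnel-group from another.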
