Need Help on Port Blocking in ASA

engrhaiderabbas · ‎07-23-2013

Dear All,

I have configured firewall and allow only port 443 and deny all tcp ports for destination, but when i am scanning from port scanner it shows several tcp ports are enabled.. need your seuggestion and help on it.. how to block these tcp ports..

Early response is required..

Thanks

Jouni Forss · ‎07-23-2013

Hi,

You have not given any configurations to reference or mentioned at all the ports that were open in the scanner.

We would need a bit more information to go on.

- Jouni

engrhaiderabbas · ‎07-23-2013

Below is the configuration..

access-list extended permit tcp any host ip eq https

access-list extended deny ip any any

Jouni Forss · ‎07-23-2013

Hi,

Still don't know the ports that were supposedly open.

Though if that is the ACL you have bound to the "outside" interface on the ASA then it should be blocking the connections through the ASA for everything else other than the TCP/443 for a single destination IP address.

Then there is naturally the ASAs own services and ports on which its listening on.

You can check that with the following command

show asp table socket

Most likely the ports that are open on the ASA are the ones used for management purposes perhaps

Those set with the following commands

telnet

ssh

http

You also have the option to create an ACL that blocks all traffic to the ASA "outside" interface IP address. You can then attach it with "access-group" command

access-group in interface outside control-plane

This would limit the "To the Box" traffic. Though the above mentioned management commands "telnet", "ssh" and "http" would still override this ACL.

- Jouni