Open Firewall Ports

I am a firewall newbie so please excuse my ignorance. I need to open some firewall ports to setup a Barracuda web filter. Do I open ports under NAT Rules in ASDM 7.9 or some other place? Thanks for any guidance, I really appreciate it.

Here are the ports I need to open:

Port    Direction   Protocol   Description
22      In/Out      TCP        Remote diagnostics
25      Out         TCP        Email and email bounces
53      Out         TCP/UDP    DNS (Domain Name Server)
80      Out         TCP        Virus, spyware, category definition updates, and firmware updates
123     In/Out      UDP        NTP (Network Time Protocol)
8000    In/Out      TCP        To access web interface.
8002    In/Out      TCP        Synchronization between linked systems.
23557   In/Out      TCP
8 Replies

They are access control rules that will need adding to your access control list. I presume the firewall is already configured and has ACLs you can add those rules to? See the link below; remember to be specific and only allow the ports required to the source/destinations required. If you don't usually do it, it's probably worth doing it with someone, or getting someone to peer review if possible.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112925-acl-asdm-00.html


@rmathieson7 

Thank you for your help. I will follow your instruction and provided link.

I have created both Access and NAT Rules (see screenshots). I get confused about the direction; some ports are Out and the other ports are In/Out. Also, for example, when I try to do Port 22, it comes up as SSH instead of TCP.

Attachments: fw1.png, fw2.png, fw3.png


Hi,
Your ACL from traffic inside to outside is permitting "any" from inside to outside, so you shouldn't explicitly need to permit any outbound traffic.

Why do you need to permit the traffic "in" for NTP, SSH, access to the web interface, sync etc? Is this system being remotely managed from outside the firewall? If not I don't see why you should need these rules. The firewall is stateful, so any traffic you permit outbound will automatically be permitted back in.

SSH uses TCP protocol port 22.

HTH
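To make the distinction in this reply concrete, here is an added example (not from the original thread, and not Barracuda's or Cisco's own configuration) of the same design in ASA CLI, 8.3+ object syntax: specific outbound entries for the rows the vendor table marks Out, no inbound entries for the return traffic (the state table handles that), and inbound entries only for the rows that are genuinely reached from outside, scoped to a known management host. The addresses, interface names and ACL names are assumptions.

```text
! Added example, not from the thread. 192.168.10.20 (web filter), 203.0.113.5
! (management host), 198.51.100.20 (public address) and the ACL/interface names
! are assumptions; replace them with your own.
object network barracuda
 host 192.168.10.20
 ! Static NAT publishes the filter; only needed if it is managed from outside.
 nat (inside,outside) static 198.51.100.20

object network mgmt-host
 host 203.0.113.5

! Rows marked "Out": the filter opens these connections itself. Because the ASA
! is stateful, the replies are matched to the connection and need no inbound rule.
object-group service barracuda-tcp-out tcp
 port-object eq 25
 port-object eq 53
 port-object eq 80
object-group service barracuda-udp-out udp
 port-object eq 53
 port-object eq 123

! Target state for the inside ACL: explicit entries instead of "permit ip any any".
! Rows marked "In/Out" (22, 8000, 8002, 23557) get an entry only in the direction
! the deployment actually uses; 8002 is only needed between linked filters.
access-list inside_in extended permit tcp object barracuda any object-group barracuda-tcp-out
access-list inside_in extended permit udp object barracuda any object-group barracuda-udp-out
access-list inside_in extended deny ip object barracuda any log
access-group inside_in in interface inside

! Inbound: only what is reached from outside (diagnostics on 22, the web UI on
! 8000), from the management host only. Post-8.3 ACLs reference the REAL address.
access-list outside_in extended permit tcp object mgmt-host object barracuda eq 22
access-list outside_in extended permit tcp object mgmt-host object barracuda eq 8000
access-group outside_in in interface outside
```

Two things to check after entering it: the ASA appends a new ACE to the end of the ACL, so while the existing `permit ip any any` is still present the specific entries never match and the log line for the deny never fires; `show access-list inside_in` shows per-entry hit counts, which tells you whether traffic is hitting the specific entries or still falling through to the broad one before you remove it.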

@Rob Ingram @rmathieson7

I believe I setup the Access and NAT correctly. How does it know that I want port 80 to go to 81? Do I have to enter 81 somewhere?

 

Attachments: fw8.png, fw9.png

@Rob Ingram @rmathieson7

I have several sites on my web server in IIS. Some I want public and some I need private (internal use only).

The private sites use port 80 and 443. The public sites use 81 and 444. I need to ensure that traffic from WAN to LAN is forwarded from 80 to 81, and 443 to 444, while keeping 80/443 hidden or internal only. Hope this makes sense. Thanks for all the help!!

If the sites you want exposed to the public only listen on ports 81 & 444 then you could do this with a static NAT & just allow those ports through the firewall from the WAN to LAN? Slightly less common ports so will prevent a little bit of sniffing. Is that feasible, or do you need to ensure WAN traffic uses an existing connection string that you can't modify?

From a security perspective I'd advise you use a different web server for internal and external sites. I'd also be concerned by the IPv4 any - outside being permitted, but that will take some time and effort now that a few services will be relying on it. One to resolve over time.

For the TCP/22 showing as SSH, it's just a known port so the ASA does it automatically, as per HTTP/S. You can also create port objects and call them what you like.
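The static NAT with port translation suggested in this reply, written out as an added example in ASA 8.3+ CLI syntax (not from the thread and not Cisco's documentation). The web server address 192.168.10.30, the ACL name and the object names are assumptions. The point it answers from the question above is where the 81 goes: the real port is on the NAT statement, and the ACL references the real port too.

```text
! Added example, not from the thread. Host address and names are assumptions.
! nat ... static interface service tcp <real_port> <mapped_port>
! Outside clients connect to the outside interface address on 80 / 443;
! the ASA rewrites the destination to 192.168.10.30:81 / :444.
object network web-public-http
 host 192.168.10.30
 nat (inside,outside) static interface service tcp 81 80
object network web-public-https
 host 192.168.10.30
 nat (inside,outside) static interface service tcp 444 443

! Post-8.3 ACLs are written in terms of the REAL address and port (81, 444),
! not the translated 80/443. Ports 80 and 443 on the same host have no NAT
! entry and no ACL entry, so they remain reachable from the inside only.
access-list outside_in extended permit tcp any object web-public-http eq 81
access-list outside_in extended permit tcp any object web-public-https eq 444
access-group outside_in in interface outside
```

To confirm the translation and the rule line up, `packet-tracer input outside tcp 203.0.113.9 40000 <outside-interface-ip> 80` (source address constructed) walks a packet through NAT and the ACL and reports the NAT phase and the allow/drop result; `show nat detail` shows the translation hit counts. Note that the separation here comes from the NAT scope and the ACL, not from the port numbers: 81 and 444 are found by any port scan just as quickly as 80 and 443, so the internal-only sites are protected only because nothing publishes them.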

@rmathieson7 @Rob Ingram

I have all my Private Sites setup separately from Public Sites. See screenshot below.

Attachments: fw22.png
