Opening UDP Ports on Firewall

Saeedullah Khan
Level 1

Hi Folks,

Is it secure to open the UDP port range (50,000 - 65,000) for VoIP on the firewall from the outside for video conferencing?

Saeed

Accepted Solution

shunmubala
Level 1

Hi Bro

If it's required that that wide range of UDP ports be opened, then you have no choice but to do it. I personally don't like this, but I've been in your shoes before.

However, I wouldn't worry much, because by default you have these settings enabled in your Cisco FW:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

However, it's best that you harden your Cisco ASA FW with the other features available, such as threat detection, as shown below:

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.10.173.0 255.255.255.252

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Lastly, there are other features you can enable as well, such as Reverse-Path Forwarding and the Modular Policy Framework (i.e. class-map / policy-map) for your UDP traffic, etc.

Good luck sir!

Please check out some configuration notes below:

1. https://www.petenetlive.com/KB/Article/0001111

2. https://supportforums.cisco.com/discussion/11208446/port-range-forwarding-post-83-asa


3 Replies

kvaldelo
Level 1

Hi,

You can open the ports, though just take into account the security measures, such as creating granular and specific rules matching only the necessary sources and destinations.
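As an added example (not part of any post in this thread), here is how the advice in the accepted answer and in the reply above could be put together on an ASA running 8.3 or later: the UDP media range is permitted only from named remote peers to the single internal conferencing endpoint, anything else aimed at that range is explicitly dropped and logged, Reverse-Path Forwarding and the threat-detection commands from the accepted answer are enabled, and an MPF class tightens the idle timeout and per-client connection cap for that traffic. All addresses (RFC 5737 documentation ranges), the object, ACL and policy names, and the assumption of one VCS/MCU behind one public address are mine, not the thread's.

```cisco
! Added example, not from the original thread. Addresses, object names and
! policy names are assumptions; syntax is ASA 8.3+ (real IP addresses in ACLs).

! Single internal conferencing endpoint (VCS/MCU) and its public address
object network VCS-INSIDE
 host 192.168.10.20
object network VCS-OUTSIDE
 host 203.0.113.20

! Remote peers allowed to reach the media range; add one entry per partner site
object-group network CONF-PEERS
 network-object host 198.51.100.10
 network-object 198.51.100.64 255.255.255.224

! Static 1:1 NAT so only the conferencing host sits behind the public address
object network VCS-INSIDE
 nat (inside,outside) static VCS-OUTSIDE

! Inbound policy: permit UDP 50000-65000 only from known peers to the
! conferencing host, then explicitly deny and log anything else on that range
access-list OUTSIDE-IN extended permit udp object-group CONF-PEERS object VCS-INSIDE range 50000 65000
access-list OUTSIDE-IN extended deny udp any object VCS-INSIDE range 50000 65000 log
access-group OUTSIDE-IN in interface outside

! Drop packets whose source is not reachable via the outside interface (uRPF)
ip verify reverse-path interface outside

! Threat detection as in the accepted answer; the "except" network is the
! management subnet that must never be shunned (assumed address)
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.10.173.0 255.255.255.252
threat-detection statistics

! MPF: a shorter idle timeout and a per-client cap for the media range, so stale
! or abusive UDP flows age out faster than the global "timeout conn ... udp 0:02:00"
access-list CONF-UDP extended permit udp any object VCS-INSIDE range 50000 65000
class-map CONF-UDP-CLASS
 match access-list CONF-UDP
policy-map OUTSIDE-POLICY
 class CONF-UDP-CLASS
  set connection per-client-max 200
  set connection timeout idle 0:01:00
service-policy OUTSIDE-POLICY interface outside
```

To check the result before trusting it, run `packet-tracer input outside udp 198.51.100.10 50000 203.0.113.20 55000` (expected: allowed, matching the permit line) and the same command with a source outside CONF-PEERS (expected: dropped by the deny line), then watch `show access-list OUTSIDE-IN` hit counts and `show threat-detection statistics` once real calls flow. The range itself should be trimmed to what the conferencing product actually signals; 50,000-65,000 is the upper bound the question asks about, not a value this example can justify.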

nspasov
Cisco Employee

Hello Saeedullah. I have a couple of questions for you:

1. Do you have a set of outside IPs that you are looking to open this to?

2. Are you looking to open these ports to an individual internal IP, like a VCS or MCU type device?

Thank you for rating helpful posts!
