08-08-2016 11:06 PM - edited 03-12-2019 01:06 AM
Hi Folks,
Is it secure to open the UDP port range (50,000 - 65,000) for VoIP on the firewall from the outside for video conferencing?
Saeed
08-16-2016 11:17 PM
Hi Bro
If it's required that that wide range of UDP ports be opened, then you've no choice but to do it. I personally don't like this, but I've been in your shoes before.
However, I wouldn't worry much because by default, you've these settings enabled in your Cisco FW:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
However, it's best that you harden your Cisco ASA FW with the other features available, such as threat detection as shown below:
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.10.173.0 255.255.255.252
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
Lastly, there are other features you can enable as well, such as Reverse-Path Forwarding, Multi Framework Policy (i.e. class-map / policy-map) for your UDP traffic, etc.
Good luck sir!
Please do check out some configuration notes below:
1. https://www.petenetlive.com/KB/Article/0001111
2. https://supportforums.cisco.com/discussion/11208446/port-range-forwarding-post-83-asa
08-10-2016 11:48 AM
Hi,
You can open the ports, though just take into account the security measures, such as creating granular and specific rules matching only the necessary sources and destinations.
08-16-2016 01:00 PM
Hello Saeedullah. I have a couple of questions for you:
1. Do you have a set of outside IPs that you are looking to open this to?
2. Are you looking to open these ports to an individual internal IP, like a VCS or MCU type device?
Thank you for rating helpful posts!
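A constructed Cisco ASA configuration that ties together the advice in this thread (the granular source/destination rules, the single internal VCS/MCU target, the timeouts, threat detection, reverse-path checking and the class-map / policy-map approach). It is an added example, not taken from any post here; every address and object name is a placeholder you would replace with your own.

```cisco
! Placeholders (constructed, replace with your own values):
!   10.10.173.10     internal VCS/MCU that terminates the media
!   203.0.113.10     its public address on the outside interface
!   198.51.100.0/24  the partner organisation's conferencing range
object network VCS_INSIDE
 host 10.10.173.10
object network VCS_OUTSIDE
 host 203.0.113.10
object network PARTNER_VC
 subnet 198.51.100.0 255.255.255.0
object-group network VC_PEERS
 network-object object PARTNER_VC
object service VC_MEDIA_UDP
 service udp destination range 50000 65000
!
! One-to-one static NAT: only the conferencing device is exposed, not the LAN.
object network VCS_INSIDE
 nat (inside,outside) static VCS_OUTSIDE
!
! Inbound policy: known peers only, UDP 50000-65000 only, to the VCS only
! (ASA 8.3+ ACLs reference the real, untranslated inside address).
access-list OUTSIDE_IN extended permit object VC_MEDIA_UDP object-group VC_PEERS object VCS_INSIDE
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Modular Policy Framework: cap what any single peer can open and keep
! idle media flows short, so an abandoned UDP stream is torn down quickly.
access-list VC_MEDIA_ACL extended permit udp object-group VC_PEERS object VCS_INSIDE range 50000 65000
class-map VC_MEDIA
 match access-list VC_MEDIA_ACL
policy-map OUTSIDE_POLICY
 class VC_MEDIA
  set connection per-client-max 100
  set connection timeout idle 0:01:00
service-policy OUTSIDE_POLICY interface outside
!
! Drop packets whose source address could not be routed back out the same
! interface (anti-spoofing), and keep the threat-detection features on.
ip verify reverse-path interface outside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
```

Verify with `show access-list OUTSIDE_IN` (hit counts), `show service-policy interface outside` and `show threat-detection scanning-threat` once traffic is flowing.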