Using tcp port 0?

mikearama
Level 1

12 years as a firewall guy... and this is a first for me.

I have a request to allow firewall access to an app that apparently uses tcp port 0.  I thought it didn't exist... but good-ol' google proved that wrong.  I did find this comment:  " Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications. "

Just out of curiosity, anyone implemented an acl using port 0 before?  Any issues on the ASA side?

Thanks,

Mike

3 Replies

Gautam Bhagwandas
Cisco Employee

Dear Mike,

You are right. As per the IANA port number assignments, this TCP port is a reserved port.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

Moreover, the ACL command does not permit you to define a port of 0.

Here's a test from my lab ASA:

HTTS-R1-ASA5510-01(config)# $ host 1.1.1.1 eq 1 host 2.2.2.2 eq ?

configure mode commands/options:
  <1-65535>        Enter port number (1 - 65535)
  aol

HTTS-R1-ASA5510-01(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.2(3)

I also see that a syslog message is generated in this regard:

Error Message %ASA-4-500004: Invalid transport field for protocol=protocol, from source_address/source_port to dest_address/dest_port

Explanation This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol value is 6 for TCP and 17 for UDP and therefore a tcp or udp packet with source or destination port 0 is a malformed request.

Recommended Action If these messages persist, contact the administrator of the peer.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4773952


So port 0 definitely looks like a very unusual thing.

Just wanted to append the outputs on FWSM as well, where the same limitation exists:

VL-QN-FW002/test-ne(config)# $rmit tcp host 1.1.1.1 eq ?

configure mode commands/options:

  <1-65535>        Enter port number (1 - 65535)

VL-QN-FW002(config)# show ver | inc 4.0

FWSM Firewall Version 4.0(15)

The FWSM system log message ID is the same again (500004).

This syslog message would be generated when port 0 destined traffic is already allowed through the firewall (not within an acl permitting port 0 of course but a more generic acl that does not contain the port number and permits in general ip/tcp traffic).
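As an added example (not part of the thread or of any Cisco tooling), a small Python parser for the %ASA-4-500004 message format quoted above, run over constructed sample log lines, that tallies which peer sent or received port-0 segments so that persistent ones can be followed up as the recommended action suggests. The log lines, addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-4-500004 format quoted above
# (addresses and ports are made up for illustration; one unrelated message included).
SAMPLE_LOGS = """\
%ASA-4-500004: Invalid transport field for protocol=6, from 10.1.1.5/0 to 192.0.2.10/443
%ASA-4-500004: Invalid transport field for protocol=17, from 10.1.1.5/5000 to 192.0.2.20/0
%ASA-6-302013: Built inbound TCP connection 12 for outside:10.1.1.6/4000 to inside:192.0.2.10/443
%ASA-4-500004: Invalid transport field for protocol=6, from 10.1.1.5/0 to 192.0.2.10/443
"""

# Pattern for the documented message text:
# "Invalid transport field for protocol=protocol, from source_address/source_port to dest_address/dest_port"
MSG_RE = re.compile(
    r"%ASA-4-500004: Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}  # values given in the Cisco explanation


def parse_500004(line):
    """Return a dict for a %ASA-4-500004 line, or None if the line is another message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sport": sport,
        "dport": dport,
        # The message fires when either port is zero; record which side it was.
        "zero_port_side": "source" if sport == 0 else "destination" if dport == 0 else "none",
    }


def summarize_port0(log_text, threshold=2):
    """Count port-0 events per (peer, proto); peers at/over threshold are 'persistent'."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_500004(line)
        if ev is None or ev["zero_port_side"] == "none":
            continue
        # The peer worth contacting is the host that used port 0.
        peer = ev["src"] if ev["zero_port_side"] == "source" else ev["dst"]
        counts[(peer, ev["proto"])] += 1
    persistent = sorted(k for k, n in counts.items() if n >= threshold)
    return dict(counts), persistent
```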

FYI, Cisco themselves source ip sla control traffic from port 0. Yeah I know, WTF?
