06-20-2012 07:35 AM - edited 03-11-2019 04:21 PM
12 years as a firewall guy... and this is a first for me.
I have a request to allow firewall access to an app that apparently uses TCP port 0. I thought it didn't exist... but good-ol' Google proved that wrong. I did find this comment: "Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications."
Just out of curiosity, anyone implemented an acl using port 0 before? Any issues on the ASA side?
Thanks,
Mike
07-01-2012 12:08 PM
Dear Mike,
You are right. As per the IANA port number assignments, TCP port 0 is a reserved port.
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Moreover, the ACL command does not permit you to define a port of 0 .
Here's a test from my lab ASA:
HTTS-R1-ASA5510-01(config)# $ host 1.1.1.1 eq 1 host 2.2.2.2 eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
HTTS-R1-ASA5510-01(config)# show ver
Cisco Adaptive Security Appliance Software Version 8.2(3)
I also see that a syslog message is generated in this regard:
Error Message %ASA-4-500004: Invalid transport field for protocol=protocol,
from source_address/source_port to dest_address/dest_port
Explanation This message appears when there is an invalid transport number,
in which the source or destination port number for a protocol is zero.
The protocol value is 6 for TCP and 17 for UDP and therefore a tcp or udp
packet with source or destination port 0 is a malformed request.
Recommended Action If these messages persist, contact the administrator of
the peer.
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4773952
So port 0 definitely looks like a very unusual thing.
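As an added example that is not part of this thread, here is a small Python parser for the %ASA-4-500004 message format quoted above. It pulls the protocol, addresses and ports out of syslog lines, records which end carried port 0, and tallies the events by the sending peer (the host whose administrator the "Recommended Action" says to contact). The sample log lines are constructed for illustration, the %FWSM- prefix is assumed from the FWSM using the same message ID, and the function names parse_500004 and summarize are my own.

```python
import re
from collections import Counter

# Pattern built from the message template quoted in the post above:
#   %ASA-4-500004: Invalid transport field for protocol=<n>, from <src>/<sport> to <dst>/<dport>
# The FWSM alternative in the prefix is an assumption based on the FWSM using the same ID.
MSG_500004 = re.compile(
    r"%(?:ASA|FWSM)-4-500004: Invalid transport field for protocol=(?P<proto>\d+),"
    r" from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Protocol numbers named in the message explanation.
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_500004(line):
    """Return a dict describing a 500004 event, or None if the line is some other message."""
    m = MSG_500004.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    if sport == 0:
        zero_side = "source"
    elif dport == 0:
        zero_side = "destination"
    else:
        zero_side = "none"  # would be unexpected for this message ID
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"), "sport": sport,
        "dst": m.group("dst"), "dport": dport,
        "zero_side": zero_side,
    }


def summarize(lines):
    """Collect 500004 events and count them per source address (the peer sending the packets)."""
    by_peer = Counter()
    events = []
    for line in lines:
        ev = parse_500004(line)
        if ev is not None:
            events.append(ev)
            by_peer[ev["src"]] += 1
    return events, by_peer


# Constructed sample syslog lines (not taken from the thread; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jul 01 2012 12:08:01 fw01 : %ASA-4-500004: Invalid transport field for protocol=6, "
    "from 198.51.100.20/0 to 203.0.113.5/443",
    "Jul 01 2012 12:08:02 fw01 : %ASA-6-302013: Built outbound TCP connection 1234 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:198.51.100.20/50000 (198.51.100.20/50000)",
    "Jul 01 2012 12:08:05 fw01 : %ASA-4-500004: Invalid transport field for protocol=17, "
    "from 198.51.100.20/0 to 203.0.113.9/53",
    "Jul 01 2012 12:08:09 fw01 : %ASA-4-500004: Invalid transport field for protocol=6, "
    "from 198.51.100.77/40001 to 203.0.113.5/0",
]

if __name__ == "__main__":
    events, by_peer = summarize(SAMPLE_LOG)
    for ev in events:
        print(f"{ev['proto']} {ev['src']}/{ev['sport']} -> {ev['dst']}/{ev['dport']} "
              f"(port 0 on {ev['zero_side']})")
    for peer, n in by_peer.most_common():
        print(f"{peer}: {n} port-0 packet(s)")
```

Feeding real syslog into summarize and sorting by peer count gives you the hosts to raise with their administrators, which is the only action the ASA documentation recommends for this message.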
07-01-2012 12:46 PM
Just wanted to append the outputs on FWSM as well, where the same limitation exists:
VL-QN-FW002/test-ne(config)# $rmit tcp host 1.1.1.1 eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
VL-QN-FW002(config)# show ver | inc 4.0
FWSM Firewall Version 4.0(15)
The FWSM system log message ID is the same again (500004).
This syslog message would be generated when traffic destined to port 0 is already allowed through the firewall (not by an ACL permitting port 0, of course, but by a more generic ACL that does not specify a port number and permits IP/TCP traffic in general).
01-15-2019 03:53 AM
FYI, Cisco themselves source ip sla control traffic from port 0. Yeah I know, WTF?