02-02-2018 02:07 AM - edited 03-08-2019 01:41 PM
Hello,
Sorry for this stupid question on a FW ASA configuration, but I need to understand the difference.
example:
access-list DMZ_IN extended permit udp object SRVA eq 8082 object SRVB eq 8082
since the source/destination ports are the same, can I change to this:
access-list DMZ_IN extended permit udp object SRVA object SRVB eq 8082
If I omit the source port, does it mean it is a dynamic one, or that the port is the same as the destination?
Thank you very much.
Accepted Solutions
02-02-2018 02:34 AM - edited 02-02-2018 02:36 AM
Hi @h.dam
You're right. And the first approach is mostly incorrect.
In a TCP/UDP transaction, the source port is randomly chosen, so if you specify the source port in an ACL, chances are high that the ACL will not work. Unless the application you are handling permits you to determine the source port, which I, for instance, have never seen.
So, the proper way to do that is what you propose.
-If I helped you somehow, please, rate it as useful.-
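To make the accepted answer concrete, here is an added example (not from the thread or from Cisco) that parses the two ACEs posted above with a toy matcher and evaluates them against a UDP flow from SRVA to SRVB:8082. The object addresses are constructed, only the `object NAME` and `eq PORT` forms are handled, and a missing `eq` is treated the way the ASA treats it: no port restriction.

```python
"""Toy matcher for the two Cisco ASA extended ACEs in the question.

Added example, not Cisco code. Shows why an ACE that pins the source
port rarely matches real traffic while the source-port-less form does.
"""

# Constructed resolution of the network objects named in the thread.
OBJECTS = {"SRVA": "10.0.1.10", "SRVB": "10.0.2.20"}


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO <src> [eq P] <dst> [eq P]'.

    Only 'object NAME' addresses and 'eq PORT' operators are supported.
    A side without 'eq' gets port None, meaning any port."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError("not an extended ACE: %r" % line)
    ace = {"name": tokens[1], "action": tokens[3], "proto": tokens[4]}
    pos = 5
    for side in ("src", "dst"):
        if tokens[pos] != "object":
            raise ValueError("unsupported address form: %r" % tokens[pos])
        ace[side] = OBJECTS[tokens[pos + 1]]
        pos += 2
        ace[side + "_port"] = None  # None = no port restriction
        if pos < len(tokens) and tokens[pos] == "eq":
            ace[side + "_port"] = int(tokens[pos + 1])
            pos += 2
    return ace


def ace_matches(ace, proto, src, sport, dst, dport):
    """True when the flow matches the ACE; a None port matches any port."""
    return (ace["proto"] == proto and ace["src"] == src and ace["dst"] == dst
            and ace["src_port"] in (None, sport)
            and ace["dst_port"] in (None, dport))


# The two ACEs exactly as posted in the question.
ACE_WITH_SPORT = "access-list DMZ_IN extended permit udp object SRVA eq 8082 object SRVB eq 8082"
ACE_ANY_SPORT = "access-list DMZ_IN extended permit udp object SRVA object SRVB eq 8082"


def compare(sport):
    """Evaluate both ACEs for SRVA -> SRVB:8082 sent from the given source port."""
    flow = ("udp", OBJECTS["SRVA"], sport, OBJECTS["SRVB"], 8082)
    return (ace_matches(parse_ace(ACE_WITH_SPORT), *flow),
            ace_matches(parse_ace(ACE_ANY_SPORT), *flow))


if __name__ == "__main__":
    print(compare(51234))  # ephemeral source port: (False, True)
    print(compare(8082))   # source port happens to be 8082: (True, True)
```

Real ASA ACEs also accept `range`, `neq`, `gt`, `lt` and non-object address forms, which this toy parser deliberately leaves out.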