Participant

Application port allow in firewall (like ftp active and passive)

Dear All,

I am a bit confused about TCP connection initiation between some server and client applications and how to allow the traffic in the firewall, because I am confused about the session layer.

For example: the server is listening on port 3000 for any clients.

If the client sends a request to the server, the destination port is 3000 and the src port is a random port (e.g. 2000). Which ports (destination port and src port) will the server use to reply to the client? Does the server use a random high port?

Or does the server reply to the client with destination port 2000 and a random port as its src port?

In the firewall, do I only need to allow port 3000 uni-directional traffic? Do I need to open it bi-directionally?

Or do I need to allow all high ports in the firewall like for passive FTP traffic?

Accepted Solutions
VIP Advisor

Re: Application port allow in firewall (like ftp active and passive)

Firewalls are stateful, so in 99% of the cases you allow traffic from source to destination and you allow a certain destination port. So if you allow from source to destination on tcp/3000 then really you don't care much about the port the source would like its response back on.

Firewalls typically allow the return traffic as they are stateful, although you can be more granular than that.

Please remember to rate useful posts, by clicking on the stars below.
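Added example, not from this thread or from any vendor's firewall code: a toy Python model of the stateful behaviour the accepted answer describes, extended to the passive FTP case the follow-up question raises. The addresses and ports are constructed, and `expect()` stands in for what an FTP inspection engine does after reading the negotiated data port (an assumption about ALG behaviour, not a specific product feature).

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for the first packet of a new TCP connection

class StatefulFirewall:
    """Toy model: policy rules are checked only for the SYN that opens a flow; every
    later packet (replies included) must match a recorded flow in either direction."""
    def __init__(self, rules):
        self.rules = set(rules)   # permanent rules: (src_ip, dst_ip, dst_port)
        self.pinholes = set()     # one-shot expectations an inspection engine adds
        self.state = set()        # admitted flows as (src_ip, src_port, dst_ip, dst_port)

    def expect(self, src_ip, dst_ip, dst_port):
        # what FTP inspection does after parsing a PASV reply (assumed behaviour)
        self.pinholes.add((src_ip, dst_ip, dst_port))

    def allow(self, p: Packet) -> bool:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.state or rev in self.state:
            return True                      # continuation or reply of a known flow
        key = (p.src_ip, p.dst_ip, p.dst_port)
        if p.syn and (key in self.rules or key in self.pinholes):
            self.pinholes.discard(key)       # a pinhole is consumed by one connection
            self.state.add(fwd)
            return True
        return False                         # no rule, no state: dropped

def demo():
    client, server = "10.0.0.5", "192.0.2.10"          # constructed sample addresses
    fw = StatefulFirewall([(client, server, 3000)])    # the one rule: client -> server tcp/3000
    r = {}
    # client opens the connection: ephemeral src 2000 -> dst 3000
    r["client_syn"] = fw.allow(Packet(client, 2000, server, 3000, syn=True))
    # server answers FROM 3000 back TO 2000; matches the reverse tuple, no rule needed
    r["server_reply"] = fw.allow(Packet(server, 3000, client, 2000))
    # server opening a brand-new connection to the client: no state, no rule
    r["server_new_conn"] = fw.allow(Packet(server, 50000, client, 6000, syn=True))
    # passive-FTP-style data channel to a negotiated high port: blocked by the 3000-only rule
    r["pasv_data"] = fw.allow(Packet(client, 2001, server, 50001, syn=True))
    # after inspection adds a pinhole for the negotiated port, the same data channel passes
    fw.expect(client, server, 50001)
    r["pasv_data_after_pinhole"] = fw.allow(Packet(client, 2002, server, 50001, syn=True))
    return r
```

The server always replies from port 3000 to the client's ephemeral port, which is why the single rule suffices; the passive FTP data channel fails because its port is chosen in-band, which is the "other 1%" where inspection or an explicit high-port rule is needed.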


Participant

Re: Application port allow in firewall (like ftp active and passive)

Hi,

Thanks for your explanation.

Please let me know whether the scenario in the links below is different from your explanation? It is not a Cisco ASA firewall example. After reading the links below I got the question in the above post. Are the links below related to passive FTP only? Not related to other traffic?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Configuration

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK
