
TCP 402 blocked by ASA firewall

Hi,

We use Altiris between two VPN sites protected by a Cisco PIX (8.0) and an ASA (8.0).

Altiris communicates some multicast traffic on tcp port 402, but this traffic gets blocked by the firewalls with this message:

%pix-6-106015: deny tcp (no connection) from x.x.x.x/4597 to x.x.x.x/402 flags psh ack on interface inside

I've looked through the IP audit signatures and the service policy rules, but the port 402 does not appear anywhere.

Does anyone have a clue?

Thanks in advance,

Rasmus
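
The log line in the question is worth decoding before hunting through ACLs and inspect maps. The block below is an added example, not from the original post and not Cisco code: a small Python classifier for %PIX/%ASA-6-106015 "Deny TCP (no connection)" messages. It relies on the documented meaning of 106015 (the firewall dropped a TCP segment for which it holds no connection entry; an entry is only built for a permitted SYN), and the log lines it parses are constructed samples using RFC 5737 documentation addresses, not the poster's traffic. Function and bucket names are this example's own.

```python
"""Classify Cisco PIX/ASA 106015 'Deny TCP (no connection)' syslog lines.

Added example (not from the forum post). Message 106015 is a state-table
drop: the segment matched no entry in the connection table and does not
open a new connection, so access-lists and inspection policies, which are
evaluated when a connection is built, never see it.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (RFC 5737 addresses); the last line is a different
# message id and must be ignored by the parser.
SAMPLE_LOG = """\
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/4597 to 198.51.100.20/402 flags PSH ACK on interface inside
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/4597 to 198.51.100.20/402 flags ACK on interface inside
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/4598 to 198.51.100.20/402 flags FIN ACK on interface inside
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.20/402 to 192.0.2.10/4597 flags RST on interface outside
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.11/51000 to 198.51.100.20/402 flags SYN ACK on interface inside
%PIX-6-302013: Built inbound TCP connection 12345 for inside:192.0.2.12/4600 (192.0.2.12/4600) to outside:198.51.100.20/402 (198.51.100.20/402)
"""

# Case-insensitive because some syslog collectors (and the post above) lower-case the text.
LINE_RE = re.compile(
    r"%(?:PIX|ASA|FWSM)-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_106015(line):
    """Return the fields of one 106015 message, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].upper().split())
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def diagnose(flags):
    """Map the TCP flags of a dropped segment to the likely cause (bucket names are ours)."""
    if "RST" in flags:
        return "reset-for-unknown-connection"    # usually harmless, e.g. after an idle timeout
    if "SYN" in flags and "ACK" in flags:
        return "syn-ack-without-embryonic-conn"  # reply to a SYN this unit never saw
    if "SYN" in flags:
        return "syn-dropped-as-no-connection"    # rare; look at NAT/routing, not only the ACL
    return "mid-stream-segment-no-conn"          # asymmetric path or the conn entry already expired


def summarize(log_text):
    """Count 106015 drops per diagnosis and per (src, sport, dst, dport, iface) flow."""
    by_cause = Counter()
    by_flow = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None:
            continue
        cause = diagnose(rec["flags"])
        by_cause[cause] += 1
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["iface"])
        by_flow[flow][cause] += 1
    return by_cause, by_flow


if __name__ == "__main__":
    causes, flows = summarize(SAMPLE_LOG)
    for cause, n in causes.most_common():
        print(f"{n:4d}  {cause}")
    for flow, counts in flows.items():
        print(flow, dict(counts))
```

The PSH ACK drop quoted in the question lands in the mid-stream bucket: the segment belongs to a connection the firewall never saw open, or whose entry has already been removed, so adding a permit for port 402 to an access-list cannot change the outcome. The useful questions for that bucket are whether the SYN for the flow crossed the same unit (asymmetric routing between the two VPN sites) and how long the connection sat idle before the drop.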

8 Replies

I should mention that the whole IP stack has been allowed both ways through this connection. Somehow this port (recognized as "genie" but used by Altiris multicast) is blocked on the way.

Hi,

You could write an access-list to specifically allow communication on port 402. The example below allows hosts to communicate via port 402:

! outside interface address
ip address outside 217.x.x.115 255.255.255.248

! static NAT so the inside host is reachable on that outside address
static (inside,outside) 217.x.x.115 192.168.1.2 netmask 255.255.255.255 0 0

! permit TCP 402 to that host and bind the ACL inbound on the outside interface
access-list outside_access_in permit tcp any host 217.x.x.115 eq 402
access-group outside_access_in in interface outside

If you could post your config too, I can take a look to see if anything else is missing.

Please rate this post if it helps.

But when the access list already in place permits ip any any (roughly), would that make a difference at all?

I'll get back to you with an edited edition of the config.

Thanks for your reply.

Have you looked at your inspect statements? I would take out the global_policy for a test.

Jake

gbudd12345
Level 1

Is it just the multicast traffic that is getting blocked? You might have to have the ASA route the multicast traffic.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/multicst.html#wp1062430

--Gavin Budd

I tried specifically adding rules to allow port 402 (though the whole IP stack has been permitted), and there was no difference.

I have now enabled multicast routing, so let's see if that changes anything. I will get back to you :)

Thanks for all your answers,

Rasmus

Tried enabling multicast routing but it makes no difference :(

Any last suggestion? I'm going out of my mind - there's nothing about tcp port 402 in the security policies (deep inspection) and still this port gets blocked.

Thanks in advance,

Rasmus

Please try capturing the data with a sniffer, then bypass the ASA and capture the data again, and analyse how the two differ.
