03-26-2008 05:37 AM - edited 03-11-2019 05:22 AM
Hi,
We use Altiris between two VPN sites protected by a Cisco PIX (8.0) and an ASA (8.0).
Altiris communicates some multicast traffic on tcp port 402, but this traffic gets blocked by the firewalls with this message:
%pix-6-106015: deny tcp (no connection) from x.x.x.x/4597 to x.x.x.x/402 flags psh ack on interface inside
I've looked through the IP audit signatures and the service policy rules, but the port 402 does not appear anywhere.
Does anyone have a clue?
Thanks in advance,
Rasmus
03-26-2008 06:14 AM
I should mention that the whole IP stack has been allowed both ways through this connection. Somehow this port (recognized as "genie" but used by Altiris multicast) is blocked on the way.
03-26-2008 07:56 AM
Hi,
You could write an access-list to specifically allow communication on port 402. The example below allows hosts to communicate via port 402:
access-list outside_access_in permit tcp any host 217.x.x.115 eq 402
ip address outside 217.x.x.115 255.255.255.248
static (inside,outside) 217.x.x.115 192.168.1.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
If you could post your config too, I can take a look to see if anything else is missing.
Please rate this post if it helps.
03-26-2008 08:40 AM
But when the access list already in place permits ip any any (roughly), would that make a difference at all?
I'll get back to you with an edited edition of the config.
Thanks for your reply.
03-26-2008 09:52 AM
Have you looked at your inspect statements? I would take out the global_policy for a test.
Jake
03-27-2008 08:54 AM
Is it just the multicast traffic that is getting blocked? You might have to have the ASA route the multicast traffic.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/multicst.html#wp1062430
--Gavin Budd
03-31-2008 02:14 AM
I tried specifically adding rules to allow port 402 (though the whole IP stack has been permitted), and there was no difference.
I have now enabled multicast routing, so let's see if that changes anything. I will get back to you :)
Thanks for all your answers,
Rasmus
04-01-2008 01:33 AM
Tried enabling multicast routing but it makes no difference :(
Any last suggestion? I'm going out of my mind - there's nothing about tcp port 402 in the security policies (deep inspection) and still this port gets blocked.
Thanks in advance,
Rasmus
04-10-2008 10:23 PM
Please try capturing the data with a sniffer, then bypass the ASA and capture again with the sniffer, and analyse how the two differ.