Need Help to Open Port

Unanswered Question
Dec 23rd, 2009


I want to Open UDP Port 161 on our Cisco ASA 5510.

Kindly guide me to do the same.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Wed, 12/23/2009 - 07:33

You need to open the ACLs.

ACL applied to outside interface destined to that port. If you have an inside interface ACL make sure traffic sourced from port 161 is also allowed.

Make sure there is translation for the inside ip address port 161. You will need a static NAT or PAT.

static (inisde,outside)

static (inisde,outside) 161 161

I hope it helps.


sachinraja Wed, 12/23/2009 - 07:50

Hi Vishal

Do you want to configure SNMP (UDP 161) on your ASA or do you want to allow SNMP access through your firewall ??

If you want to enable SNMP on ASA please use this guide:

if it is the second case -> of allowing SNMP access you can configure access-lists... by default ASA allows traffic from inside to outside (unless you have an ACL already).. for access from outside to inside, you need ACLs

access-list inside permit udp x.x.x.x a.a.a.a eq 161

Let me know the exact issue and we will try to solve it..


vishalthakur1983 Wed, 12/23/2009 - 19:45

Thanks for your response.

We are using What's Up Gold Monitoring tool and to monitor windows services, our support person suggest to open Port (UDP 161) from firewall.

Attached pls find show tech of ASA.

Kureli Sankar Wed, 12/23/2009 - 20:11


I believe this answers Raj's question to some extent.  Meaning I understand it is "THROUGH" the firewall and not "TO" the firewall. Still, I am not sure where the monitoring server is and where the windows servers are.

topology 1:

monitoring server-----(inside)---------ASA-----(dmz or outside)---- windows server

You do not need to configure anything special since you have the following configured already.

access-list inside1 extended permit ip any any

toplogy 2:

windows servers ----(inside) --------ASA------(dmz or outside)---monitoring server.

If it is the above, then we need to create static translation for all the inside servers.

You can do either nat exemption with acl or static identity or static pat for udp port 161

Permission you already have this configured ccess-list outside1 extended permit ip any any

You may want to tighten this ACL.

assuming the monitoring server is on the outside:

static (i,o) i.i.i.i i.i.i.i ----> this is identity static

static (i,o)o.o.o.o i.i.i.i -----> where o.o.o.o is the translated address and i.i.i.i is the internal address

nat (inside) 0 access-list nat0 - --> this is nat exemption with acl

access-list nat0 permit ip i.i.i.0/24 x.x.x.x

Now, knowing what whatsup gold does and how it needs to be configured I would place whatsup gold where all the servers are so, it can monitor them without having to go through the firewall. But, you know your network better than we do so, the above are your options.



This Discussion