Are ports 80 & 443 permitted by default on an ASA?

Unanswered Question
Mar 1st, 2010
User Badges:

Recently I was asked to permit port 1494 on an ASA so that the users inside the company could access a remote site Citrix Server. While reviewing the config, I noticed that there is no permit statement for ports 80 and port 443 for the outside interface, but the users behind the ASA could access internet and https traffic.


So, are ports 80 & 443 permitted on an ASA by default once a public IP has been assigned to the outside interface.


Also, will the below config help me to permit port 1494 for the outside interface, so that user application can access the remote Citrix Server.


!
interface Ethernet0/0
nameif outside
security-level 0
ip address 89.X.Y.Z 255.255.255.248
!

!

access-list out extended permit tcp any host 89.X.Y.Z eq 1494 log

!

access-group out in interface outside


Thanks in Advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
trustcisco Mon, 03/01/2010 - 05:16
User Badges:

Are you trying to allow internet users to have access to your citrix server which is located in your lan ?


80/443 as far as i remember are not allowed by default. You will need a nat and acl statement to allow 80/443 traffic.


Although traffic coming from a higher security level interface to a lower is permitted i don't think that by assigning an ip address to your outside interface will permit 80/443 traffic automatically.

Panos Kampanakis Mon, 03/01/2010 - 08:33
User Badges:
  • Cisco Employee,

If traffic is initiated outbound (from in to out) and there is no ACL applied on your inside interface then all outbound traffic will be allowed,


Otherwise you need to allow it with ACL on the interface that the traffic is initiated from.

NAT also will come into play.


I hope it helps.


PK

joshxworley Mon, 03/01/2010 - 13:57
User Badges:

On an ASA, each interface has a security level. Typically, outside has a security rating of 0, and inside has a security rating of 100. The higher the security rating, the higher level of trust.


Because the inside zone has a higher security rating than the outside, no ACL is necessary for traffic to route. However, for people accessing your inside network through the outside interface (in your case, the internet), specific ACL statements must be made to permit traffic. For example, an FTP service on your inside network. For someone to access your FTP server from over the internet, you'd have to put an ACL on the outside interface and permit traffic (you can specify source and destination IPs/ports).


In your situation regarding inside network users needing to access a remote Citrix server, you should not have to do anything except verify that firewall the Citrix server sits behind permits your PAT IP (assuming you use NAT overloading on your outside interface IP address) for access.


Hope this helps. Good luck.

jennyjohn Mon, 03/01/2010 - 23:22
User Badges:

No, I am trying to allow users in my network to access a citrix server that is outside in a remote site.

My users are complaining that after they establish a RA-VPN with the remote site they cannot communicate with the citrix server in the remote site.

So should I have an ACL on the outside inteface of the ASA to permit port 1494, so the citrix traffic can come back into my network?

Panos Kampanakis Tue, 03/02/2010 - 06:13
User Badges:
  • Cisco Employee,

If the citrix traffic should go through the VPN then no.

Check split tunneling and crypto ACL to see if it is matching the traffic.


PK

Actions

This Discussion