Community Member

ACS 4.0 behind a Firewall

Hi, we have an ACS 4.0 behind a firewall.

I want to know which ports need to be opened up, other than 2002, for remote login purposes.

Any idea..?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACS 4.0 behind a Firewall

Hi,

ACS is accessible via tcp 2002 for the initial connection. For subsequent access (moving from page to page), it will randomly use ports 2003 or higher (tcp).

To access this box remotely, you need to open a range of ports, e.g. 2002 -> 3500, or 2002 -> 5000. Pls be careful when specifying the range, as too many allowed ports MIGHT pose a risk to your ACS server.

example:

access-list outside permit tcp host range 2002 5000

Hope this helps.

Rgds,

AK

8 REPLIES

Community Member

Re: ACS 4.0 behind a Firewall

Thank you, yes, I can see it uses a really wide range, which can be a threat to the server.

So, I was interested in knowing the exact range... Is this documented somewhere?

Re: ACS 4.0 behind a Firewall

Hi,

I think the port range is dynamically opened based on how many times you access the server (moving around the menus), and how many admin users are accessing it.

As for the doc, I have not come across any yet.

Rgds,

AK

Community Member

Re: ACS 4.0 behind a Firewall

Well, I think it is not just 2002 to 5000...

Now I have a session opened with 1824. Guess it is random, so we are thinking of opening 1000 to 5000; let us see how it goes.

Re: ACS 4.0 behind a Firewall

Ok, but to be safe, make sure you set/limit the max connections to your ACS via the static command, and limit external access to only addresses known to you (if applicable):

Example:

a. Static map

static (inside,outside)

static (inside,outside) 10.10.10.10 192.168.1.10 10 20

10 = max connections

20 = embryonic (half-open) session limit

*set according to how many admin users need to establish connections to ACS

b. ACL limiting access to ACS:

access-list outside permit tcp host range 2002 5000

access-list outside permit tcp 172.x.x.0 255.255.255.0 host 10.10.10.10 range 2002 5000

Good luck.

Rgds,

AK

Community Member

Re: ACS 4.0 behind a Firewall

What about a VPN? Then you could avoid opening any ports, etc...

Silver

Re: ACS 4.0 behind a Firewall

Hi

If you look at the "Access Policy" page under "Admin Control" you'll notice you can change the default port range from 2004..20050 to whatever values you choose.

...but don't go below 2004, as ACS will stop working!

Darran
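The two practical steps in this thread are (1) find out which ports the admin sessions actually use before opening a range, and (2) once the range is pinned down under Admin Control > Access Policy, open exactly that range on the firewall, with a connection limit and a source restriction as in AK's static/ACL example. The following Python script is an added example, not code from Cisco or from anyone in this thread. It parses firewall "Built inbound TCP connection" log lines (constructed sample lines, with made-up addresses and connection ids; 192.168.1.10 / 10.10.10.10 are the inside and global addresses from AK's static example), reports which ACS destination ports were seen and from where, flags any port that a proposed "eq 2002 plus range lo-hi" rule set would block, and renders the PIX-style static and access-list lines for the tightened range, refusing a range that starts below 2004 (Darran's warning). The 302013 message layout and the `netmask 255.255.255.255` form of the static command are taken from PIX 6.x; check them against your own firewall's syntax.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample firewall log lines in the PIX/ASA 302013 "Built inbound TCP
# connection" format. Addresses, ports and connection ids are made up for this example.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1011 for outside:172.16.1.5/40021 (172.16.1.5/40021) to inside:192.168.1.10/2002 (10.10.10.10/2002)
%PIX-6-302013: Built inbound TCP connection 1012 for outside:172.16.1.5/40022 (172.16.1.5/40022) to inside:192.168.1.10/2031 (10.10.10.10/2031)
%PIX-6-302013: Built inbound TCP connection 1013 for outside:172.16.1.5/40023 (172.16.1.5/40023) to inside:192.168.1.10/1824 (10.10.10.10/1824)
%PIX-6-302013: Built inbound TCP connection 1014 for outside:172.16.1.9/51000 (172.16.1.9/51000) to inside:192.168.1.10/2002 (10.10.10.10/2002)
%PIX-6-302013: Built inbound TCP connection 1015 for outside:172.16.1.9/51001 (172.16.1.9/51001) to inside:192.168.1.10/20049 (10.10.10.10/20049)
%PIX-6-302013: Built inbound TCP connection 1016 for outside:172.16.1.9/51002 (172.16.1.9/51002) to inside:192.168.1.20/22 (10.10.10.20/22)
"""

# Captures source address, destination (inside) address and destination port.
CONN_RE = re.compile(
    r"Built inbound TCP connection \d+ for \S+?:(?P<src>[\d.]+)/\d+ "
    r"\(\S+\) to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

ACS_LOGIN_PORT = 2002              # fixed initial admin port (from the thread)
ACS_MIN_SECONDARY = 2004           # lowest usable start of the Access Policy range (Darran's post)
ACS_DEFAULT_RANGE = (2004, 20050)  # default range shown under Admin Control > Access Policy


def observed_acs_ports(log_lines: Iterable[str], acs_inside_ip: str) -> Dict[int, Set[str]]:
    """Return {destination port: {source addresses}} for connections built to the ACS host."""
    seen: Dict[int, Set[str]] = {}
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m or m.group("dst") != acs_inside_ip:
            continue  # not a connection to the ACS server
        seen.setdefault(int(m.group("dport")), set()).add(m.group("src"))
    return seen


def uncovered_ports(ports: Iterable[int], lo: int, hi: int) -> List[int]:
    """Observed ACS ports that a rule set of 'eq 2002' plus 'range lo hi' would block.

    Anything listed here is either an admin session outside the configured range
    (check the Access Policy setting) or traffic that is not ACS admin at all.
    """
    return sorted(p for p in set(ports) if p != ACS_LOGIN_PORT and not lo <= p <= hi)


def render_pix_rules(acs_global_ip: str, acs_inside_ip: str, admin_net: str, admin_mask: str,
                     lo: int, hi: int, max_conns: int, emb_limit: int) -> List[str]:
    """Static translation with connection limits plus a source-restricted ACL for the ACS range.

    The range lo-hi must match what is configured on the ACS Access Policy page.
    """
    if lo < ACS_MIN_SECONDARY:
        raise ValueError(f"ACS secondary port range must start at {ACS_MIN_SECONDARY} or above, got {lo}")
    if hi < lo or hi > 65535:
        raise ValueError(f"invalid port range {lo}-{hi}")
    if max_conns < 1 or emb_limit < 0:
        raise ValueError("max_conns must be >= 1 and emb_limit >= 0")
    return [
        f"static (inside,outside) {acs_global_ip} {acs_inside_ip} netmask 255.255.255.255 {max_conns} {emb_limit}",
        f"access-list outside permit tcp {admin_net} {admin_mask} host {acs_global_ip} eq {ACS_LOGIN_PORT}",
        f"access-list outside permit tcp {admin_net} {admin_mask} host {acs_global_ip} range {lo} {hi}",
        "access-group outside in interface outside",
    ]


if __name__ == "__main__":
    ports = observed_acs_ports(SAMPLE_LOG.splitlines(), "192.168.1.10")
    print("observed ACS admin ports:", {p: sorted(s) for p, s in sorted(ports.items())})
    lo, hi = ACS_DEFAULT_RANGE
    print(f"blocked by 'eq 2002' + 'range {lo} {hi}':", uncovered_ports(ports, lo, hi))
    # Tightened range 2004-2100: set the same values on the ACS Access Policy page first.
    for rule in render_pix_rules("10.10.10.10", "192.168.1.10", "172.16.1.0", "255.255.255.0", 2004, 2100, 10, 20):
        print(rule)
```

Run it against a day or two of real firewall logs (replace SAMPLE_LOG with the file contents) before cutting the range down; the port 1824 session in the sample is the kind of entry that should be explained before it is simply added to the allowed range. Keep max_conns close to the number of concurrent admin sessions you expect, as AK suggests, so the wide TCP range does not turn into a large connection budget for anyone who can reach the global address.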

Community Member

Re: ACS 4.0 behind a Firewall

Hi Darran, that was a good tip. That fixed my problem.

Now I have the same issue with LMS... Is there a way to fix this in LMS as well? :-)
