Cisco Support Community
Community Member

ASA 5505 Port Blocking Question

I have an ASA 5505 running 8.4.

I am only letting ICMP traffic in from the outside.

As a test, I opened a couple of ports I need on the ASA.

I cannot access these ports and I do not get a denied error in the log.

I contacted the ISP and they are not blocking these ports.

I ran an online port scanner to check ports 1-100 as a test.  They all came up as blocked on the port scanner.  The only deny error I got on the ASA was for port 80.

Is this normal behavior?  If so, how do I get it to show all of the deny errors so I know the traffic is at least hitting the firewall?

Cisco Employee

ASA 5505 Port Blocking Question

Can you please share your config?

Super Bronze

Re: ASA 5505 Port Blocking Question


Well, one very common thing for me personally when starting with ASA software 8.3 and forward was that I was still using the NAT IP address in the access-list configurations instead of the local IP.

Though if this was the problem in your case you should see Deny log messages.

The easiest way to confirm whether the connections are coming to the ASA is to open the graphical GUI, ASDM, and check the real-time monitor there (using a filter if needed). The ASDM logging level needs to be at least "Informational" for the connection build and teardown messages to show.

The deny messages in the log should show at least with the "Notifications" logging level. But they naturally also show with the above-mentioned "Informational" level too.

Though as Jennifer said, seeing your configuration would be the easiest way for us to determine what the problem is.

Here's a simple example (with made-up IP addresses) of a situation where you have a static NAT for a LAN device and you want to open HTTP from the Internet:

object network STATIC-WEBSERVER
 description Web-server
 nat (inside,outside) static dns

access-list OUTSIDE-IN remark Open port TCP/80 for Web-server
access-list OUTSIDE-IN permit tcp any object STATIC-WEBSERVER eq www

access-list OUTSIDE-IN remark Open port TCP/80 for Web-server
access-list OUTSIDE-IN permit tcp any host eq www

access-group OUTSIDE-IN in interface outside

- Jouni
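The reply above hinges on two things: which ASA syslog messages prove that a packet reached the outside interface, and which logging level is needed before each of them is visible. The script below is an added example (not from the original thread and not Cisco code) that parses a handful of constructed ASA syslog lines, reports which ones a given `logging asdm` / `logging buffered` level would actually display, and summarises per destination port whether the firewall built a connection, denied it by ACL, or dropped it as "no connection". The message IDs and their default severities (106023 at 4, 302013/302014/106015 at 6) are the stock ASA values; the IP addresses, ports and interface names in the sample lines are made up.

```python
import re
from collections import defaultdict

# ASA logging levels, as used by "logging asdm <level>" / "logging buffered <level>".
LEVELS = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
          4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: num for num, name in LEVELS.items()}

# Every ASA syslog message carries "%ASA-<severity>-<message-id>:" in front of the body.
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")

# 106023 (severity 4): packet denied by an interface ACL. Post-8.3 the dst is the real (un-NATed) IP.
DENY_ACL = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 302013 (severity 6): a connection was built, i.e. the ACL permitted it and NAT matched.
BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)")
# 106015 (severity 6): TCP segment with no matching connection (typically a non-SYN, or no NAT/route).
NOCONN = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)")

# Constructed sample log; the addresses are documentation ranges, not a real deployment.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.10.10.10/80 by access-group "OUTSIDE-IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 98765 for outside:203.0.113.5/51235 (203.0.113.5/51235) to inside:10.10.10.10/22 (198.51.100.10/22)
%ASA-6-302014: Teardown TCP connection 98765 for outside:203.0.113.5/51235 to inside:10.10.10.10/22 duration 0:00:05 bytes 1234 TCP FINs
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/51236 to 198.51.100.10/25 flags SYN on interface outside
""".splitlines()


def parse(line):
    """Return a dict describing one syslog line, or None if it is not an ASA message."""
    m = HEADER.search(line)
    if not m:
        return None
    event = {"severity": int(m["sev"]), "id": m["id"], "kind": "other", "raw": line}
    for kind, rx in (("acl-deny", DENY_ACL), ("built", BUILT), ("deny-noconn", NOCONN)):
        mm = rx.search(m["body"])
        if mm:
            event["kind"] = kind
            event.update(mm.groupdict())
            event["dport"] = int(event["dport"])
            break
    return event


def parse_lines(lines):
    return [e for e in (parse(l) for l in lines) if e is not None]


def visible_at(events, level_name):
    """Events that a 'logging ... <level_name>' setting would actually display.

    A message is shown when its severity number is <= the configured level number,
    so 106023 (4) appears at "warnings" and above, while 302013 (6) needs "informational".
    """
    ceiling = LEVEL_BY_NAME[level_name]
    return [e for e in events if e["severity"] <= ceiling]


def ports_seen(events):
    """Per destination port, how the ASA handled traffic that reached it."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] in ("acl-deny", "built", "deny-noconn"):
            seen[e["dport"]].add(e["kind"])
    return dict(seen)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    for level in ("notifications", "informational"):
        ids = [e["id"] for e in visible_at(events, level)]
        print(f"logging level {level}: {ids}")
    print("ports that reached the firewall:", ports_seen(events))
```

Run against the sample, only the 106023 ACL deny is visible at "notifications"; the connection build/teardown and the "no connection" deny appear once the level is "informational", which is why a port that is being dropped for a reason other than the interface ACL can look silent at a lower level. On the box itself the equivalent is `logging enable` plus `logging asdm informational` (or `logging buffered informational` and `show logging`), with the understanding that a default severity can be changed with `logging message <id> level <level>`.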
