Cisco Support Community

Custom Inspection rule for ASA

Hi Guys,


I am running two ASAs at two different sites, with versions 8.4(5) and 8.2(3).

I have inside users with client software having issues connecting to a third-party site, which runs a specific application that requires some ports to be open for their application to work correctly.

I was told by the third-party vendor: "If you are connecting from a personal computer that is behind a corporate firewall, the following ports should be opened:"

  • TCP Port 443 Secure Web Access to their Portal Application Server
  • TCP Port 17992 EMCP protocol Client Connection to their Portal Application Server
  • TCP Port 17990 SCIP protocol Client Connection to their Personal Videoconferencing Router
  • UDP 50,000-53,000 RTP/SRTP media - Inbound/outbound Media feeds to participants.
  • The ports have to be opened in both directions to the remote-server IP address range /24.



I guess I have to create a class map and an ACL and inspect them under the "policy-map global_policy".

Does anyone know the full syntax for what needs to be created as per the above bullet-point requirements?


Thanks in advance.

Rizwan Rafeek.



Hi Rizwan,


I believe ACL and NAT alone will be enough for this requirement. If needed you can have QoS for the specified traffic.


Sample config:


! Service group for the three TCP ports the vendor listed
object-group service <Name> tcp
 port-object eq 443
 port-object eq 17992
 port-object eq 17990

! ACL bound to your inside interface (outbound traffic from the LAN to the vendor /24)
access-list <outbound> extended permit tcp <LAN subnet> <mask> <remote server /24> 255.255.255.0 object-group <Name>
access-list <outbound> extended permit udp <LAN subnet> <mask> <remote server /24> 255.255.255.0 range 50000 53000
access-group <outbound> in interface inside

! ACL bound to your outside interface (inbound, vendor-initiated traffic)
! Source is the vendor range, destination is your LAN. On 8.3+ the destination is the
! real LAN address; on 8.2 it is the NAT-translated (global) address.
access-list <inbound> extended permit tcp <remote server /24> 255.255.255.0 <LAN subnet> <mask> object-group <Name>
access-list <inbound> extended permit udp <remote server /24> 255.255.255.0 <LAN subnet> <mask> range 50000 53000
access-group <inbound> in interface outside

Hope this helps





Hi Karthik,


Thank you for taking the time to respond to this thread.

There is a dynamic NAT already in place for internal users to access the Internet, therefore there is no permit line required on the outside interface in any direction for that matter. This solution has been based on correctly inspecting the traffic via the global policy.







Hi Rizwan,


I agree with you. But video conferencing and some other apps will require traffic to be allowed in both directions, because the traffic can be initiated from both ends.

If you want inspection to happen for this specific requirement from the customer, then you can have an access-list, map it to a class-map, and then map that class-map to the policy-map.
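To make the two replies above concrete, here is a complete ASA configuration for the vendor's port list. It is an added example written for this thread, not config posted by either participant. It uses ASA 8.3+/8.4(5) NAT and ACL syntax and assumes placeholder values: 192.168.10.0/24 is the inside LAN, 203.0.113.0/24 is the vendor's remote-server range, 198.51.100.50 is a spare public IP, 192.168.10.50 is one client PC, and the interfaces are named inside and outside. All object, ACL and class names are made up for the example.

```cisco
! Added example, not from the thread. All addresses are RFC 5737 placeholders.
object network LAN_NET
 subnet 192.168.10.0 255.255.255.0
object network VENDOR_NET
 subnet 203.0.113.0 255.255.255.0

! The vendor's three TCP ports and the RTP/SRTP media range
object-group service VENDOR_TCP tcp
 port-object eq 443
 port-object eq 17992
 port-object eq 17990
object-group service VENDOR_MEDIA udp
 port-object range 50000 53000

! Outbound: inside clients may reach only the vendor /24 on only the listed ports.
! These flows ride the existing dynamic PAT, so no extra NAT is needed for them.
access-list INSIDE_IN extended permit tcp object LAN_NET object VENDOR_NET object-group VENDOR_TCP
access-list INSIDE_IN extended permit udp object LAN_NET object VENDOR_NET object-group VENDOR_MEDIA
access-group INSIDE_IN in interface inside

! Inbound: only the vendor /24 may initiate RTP/SRTP towards the clients.
! Dynamic PAT cannot deliver unsolicited inbound UDP, so each client that must
! receive vendor-initiated media needs a static (1:1) NAT. One client shown here.
object network CLIENT_PC1
 host 192.168.10.50
 nat (inside,outside) static 198.51.100.50
! On 8.3+ the ACL references the real (untranslated) LAN address.
access-list OUTSIDE_IN extended permit udp object VENDOR_NET object LAN_NET object-group VENDOR_MEDIA
access-group OUTSIDE_IN in interface outside

! Optional MPF piece: classify the media flows under global_policy. No built-in ASA
! inspect engine exists for EMCP/SCIP, so the class carries connection settings
! (here a longer UDP idle timeout for long calls) rather than an "inspect" action.
access-list VENDOR_MEDIA_ACL extended permit udp object LAN_NET object VENDOR_NET object-group VENDOR_MEDIA
access-list VENDOR_MEDIA_ACL extended permit udp object VENDOR_NET object LAN_NET object-group VENDOR_MEDIA
class-map VENDOR_MEDIA_CLASS
 match access-list VENDOR_MEDIA_ACL
policy-map global_policy
 class VENDOR_MEDIA_CLASS
  set connection timeout idle 0:30:00
```

Two caveats for the 8.2(3) box: it uses the pre-8.3 NAT syntax (`static (inside,outside) 198.51.100.50 192.168.10.50 netmask 255.255.255.255` instead of the `object network` NAT above), and ACLs applied to the outside interface there match on the translated (global) address, so OUTSIDE_IN would name 198.51.100.50 rather than the LAN object. In both versions, keep the inbound rule scoped to the vendor /24 and the 50000-53000 range; a `permit udp any` inbound to the clients would expose every UDP service on those hosts.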



