Cisco Support Community
Community Member

Opening ports on ASA 5520

I need to open ports 4480 and 4481 in preparation for PARCC testing in our district. How would I create this rule to allow traffic to/from any IP address on the inside interface?

Super Bronze


First thing we would need to know is if the connections for ports 4480 and 4481 are TCP or UDP or both? We would also need to know which host/server opens/forms these connections? Are the connections opened from your LAN or from the WAN?

When the ASA allows a connection it will naturally allow any return traffic for this connection. This means when you have allowed the original opening direction of this connection then the return traffic back to the original connecting host will be allowed by the firewall.

If your LAN host opens the connection then I would imagine that this traffic is already allowed since in most environments most traffic outbound is usually allowed.

If these connections are formed from the WAN then first you would naturally need a NAT configuration for the host to which they are connecting. Each host that is connected to from the external network needs its own NAT configuration or this connectivity is not possible.

On the ASA there is a command called "packet-tracer" that will let you test different types of packets entering the ASA on a certain interface. This will tell you if it will be allowed or blocked by something.

If you for example have an interface called "inside" and there you have a host with IP address that is trying to form a connection to an external host with the IP address with the destination port TCP/4480 then you could test that with the command

packet-tracer input inside tcp 12345 4480

But as I said above, we need some clarifications on the actual situation and requirements to determine what is needed for the connections to work.

We might have to take a look at the current configurations also.

- Jouni
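
Added example, not part of the reply above and not Cisco's own tooling: a short Python helper that reads a packet-tracer result and reports the final action and the first phase that did not allow the flow. The sample output is constructed and abridged, and the two addresses in its comment are documentation-range placeholders rather than values from this thread.

```python
import re

# Constructed, abridged sample in the shape of ASA output for
#   packet-tracer input inside tcp 192.0.2.10 12345 198.51.100.20 4480
# (both addresses are documentation-range placeholders, not from the thread).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize(trace):
    """Return per-phase verdicts, the final action and the first blocking phase."""
    phases = [
        {"phase": int(num), "type": ptype, "result": result}
        for num, ptype, result in re.findall(
            r"^Phase:\s*(\d+)\s*\nType:\s*(\S+).*?^Result:\s*(\w+)",
            trace, flags=re.M | re.S)
    ]
    action = re.search(r"^Action:\s*(\w+)", trace, flags=re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", trace, flags=re.M)
    # The first phase whose result is not ALLOW is where the flow was stopped.
    blocked = next((p for p in phases if p["result"] != "ALLOW"), None)
    return {
        "phases": phases,
        "action": action.group(1).lower() if action else "unknown",
        "drop_reason": reason.group(1).strip() if reason else None,
        "blocked_by": blocked,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An ACCESS-LIST phase with an "Implicit Rule" drop, as in this sample, means no configured rule permitted the flow, so the place to look is the ACL applied to the input interface.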
