Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Ports showing open on ASA appliance

I have several ports showing open on our ASA appliance when scanned by NMAP on the outside interface. However these ports are not configured open in the ACL that faces outside guarding against inbound traffic.

The ports are 988, 993.

Has anyone seen this behavior before?

I tried putting up deny any any 988 and it still scans showing them open...

Thanks

2 REPLIES
Silver

Re: Ports showing open on ASA appliance

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you must assign your most secure network, such as the inside host network, to level 100. While the outside network that is connected to the Internet can be level 0, other networks, such as DMZs, can be positioned in between. You can assign multiple interfaces to the same security level.

By default, all ports are blocked on the outside interface (security level 0), and all ports are open on the inside interface (security level 100) of the security appliance. In this way, all outbound traffic can pass through the security appliance without any configuration, but inbound traffic can be allowed by the configuration of the access list and static commands in the security appliance.

Note: In general, all ports are blocked from the Lower Security Zone to the Higher Security Zone, and all ports are open from the Higher Security Zone to the Lower Security Zone providing that the stateful inspection is enabled for both inbound and outbound traffic.

Community Member

Re: Ports showing open on ASA appliance

hi

could be becoz of following reason.

E-mail proxies extend remote e-mail capability to WebVPN users. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol.

The e-mail proxy protocols are as follows:

POP3S

POP3S is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the POP3 protocol starts, and then authentication occurs. POP3S is for receiving e-mail.

IMAP4S

IMAP4S is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the IMAP4 protocol starts, and then authentication occurs. IMAP4S is for receiving e-mail.

SMTPS

SMTPS is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel establishes, the SMTPS protocol starts, and then authentication occurs. SMTPS is for sending e-mail.

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_emai.html#wp1176567

HTH

171
Views
0
Helpful
2
Replies
CreatePlease to create content