Cisco Support Community

New Member

TCP 402 blocked by ASA firewall

Hi,

We use Altiris between two VPN sites protected by a Cisco PIX (8.0) and an ASA (8.0).

Altiris communicates some multicast traffic on tcp port 402, but this traffic get blocked by the firewalls with this message:

%pix-6-106015: deny tcp (no connection) from x.x.x.x/4597 to x.x.x.x/402 flags psh ack on interface inside

I've looked through the IP audit signatures and the service policy rules, but the port 402 does not appear anywhere.

Does anyone have a clue?

Thanks in advance,

Rasmus
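The message quoted above is the firewall's "no connection" drop, which is logged when a TCP segment without a SYN flag arrives and matches no entry in the connection table; it is not an access-list decision, so permitting the port does not change it. The following parser is an added example, not code from the original poster or from Cisco: it pulls the fields out of 106015 lines, classifies each drop by its TCP flags, and counts drops per destination port and interface so that a repeatedly affected service such as tcp/402 stands out. The sample log lines and addresses are constructed placeholders, and the classification labels are this example's own wording.

```python
"""Parse Cisco PIX/ASA 106015 'Deny TCP (no connection)' syslog messages.

106015 is logged when the firewall receives a TCP segment with no SYN flag
that matches no entry in its connection table, so it is a state-table drop,
not an ACL decision. Grouping these events by destination port and interface
shows whether one service (here tcp/402) is repeatedly affected, which points
at an asymmetric path or an idle-timeout expiry rather than a missing permit.
"""
import re
from collections import Counter

# Constructed sample log lines; addresses are placeholders. The first mirrors
# the message quoted in the thread, the last is an unrelated message included
# to show that the parser ignores it.
SAMPLE_LOGS = [
    "%pix-6-106015: deny tcp (no connection) from 10.1.1.20/4597 to 10.2.2.50/402 "
    "flags psh ack on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.1.1.21/51000 to 10.2.2.50/402 "
    "flags ACK on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.2.2.50/402 to 10.1.1.20/4597 "
    "flags FIN ACK on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for inside:10.1.1.20/4600 "
    "(10.1.1.20/4600) to outside:10.2.2.50/402 (10.2.2.50/402)",
]

MSG_106015 = re.compile(
    r"%(?:PIX|ASA|FWSM)-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Za-z ]+?) on interface (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_106015(line):
    """Return a dict of the message fields, or None if the line is not a 106015."""
    m = MSG_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # Normalise the flag list so "psh ack" and "PSH ACK" compare equal.
    rec["flags"] = frozenset(rec["flags"].upper().split())
    return rec


def classify(flags):
    """Describe what kind of out-of-state segment was dropped (labels are this example's own)."""
    if "SYN" in flags:
        return "syn-present (unexpected for 106015)"
    if flags & {"FIN", "RST"}:
        return "teardown for a connection the firewall no longer tracks"
    if "ACK" in flags:
        return "mid-stream segment with no connection entry"
    return "unknown flag combination"


def summarize(lines):
    """Count 106015 drops per (destination port, interface) and classify each event."""
    by_port_iface = Counter()
    events = []
    for line in lines:
        rec = parse_106015(line)
        if rec is None:
            continue
        rec["kind"] = classify(rec["flags"])
        events.append(rec)
        by_port_iface[(rec["dport"], rec["iface"])] += 1
    return by_port_iface, events


if __name__ == "__main__":
    counts, evts = summarize(SAMPLE_LOGS)
    for (port, iface), n in counts.most_common():
        print(f"tcp/{port} on {iface}: {n} drop(s)")
    for e in evts:
        print(f"  {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"[{' '.join(sorted(e['flags']))}] {e['kind']}")
```

Run against a syslog export from the PIX or ASA to see whether the 402 drops are all mid-stream data (PSH ACK with no SYN ever seen by this firewall) or teardown segments for sessions the firewall has already aged out; the two point at different causes, a path the SYN did not traverse versus an idle timeout shorter than the application's quiet periods.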

8 REPLIES
New Member

Re: TCP 402 blocked by ASA firewall

I should mention that the whole IP stack has been allowed both ways through this connection. Somehow this port (recognized as "genie" but used by Altiris multicast) is blocked on the way.

New Member

Re: TCP 402 blocked by ASA firewall

Hi,

You could write an access-list to specifically allow communication on port 402. The example below allows hosts to communicate via port 402:

access-list outside_access_in permit tcp any host 217.x.x.115 eq 402

ip address outside 217.x.x.115 255.255.255.248

static (inside,outside) 217.x.x.115 192.168.1.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

If you could post your config too, I can take a look to see if anything else is missing.

Please rate this post if it helps.

New Member

Re: TCP 402 blocked by ASA firewall

But when the access list already in place permits ip any any (roughly), would that make a difference at all?

I'll get back to you with an edited edition of the config.

Thanks for your reply.

New Member

Re: TCP 402 blocked by ASA firewall

Have you looked at your inspect statements? I would take out the global_policy for a test.

Jake

New Member

Re: TCP 402 blocked by ASA firewall

Is it just the multicast traffic that is getting blocked? You might have to have the ASA route the multicast traffic.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/multicst.html#wp1062430

--Gavin Budd

New Member

Re: TCP 402 blocked by ASA firewall

I tried specifically adding rules to allow port 402 (though the whole IP stack has been permitted), and there was no difference.

I have now enabled multicast routing, so let's see if that changes anything. I will get back to you :)

Thanks for all your answers,

Rasmus

New Member

Re: TCP 402 blocked by ASA firewall

Tried enabling multicast routing but it makes no difference :(

Any last suggestion? I'm going out of my mind - there's nothing about tcp port 402 in the security policies (deep inspection) and still this port gets blocked.

Thanks in advance,

Rasmus

New Member

Re: TCP 402 blocked by ASA firewall

Please try to capture data with a sniffer, then bypass the ASA and capture again, and analyse the differences between the two.
