Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using tcp port 0?

12 years as a firewall guy... and this is a first for me.

I have a request to allow firewall access to an app that apparently uses tcp port 0.  I thought it didn't exist... but good-ol' google proved that wrong.  I did find this comment:  " Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications. "

Just out of curiosity, anyone implemented an acl using port 0 before?  Any issues on the ASA side?



Cisco Employee

Using tcp port 0?

Dear Mike,

You are right. As per IANA port numbers assignment, this is a TCP port is a reserved port.

Moreover, the ACL command does not permit you to define a port of 0 .

Here's a test from my lab ASA:

HTTS-R1-ASA5510-01(config)# $ host eq 1 host eq ?

configure mode commands/options:
  <1-65535>        Enter port number (1 - 65535)

HTTS-R1-ASA5510-01(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.2(3)

I also see that a syslog message is generated in this regard:

Error Message %ASA-4-500004: Invalid transport field for protocol=protocol,

from source_address/source_port to dest_address/dest_port

Explanation This message appears when there is an invalid transport number,
in which the source or destination port number for a protocol is zero.

The protocol value is 6 for TCP and 17 for UDP and therefore a tcp or udp
packet with source or destination port 0 is a malformed request.

Recommended Action If these messages persist, contact the administrator of
the peer.

So port 0 definitely looks like a very unusual thing.

Cisco Employee

Using tcp port 0?

Just wanted to append the outputs on FWSM as well where the same limitiation exists:

VL-QN-FW002/test-ne(config)# $rmit tcp host eq ?

configure mode commands/options:

  <1-65535>        Enter port number (1 - 65535)

VL-QN-FW002(config)# show ver | inc 4.0

FWSM Firewall Version 4.0(15)

The FWSM system log message ID is the same agian (500004).

This syslog message would be generated when port 0 destined traffic is already allowed through the firewall (not within an acl permitting port 0 of course but a more generic acl that does not contain the port number and permits in general ip/tcp traffic).