I have a Cisco ASA with VPN tunnels that connect to my internal Windows network. I ran into some trouble logging into my domain, so I unblocked all the ports on that internal interface. On a previous question posted here, the general consensus was that I should be blocking ports on my inside interface, but my question is: what ports should I unblock? I've tried unblocking ports 88, 139, 135, 389, and 445, and Windows logins still give me problems. Is there some MS documentation somewhere that tells me what I need to unblock to allow Windows logins and other things?
3 Answers
Set your ASA to log DENYs, and then check your logs. That should give you a very clear indication of what boxes are trying to talk to what destinations. From there, you can determine if the activity looks legitimate and reasonable, and if so, you can add a line to permit the traffic.
Continue with this process until everything works properly.
(There may be a Windows document somewhere that does provide the information you're looking for, but I don't know what it is offhand. The above described process is what I typically follow when I know an application needs some sort of network access, but I don't know what ports are required.)
Rules are added to rulesets, and rulesets are applied to the interface on which the traffic will ingress. So if you're on the inside, then the traffic originating from your machine will ingress on the "inside" interface and need to traverse elsewhere.
A rule in that ruleset allowing LDAP might look something like this:
access-list INSIDEACL permit tcp object-group INSIDE-NETWORKS object-group VPN-NETWORKS eq ldap
Here's a really loose version of the same rule:
access-list INSIDEACL permit tcp any any eq ldap
And some syntax for you:
access-list *accesslistname* *action* *protocol* *source* *destination* *port*
Objects and object groups are used to make your configuration easier to work with. Remember, rules are matched top down with an implicit deny at the bottom!
- Boy am I terrible at the text editor... I think you get the idea. – SpacemanSpiff Dec 28 '10 at 22:35
- I fixed your formatting for you. For reference, the backtick (`) is very useful for one-line code snippets like yours. – Ben Pilbrow Dec 28 '10 at 23:08
Like Christopher Cashell says, you need to log the traffic to know what is required by all your systems. Given that your business may not accept a DENY rule that blocks all traffic while you figure out what is required, you could set a PERMIT rule instead, log what is permitted, and analyse that. You can then use that to set up more specific PERMIT rules and then switch on the DENY as the last rule for that interface. That way you are only allowing the traffic you permitted.
Microsoft documentation should give you the ports their systems need, but you're going to have to hunt them down for each application you are using.
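The three answers describe one workflow: log what the ASA denies (or, with a temporary permit-and-log rule, what it permits), work out which flows are legitimate, then write specific permit lines with object groups ahead of the final deny. The script below is an added example, not code from any of the posters: it parses the two ASA syslog messages involved, %ASA-4-106023 for ACL denies and %ASA-6-106100 for hits on an ACE that carries the `log` keyword, groups the flows by destination port, and prints candidate `access-list` lines in the object-group form SpacemanSpiff showed. The table of Active Directory ports is general knowledge rather than something from the thread, the log lines, hosts, ACL name and object-group names are constructed, and anything that is not a well-known domain port is listed for review instead of being permitted automatically.

```python
"""Summarise Cisco ASA ACL syslog lines and propose permit ACEs.
Added example, not from the original thread: hosts, names and log lines
are constructed; message layouts follow ASA syslog IDs 106023 and 106100."""
import re
from collections import defaultdict

# %ASA-4-106023: packet dropped by an ACL. The tcp/udp form carries ports;
# icmp lines carry type/code instead and are deliberately not matched here.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-106100: hit on an ACE configured with `log`; this is how a broad
# permit rule can be audited before it is replaced by specific ones.
LOGGED_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<sif>[\w-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[\w-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Ports a domain member normally needs to reach a domain controller
# (general knowledge, not from the post). Dynamic RPC is a range, so it
# is handled separately from this single-port table.
AD_PORTS = {
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("udp", 88): "kerberos", ("tcp", 88): "kerberos",
    ("udp", 123): "ntp", ("tcp", 135): "rpc-endpoint-mapper",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm", ("tcp", 139): "netbios-ssn",
    ("udp", 389): "ldap", ("tcp", 389): "ldap", ("tcp", 445): "smb",
    ("udp", 464): "kpasswd", ("tcp", 464): "kpasswd", ("tcp", 636): "ldaps",
    ("tcp", 3268): "global-catalog", ("tcp", 3269): "global-catalog-ssl",
}
RPC_DYNAMIC = range(49152, 65536)


def parse_line(line):
    """Return a dict for one ACL event, or None if the line is not one."""
    m = DENY_RE.search(line)
    if m:
        return dict(m.groupdict(), verdict="denied")
    m = LOGGED_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group events by (proto, dport): who talked to whom, how often, with what verdict."""
    flows = defaultdict(lambda: {"hits": 0, "sources": set(), "destinations": set(), "verdicts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = flows[(ev["proto"], int(ev["dport"]))]
        f["hits"] += 1
        f["sources"].add(ev["src"])
        f["destinations"].add(ev["dst"])
        f["verdicts"].add(ev["verdict"])
    return dict(flows)


def classify(proto, dport):
    """Name the AD service behind a port, 'rpc-dynamic' for the range, else None."""
    if (proto, dport) in AD_PORTS:
        return AD_PORTS[(proto, dport)]
    if proto == "tcp" and dport in RPC_DYNAMIC:
        return "rpc-dynamic"
    return None


def suggest_aces(flows, acl="INSIDEACL", src="object-group INSIDE-NETWORKS", dst="object-group VPN-NETWORKS"):
    """Known AD ports become permit ACEs (numeric ports, so nothing depends on the
    ASA's port-name table); the RPC range is emitted once; anything else is
    returned for manual review rather than permitted."""
    permits, review, rpc_seen = [], [], False
    for proto, dport in sorted(flows):
        service = classify(proto, dport)
        if service == "rpc-dynamic":
            rpc_seen = True
        elif service:
            permits.append(f"access-list {acl} extended permit {proto} {src} {dst} eq {dport}")
        else:
            f = flows[(proto, dport)]
            review.append((proto, dport, sorted(f["sources"]), sorted(f["destinations"])))
    if rpc_seen:
        permits.append(f"access-list {acl} extended permit tcp {src} {dst} range 49152 65535")
    return permits, review


# Constructed sample log: a client being blocked from its DC, one logged permit,
# one unexplained flow to another host, and an icmp deny that is skipped.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.1.1.5/49152 dst outside:10.2.2.10/389 by access-group "INSIDEACL" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.1.1.5/55001 dst outside:10.2.2.10/88 by access-group "INSIDEACL" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.5/49153 dst outside:10.2.2.10/445 by access-group "INSIDEACL" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.7/49200 dst outside:10.2.2.10/49670 by access-group "INSIDEACL" [0x0, 0x0]
%ASA-6-106100: access-list INSIDEACL permitted tcp inside/10.1.1.5(49154) -> outside/10.2.2.10(135) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list INSIDEACL permitted tcp inside/10.1.1.9(50100) -> outside/10.2.2.20(8080) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-4-106023: Deny icmp src inside:10.1.1.5 dst outside:10.2.2.10 (type 8, code 0) by access-group "INSIDEACL" [0x0, 0x0]
""".splitlines()

if __name__ == "__main__":
    flows = summarize(SAMPLE_LOG)
    for (proto, dport), f in sorted(flows.items()):
        print(f"{proto}/{dport:<5} hits={f['hits']} {sorted(f['sources'])} -> {sorted(f['destinations'])} {sorted(f['verdicts'])}")
    permits, review = suggest_aces(flows)
    print("\n".join(permits))
    for proto, dport, srcs, dsts in review:
        print(f"! review before permitting: {proto}/{dport} {srcs} -> {dsts}")
```

Two things to keep in mind when feeding it real logs: 106023 is a level-4 (warnings) message and 106100 is level-6 (informational), so the logging level sent to your syslog host has to include both, and 106100 only appears for ACEs that have `log` on them, which is what the permit-and-log approach in the last answer relies on. The review list is where an unexpected port such as the 8080 flow in the sample ends up; the point of the exercise is that such flows get looked at, not that the firewall learns to permit whatever it sees.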