Cannot Connect to TCP Port 2000 (Even over VPN)


KB ID 0000027 Dtd 26/03/09


Note: When going through a Cisco Firewall.

Even with every port open, you cannot connect to an application or website that uses TCP port 2000. Although TCP port 2000 is above the "well known" range (i.e. above 1024), a Cisco firewall treats it as SCCP (Skinny Client Control Protocol), a Cisco voice / phone protocol, and its skinny inspection engine inspects whatever arrives on that port. If you push web traffic through it, the firewall gets upset and the connection fails.


Option 1 (Via Command Line)

So first, look in your running config for the lines marked with arrows below (shown in red in the original).

{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
policy-map global_policy <--------
class inspection_default <--------
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny <--------
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect esmtp
{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}

To remove the skinny inspection via the command line, then save the change (write mem is the CLI equivalent of step 3 in Option 2):

CiscoASA# conf t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect skinny
CiscoASA(config-pmap-c)# end
CiscoASA# write mem

Pete's Technical Ninja tip: "show run policy-map" will show you just the policy-map section without scrolling through the whole config.
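A quick way to confirm what the change above does, before and after you make it, is to audit the "show run policy-map" output rather than eyeballing it. The script below is an added example written for this article; it is not Cisco's code or part of the original post. It parses the one-space-per-level nesting that the ASA uses in its running config (policy-map / class / inspect), reports whether "inspect skinny" is active in the inspection_default class of global_policy, and shows what the config looks like once "no inspect skinny" has been applied. The SAMPLE_CONFIG is a constructed excerpt modelled on the policy-map shown above, not a real device's config. One caveat worth checking first: if Cisco IP phones register through this firewall, they rely on that same skinny inspection, so removing it fixes port 2000 for web traffic at their expense.

```python
import re

# Constructed sample of an ASA running-config excerpt, modelled on the
# policy-map shown in this article (not copied from a real device).
# ASA indents nested blocks by one space per level.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
!
service-policy global_policy global
"""


def _walk(config_text):
    """Yield (policy_map, class_name, stripped_line, raw_line) per line.

    policy_map / class_name are None while outside a policy-map or class block.
    """
    current_map = None
    current_class = None
    for raw in config_text.splitlines():
        text = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # Any top-level line ends the current policy-map block.
            current_map = None
            current_class = None
            m = re.match(r"policy-map\s+(\S+)$", text)
            if m:
                current_map = m.group(1)
        elif indent == 1 and current_map is not None:
            m = re.match(r"class\s+(\S+)$", text)
            current_class = m.group(1) if m else None
        yield current_map, current_class, text, raw


def parse_policy_maps(config_text):
    """Return {policy_map: {class_name: [inspect lines]}}."""
    maps = {}
    for pmap, cls, text, _ in _walk(config_text):
        if pmap is None:
            continue
        maps.setdefault(pmap, {})
        if cls is None:
            continue
        entries = maps[pmap].setdefault(cls, [])
        if text.startswith("inspect "):
            entries.append(text)
    return maps


def skinny_inspection_enabled(config_text, policy_map="global_policy",
                              class_name="inspection_default"):
    """True if 'inspect skinny' is active in the given class, i.e. the ASA
    is treating TCP/2000 as SCCP."""
    lines = parse_policy_maps(config_text).get(policy_map, {}).get(class_name, [])
    return any(re.match(r"inspect\s+skinny\b", line) for line in lines)


def apply_no_inspect_skinny(config_text, policy_map="global_policy",
                            class_name="inspection_default"):
    """Return the config as it reads after
    'policy-map global_policy' / 'class inspection_default' / 'no inspect skinny'.
    Only the matching class is touched; skinny in other classes is left alone."""
    kept = []
    for pmap, cls, text, raw in _walk(config_text):
        if pmap == policy_map and cls == class_name and re.match(r"inspect\s+skinny\b", text):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("skinny inspection enabled:", skinny_inspection_enabled(SAMPLE_CONFIG))
    print("after 'no inspect skinny':",
          skinny_inspection_enabled(apply_no_inspect_skinny(SAMPLE_CONFIG)))
```

Paste the real output of "show run policy-map" in place of SAMPLE_CONFIG (or read it from a file) to check a live box; the parser depends on the ASA's leading-space nesting, so keep the text exactly as the firewall prints it.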

Option 2 (Via the ASDM)

1. Launch the ASDM > Select Configuration > Firewall > Service Policy Rules > Global Policy > Inspection Default > Edit.

2. Select the Rule Actions Tab > Untick SCCP (skinny) > OK

[Image: ASDM Disable Skinny]

3. File > Save running configuration to flash.


Related Articles, References, Credits, or External Links


Author: Migrated
