KB ID 0000027
Problem
Note: This applies when the traffic is going through a Cisco firewall (ASA).
Even with all ports open, you cannot connect to an application or website that uses TCP port 2000. Although TCP port 2000 is above the "well-known" range (i.e. above 1024), it is the port used for SCCP (Skinny Client Control Protocol), the Cisco voice / phone signalling protocol, and the ASA's default global policy inspects it as such.
If you push web traffic through this port, the skinny inspection engine sees traffic that is not valid SCCP and the connection fails.
Solution
Option 1 (Via Command Line)
So first, look at your running config for the lines marked with arrows below.
{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
policy-map global_policy <--------
class inspection_default <--------
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny <--------
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect esmtp
{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
To remove skinny inspection via the command line (then save the change):
CiscoASA# conf t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect skinny
CiscoASA(config-pmap-c)# end
CiscoASA# write memory
Pete's Technical Ninja tip: "show run policy-map" will show you just the policy-map configuration without scrolling through the whole config.
Option 2 (Via the ASDM)
1. Launch the ASDM > Select Configuration > Firewall > Service Policy Rules > Global Policy > Inspection Default > Edit.
2. Select the Rule Actions tab > Untick SCCP (Skinny) > OK.
3. File > Save running configuration to flash.
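Before and after either option it helps to confirm what the global policy actually inspects, rather than eyeballing the config. The following is an added example, not part of the original KB article or anything Cisco ships: it parses the indented policy-map / class / inspect structure of a saved running-config (or the output of "show run policy-map"), reports whether "inspect skinny" is active in global_policy, and emits the exact removal commands from this article. The sample config embedded below is constructed for the example and does not come from a real device.

```python
"""Audit a Cisco ASA running-config for 'inspect skinny' in the global policy.

Added example (not from the KB article): parses policy-map -> class -> inspect
lines, reports whether SCCP/Skinny inspection (TCP 2000) is active, and emits
the CLI needed to remove it. SAMPLE_CONFIG is constructed for this example.
"""
import re

# Constructed sample, modelled on the block quoted in the KB (not a real device).
SAMPLE_CONFIG = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
  inspect icmp
 class class-default
service-policy global_policy global
"""


def parse_policy_maps(config_text):
    """Return {policy_map: {class_name: [inspections]}} for layer-3/4 policy-maps.

    ASA config is indentation based: 'policy-map X' at column 0, ' class Y' at
    one space, '  inspect Z ...' at two spaces. 'policy-map type inspect ...'
    blocks are skipped: they hold inspection parameters, not class/inspect lines.
    """
    policies = {}
    current_pm = None
    current_class = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # Any top-level line ends the current policy-map block.
            current_pm = current_class = None
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                current_pm = m.group(1)
                policies[current_pm] = {}
            continue
        if current_pm is None:
            continue
        if indent == 1 and line.startswith("class "):
            current_class = line.split(None, 1)[1]
            policies[current_pm][current_class] = []
        elif indent >= 2 and current_class and line.startswith("inspect "):
            policies[current_pm][current_class].append(line.split(None, 1)[1])
    return policies


def skinny_enabled(policies, policy_map="global_policy"):
    """True if any class in the given policy-map carries 'inspect skinny'."""
    return any(
        insp.split()[0] == "skinny"
        for inspections in policies.get(policy_map, {}).values()
        for insp in inspections
    )


def removal_commands(policies, policy_map="global_policy"):
    """CLI lines (as in the KB) to remove skinny inspection from policy_map.

    Returns an empty list when there is nothing to remove.
    """
    cmds = []
    for cls, inspections in policies.get(policy_map, {}).items():
        if any(i.split()[0] == "skinny" for i in inspections):
            cmds += [f"policy-map {policy_map}", f"class {cls}", "no inspect skinny"]
    if cmds:
        cmds = ["configure terminal"] + cmds + ["end", "write memory"]
    return cmds


if __name__ == "__main__":
    pols = parse_policy_maps(SAMPLE_CONFIG)
    if skinny_enabled(pols):
        print("SCCP/Skinny inspection is active (TCP 2000); remove it with:")
        print("\n".join(removal_commands(pols)))
    else:
        print("Skinny inspection is not present in global_policy.")
```

Run it against the output of "show run policy-map" saved to a file to get a yes/no answer before the change, and again afterwards to confirm the inspect line is gone; other inspections in the same class are left untouched.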
Related Articles, References, Credits, or External Links
NA
