KB ID 0000027
Problem
Note: When going through a Cisco Firewall.
Even with all ports open, you cannot connect to an application or website that uses TCP port 2000. Although TCP port 2000 is above the "well-known" range (i.e. above 1024), it is used for SCCP (Skinny Client Control Protocol), which is a Cisco voice / phone protocol.
If you push web traffic through this port, the firewall's skinny inspection gets upset and the connection fails.
Solution
Option 1 (Via Command Line)
So first, look at your config for the lines marked with arrows below.
[box]
{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
policy-map global_policy <--------
 class inspection_default <--------
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny <--------
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
{{{{{{{{{{{{{{{{{removed to save space}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
[/box]
To remove skinny inspection via the command line:
[box]
CiscoASA# conf t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect skinny
[/box]
Pete's Technical Ninja tip: "show run policy-map" will show you the policy without scrolling through the whole config.
Option 2 (Via the ASDM)
1. Launch the ASDM > Select Configuration > Firewall > Service Policy Rules > Global Policy > Inspection Default > Edit.
2. Select the Rule Actions tab > Untick SCCP (Skinny) > OK.
3. File > Save running configuration to flash.
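As an added check (not part of the original article), the script below parses the text of "show run policy-map" and reports whether "inspect skinny" is still active under the global_policy / inspection_default class, so you can confirm the change before and after applying either option. The sample output embedded in it is constructed to mirror the config excerpt above; the function names are mine.

```python
from typing import Dict, List

# Constructed sample mirroring the article's excerpt (not real device output).
SAMPLE_POLICY_MAP_OUTPUT = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
  inspect icmp
"""


def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_map: {class_name: [inspect arguments]}} from ASA config text.

    Only the 'policy-map <name>' / ' class <name>' / '  inspect ...' nesting
    shown in the article is handled; any other line is ignored.
    """
    maps: Dict[str, Dict[str, List[str]]] = {}
    current_map = current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        words = line.split()
        if indent == 0 and words[0] == "policy-map":
            current_map = words[-1]          # last word is the map name, even for 'type inspect' maps
            maps.setdefault(current_map, {})
            current_class = None
        elif indent >= 1 and words[0] == "class" and current_map is not None:
            current_class = " ".join(words[1:])
            maps[current_map].setdefault(current_class, [])
        elif indent >= 2 and words[0] == "inspect" and current_map and current_class:
            maps[current_map][current_class].append(" ".join(words[1:]))
    return maps


def skinny_inspected(config: str, policy_map: str = "global_policy",
                     class_name: str = "inspection_default") -> bool:
    """True if 'inspect skinny' is still present under the given policy-map/class."""
    inspects = parse_policy_maps(config).get(policy_map, {}).get(class_name, [])
    return any(entry.split()[0] == "skinny" for entry in inspects)


if __name__ == "__main__":
    print("skinny inspection active:", skinny_inspected(SAMPLE_POLICY_MAP_OUTPUT))
```

Paste the real "show run policy-map" output into the string (or read it from a file) to check a live box.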
Related Articles, References, Credits, or External Links
NA