Cisco ASA NAT problems with TCP Port 2000

I came across a somewhat unusual issue earlier this week whilst trying to set up a NAT entry to forward HTTP traffic over port 2000. The firewalls being used were a pair of Cisco ASA 5505s. The relevant configuration was pretty straightforward:

object-group service AllowedPorts
 service-object tcp eq 2000 
access-list outside-in extended permit object-group AllowedPorts any host 1.1.1.1

When trying to pass HTTP traffic to 1.1.1.1 over port 2000, the TCP connection would establish and eventually a TCP RST would be received, but no data was actually transferred. Running the service on a port other than 2000 worked fine.

Looking at the IANA port list, port 2000 is registered for Cisco SCCP (Skinny Client Control Protocol). By default the ASA's global policy enables inspection of various protocols, including SCCP/Skinny:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp

I decided to try disabling the inspection and see if that made a difference:

CiscoASA# conf t 
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default 
CiscoASA(config-pmap-c)# no inspect skinny

With inspection disabled, traffic on port 2000 works as expected. In my particular case I turned inspection back on and decided to just use a different TCP port, but this will no doubt help someone out there!
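A middle ground between globally disabling Skinny inspection and moving the service, as an added example that is not from the original post: keep Skinny inspection for genuine phone traffic but scope it with an ACL so the HTTP-on-2000 flows to 1.1.1.1 never hit the inspector. The phone subnet (10.0.0.0/24) and the object names are assumed placeholders; 1.1.1.1 is the host from the post.

```cisco
! Added example, not the original post's configuration.
! Assumptions: phone subnet 10.0.0.0/24 is a placeholder; the NAT target
! 1.1.1.1 on TCP/2000 is the host from the post. Object names are invented.

! 1. Remove Skinny from the default inspection class. The default class
!    matches "default-inspection-traffic", which treats ALL TCP/2000 as
!    Skinny and is what broke the HTTP flows.
policy-map global_policy
 class inspection_default
  no inspect skinny

! 2. Define which flows really are Skinny: phones talking to their call
!    manager on TCP/2000. The HTTP-over-2000 NAT target is not included.
access-list SKINNY-PHONES extended permit tcp 10.0.0.0 255.255.255.0 any eq 2000
class-map SKINNY-PHONES-CLASS
 match access-list SKINNY-PHONES

! 3. Re-apply Skinny inspection only to that class. Traffic to 1.1.1.1:2000
!    matches no inspect class and is passed as plain TCP after the ACL check.
policy-map global_policy
 class SKINNY-PHONES-CLASS
  inspect skinny

! 4. Verify: the new class should show Skinny packet counters climbing for
!    phone traffic, and the HTTP flow should appear as a normal TCP
!    connection with data passing (no RST, bytes > 0).
! show service-policy inspect skinny
! show conn address 1.1.1.1 port 2000
```

If you instead keep the post's approach of simply disabling the inspection, the same `show service-policy inspect skinny` command confirms it is no longer applied before you retest.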

Published by

Dave Hope

Dave is a Principal Software Analyst for a UK-based retirement developer; in his spare time he enjoys digital photography and rock climbing.

3 thoughts on “Cisco ASA NAT problems with TCP Port 2000”

  1. You can disable inspection for Skinny and this will also resolve the issue. The better option would be to change the port where possible.
