I came across a somewhat unusual issue earlier this week whilst trying to setup a NAT entry to forward HTTP traffic over port 2000. The firewalls being used were a pair of Cisco ASA 5505s. The relevant configuration was pretty straightforward:
object-group service AllowedPorts service-object tcp eq 2000 access-list outside-in extended permit object-group AllowedPorts any host 22.214.171.124
When trying to pass HTTP traffic to 126.96.36.199 over port 2000, the TCP connection would establish and eventually a TCP RST would be received. But no data would actually be transferred. Running the service on a port other than 2000 worked fine.
Looking at the IANA port list, port 2000 is used by Cisco SCCP. By default inspection of various protocols is enabled, including SCCP/Skinny:
policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp
I decided to try disabling the inspection and see if that made a difference:
CiscoASA# conf t CiscoASA(config)# policy-map global_policy CiscoASA(config-pmap)# class inspection_default CiscoASA(config-pmap-c)# no inspect skinny
Suddenly traffic on port 2000 works as expected. In my particular case I turned inspection back on and decided to just use a different TCP port, but this will no doubt help someone out there!