I came across a somewhat unusual issue earlier this week whilst trying to setup a NAT entry to forward HTTP traffic over port 2000. The firewalls being used were a pair of Cisco ASA 5505s. The relevant configuration was pretty straightforward:
object-group service AllowedPorts service-object tcp eq 2000 access-list outside-in extended permit object-group AllowedPorts any host 1.1.1.1
When trying to pass HTTP traffic to 1.1.1.1 over port 2000, the TCP connection would establish and eventually a TCP RST would be received. But no data would actually be transferred. Running the service on a port other than 2000 worked fine.
Looking at the IANA port list, port 2000 is used by Cisco SCCP. By default inspection of various protocols is enabled, including SCCP/Skinny:
policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp
I decided to try disabling the inspection and see if that made a difference:
CiscoASA# conf t CiscoASA(config)# policy-map global_policy CiscoASA(config-pmap)# class inspection_default CiscoASA(config-pmap-c)# no inspect skinny
Suddenly traffic on port 2000 works as expected. In my particular case I turned inspection back on and decided to just use a different TCP port, but this will no doubt help someone out there!
You can disable inspection for Skinny and this will also resolve the issue. The better option would be to change the port where possible.
Which is exactly what I did.
Thanks. I tried worked.