Cisco ASA - finding out what ports are being used on LAN

So I have a Cisco ASA5510. I have ACLs applied to my outbound interface for all my static NATs, but on my inside interface it's ip any any. I want to start to lock this down by port. What is the best way to find out what ports are currently being used on the internal network?
denver218Asked:
amac81Commented:
Typically, the ports that are on the inside have a security level of 100.  That may begin to help you.  The ports in the DMZ may have 50 and external ports are 0.
CamyCommented:
There might be better ways that someone else will advise of but "show ip nat translation" might give you a start in seeing what ports are in use at a given time.

You could also potentially set up a Netflow analyser, which should give you this info and further information in the longer term. (ManageEngine do a free version and the 5510 looks like Netflow should be available with the right OS version - https://www.manageengine.com/products/netflow/download-free.html)
KlinkeyeCommented:
Through the ASDM, select Monitoring at the top, then on the left-hand side at the bottom select Logging. Ensure that the logging level is set to debugging and select the View... button.

This will pop up a window and show you when traffic is blocked and allowed by your firewall rules. (Yellow entries are typically the ones that are blocked.)

You can then investigate the yellow entries and figure out what port is being blocked, after assessing if the inside IP should be talking to the internet on that port... you can create a rule based on that information.
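Building on Klinkeye's suggestion of reading the ASA log, here is an added example (not from the thread) that tallies which destination ports inside hosts actually open, from exported ASA syslog text, so the inside ACL can be tightened from evidence rather than guesswork. The sample lines are constructed; the message layouts for 302013/302015 (connection built) and 106023 (denied by access-group) follow Cisco's syslog reference, and the ACL name inside_access_in is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the layout of ASA messages 302013/302015 and 106023.
# For outbound connections the inside initiator appears on the "to" side.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.1.10/51234 (203.0.113.5/51234)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.1.11/51235 (203.0.113.5/51235)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/40000 (203.0.113.5/40000)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.1.12/51236 (203.0.113.5/51236)
%ASA-4-106023: Deny tcp src inside:192.168.1.20/51000 dst outside:198.51.100.7/8080 by access-group "inside_access_in" [0x0, 0x0]
"""

# Connection built: capture protocol, destination host/port and the inside source host.
BUILT = re.compile(
    r"%ASA-\d-3020(?:13|15): Built outbound (TCP|UDP) connection \d+ "
    r"for \w+:([\d.]+)/(\d+) \(\S+\) to inside:([\d.]+)/\d+"
)
# Denied by ACL: capture protocol, inside source host and destination host/port.
DENY = re.compile(
    r"%ASA-\d-106023: Deny (tcp|udp) src inside:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)"
)

def tally_ports(log_text):
    """Return {(proto, dst_port): {"allowed": set(src_hosts), "denied": set(src_hosts)}}."""
    seen = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            proto, _dst, dport, src = m.groups()
            seen[(proto.lower(), int(dport))]["allowed"].add(src)
            continue
        m = DENY.search(line)
        if m:
            proto, src, _dst, dport = m.groups()
            seen[(proto.lower(), int(dport))]["denied"].add(src)
    return dict(seen)

def suggest_aces(seen, acl_name="inside_access_in"):
    """Render one permit ACE per port that was actually used, busiest port first.
    Ports seen only in deny messages are left out for the admin to review by hand."""
    order = sorted(seen, key=lambda k: -len(seen[k]["allowed"]))
    return [f"access-list {acl_name} extended permit {p} any any eq {port}"
            for p, port in order if seen[(p, port)]["allowed"]]

if __name__ == "__main__":
    usage = tally_ports(SAMPLE_LOG)
    for key, hosts in usage.items():
        print(key, "allowed:", sorted(hosts["allowed"]), "denied:", sorted(hosts["denied"]))
    print("\n".join(suggest_aces(usage)))
```

Feed it a syslog export from the ASDM log viewer or a syslog server instead of SAMPLE_LOG to see the real port list; the review of "denied" entries is where the scream-test victims show up.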
LSevenCommented:
Scream test. Make a rule to let 80/443 outbound and stop everything else. Wait and see who screams when something is broken.