Cisco ASA 5505 and TCP port 2000 Skinny Inspection (SCCP)

I recently migrated a pair of ATMs from behind a Microsoft Threat Management Gateway to a Cisco ASA. During this cutover, the change was done very quickly so the VPN traffic for the ATMs was not interrupted.

A few weeks later the ATMs started having problems when the Internet connection was disrupted. The VPN tunnels were connected, but the ATM provider was receiving reset packets from the ATMs. I discovered the ATMs were communicating with the ATM provider using TCP port 2000.

Normally, TCP port 2000 is used by the Cisco Skinny Client Control Protocol (SCCP), and traffic inspection for SCCP is enabled on the ASA by default. The packet resets stopped after removing SCCP inspection from the global policy list.

To disable SCCP inspection on the ASA:

CiscoASA# conf t

CiscoASA(config)# policy-map global_policy

CiscoASA(config-pmap)# class inspection_default 

CiscoASA(config-pmap-c)# no inspect skinny
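
To confirm the change took effect, or to find other ASAs whose global policy still treats TCP 2000 as SCCP, a saved running-config can be checked offline. The following is an added example, not part of the original post; the sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample (not from the original post): the relevant part of an ASA
# running-config after "no inspect skinny" has been applied.
AFTER = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect sip
  inspect sqlnet
!
service-policy global_policy global
"""
# The same config with the default SCCP inspection still present.
BEFORE = AFTER.replace("  inspect sip\n", "  inspect sip\n  inspect skinny\n")

def inspections(config):
    """Map (policy-map, class) -> list of inspect engines, by indentation."""
    found, pmap, cls = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # Two words means a layer 3/4 policy map, not "policy-map type ...".
            is_l34 = words[0] == "policy-map" and len(words) == 2
            pmap, cls = (words[1] if is_l34 else None), None
        elif pmap and indent == 1 and words[0] == "class" and len(words) > 1:
            cls = words[1]
            found.setdefault((pmap, cls), [])
        elif pmap and cls and words[0] == "inspect" and len(words) > 1:
            found[(pmap, cls)].append(words[1])
    return found

def skinny_classes(config):
    """Classes of the globally applied policy map that still inspect skinny."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    name = m.group(1) if m else None
    return [c for (p, c), engines in inspections(config).items()
            if p == name and "skinny" in engines]

if __name__ == "__main__":
    print("before:", skinny_classes(BEFORE))
    print("after: ", skinny_classes(AFTER))
```

An empty list means no class in the globally applied policy map inspects SCCP; interface-level service policies are not examined by this check.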
