Backup Exec Through The ASA

I thought I would write up a quick post on my experiences in getting Backup Exec 2010 R2 to function through a Cisco ASA firewall this morning.

For the uninitiated, Backup Exec is a software package from Symantec for doing enterprise server backups. I am not a server guy or a backup guy, nor do I claim to be. I do know that there are two basic pieces to the system: a Backup Exec server and one or more Backup Exec agents. The agents run on the computers that need to be backed up to the server.

In this particular case, I had just finished implementing a new ASA firewall pair in one of our European offices. The firewall has an inside, an outside and a DMZ interface. A Microsoft Exchange OWA box sits in that DMZ and needs to be backed up by Backup Exec to a Backup Exec server on the inside network. Much to my dismay, I received a call this morning from my European counterpart explaining that backups for the OWA box were failing immediately after starting. After digging into it a bit, here is what I found regarding Backup Exec 2010 R2:

  • The more “official” looking document here I found somewhat cryptic. It seemed to say that the initial communication from server to agent was on TCP 1000, yet the port requirements list and other information on the internet indicated that the port was actually TCP 10000. The port requirements list linked from that document is not at all clear about which side initiates the communication, and it includes a lot of ports that are not necessarily needed (Windows SMB, for example).
  • The document provided here was much easier to read and gave a clear, concise explanation. It was from this document that I got the information I needed.
  • When a backup job starts, the Backup Exec server initiates a TCP connection to the agent on TCP 10000.
  • After the initial communication on TCP 10000, the server talks to the agent on a random TCP port allocated by the Backup Exec server. If you are a firewall administrator, “randomly allocated ports” are something of a nightmare. However…
  • Backup Exec 2010 has an option that tells it to use a static range of ports you define instead of allocating them dynamically. Follow the instructions below (copied from the link I provided) to set that up. Symantec recommends opening two ports for each backup job that may be running at the same time.

-Open the Backup Exec Administrator
-From the “Tools” menu, select “Options”
-Select “Network and Security”
-Select “Enable remote agent TCP dynamic port range”
-Enter a start & stop value for TCP ports
-Make the range at least 25 ports, or 2 ports per active backup operation, whichever is larger
-Make the ports a large value, and unused by anything else on the server. For example: ports 20,000 – 20,024

With this information, I created the following configuration for my ASA. Yes, I use a lot of object groups. I like that strategy because at the moment they only have a single box in the DMZ that needs to be backed up, but if they ever add more I can simply add a host to the “DMZ_Backup_Exec_Agents” object-group (and a second backup server to “Backup_Exec_Servers”). I use object-groups even for single servers so the rules are easier to read and for others to understand. Two things to watch: the port range in the service object-group has to match the range entered in Backup Exec exactly, and the access list only takes effect once it is bound to the inside interface with an access-group statement. Because the Backup Exec server initiates every connection, the ASA's stateful inspection handles the agent's replies and nothing is needed on the DMZ interface for this flow. TCP 6101 is the Backup Exec Agent Browser port from Symantec's port requirements list.

object-group network BAKEXEC01
 network-object host 172.16.1.35
!
object-group network DMZ_owa
 network-object host 172.16.250.11
!
object-group network Backup_Exec_Servers
 group-object BAKEXEC01
!
object-group network DMZ_Backup_Exec_Agents
 group-object DMZ_owa
!
object-group service Backup_Exec_tcp tcp
 port-object eq 10000
 port-object eq 6101
 port-object range 20000 20024
!
!
access-list acl_inside extended permit tcp object-group Backup_Exec_Servers object-group DMZ_Backup_Exec_Agents object-group Backup_Exec_tcp
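As an added check (my own example, not code from the post or from Symantec), the Python below encodes Symantec's range-sizing rule, parses the ASA service object-group so the ports the firewall permits can be compared against the range entered in Backup Exec, and includes a TCP probe to run from an inside host toward the DMZ agent that separates a firewall drop (timeout) from a plain “nothing listening” reset. The function names, the embedded sample config (a copy of the object-group and access-list above) and the treatment of 6101 as an “extra” port from the Symantec list are my assumptions; the probe itself is not exercised offline.

```python
import re
import socket
from typing import Dict, List, Set, Tuple

# Port the Backup Exec server uses for its initial connection to the remote agent.
AGENT_CONTROL_PORT = 10000

# Copy of the service object-group and ACL from the post, embedded so the checker
# runs offline (assumption: the network object-groups are not needed for a port check).
SAMPLE_ASA_CONFIG = """\
object-group service Backup_Exec_tcp tcp
 port-object eq 10000
 port-object eq 6101
 port-object range 20000 20024
!
access-list acl_inside extended permit tcp object-group Backup_Exec_Servers object-group DMZ_Backup_Exec_Agents object-group Backup_Exec_tcp
"""

OBJECT_GROUP_RE = re.compile(r"^\s*object-group\s+service\s+(\S+)\s+tcp\s*$")
PORT_OBJECT_RE = re.compile(r"^\s*port-object\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s*$")


def required_range_size(active_jobs: int) -> int:
    """Symantec's rule: at least 25 ports, or 2 per simultaneous job, whichever is larger."""
    return max(25, 2 * active_jobs)


def check_be_range(start: int, stop: int, active_jobs: int) -> List[str]:
    """Sanity-check the range typed into Tools > Options > Network and Security.
    Returns a list of problems; an empty list means the range is usable."""
    problems = []
    if not (1 <= start <= 65535 and 1 <= stop <= 65535):
        problems.append("ports must be between 1 and 65535")
    if stop < start:
        problems.append("stop port is below start port")
        return problems
    width = stop - start + 1
    need = required_range_size(active_jobs)
    if width < need:
        problems.append(f"range is {width} ports wide, need at least {need}")
    if start < 1024:  # "make the ports a large value": flag the well-known range
        problems.append("range overlaps well-known ports below 1024")
    return problems


def parse_asa_service_groups(config: str) -> Dict[str, Set[int]]:
    """Turn each 'object-group service NAME tcp' block into NAME -> set of TCP ports.
    Any non-indented line (such as '!') ends the current block."""
    groups: Dict[str, Set[int]] = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = PORT_OBJECT_RE.match(line) if current else None
        if m and m.group(1):
            groups[current].add(int(m.group(1)))
        elif m:
            groups[current].update(range(int(m.group(2)), int(m.group(3)) + 1))
    return groups


def check_asa_against_be(config: str, group_name: str, be_start: int, be_stop: int,
                         extra_ports: Tuple[int, ...] = ()) -> Tuple[List[int], List[int]]:
    """Compare what the ASA permits with what Backup Exec will use: 10000, the static
    range, plus any extra ports from Symantec's list. Returns (missing, unexpected)."""
    allowed = parse_asa_service_groups(config).get(group_name, set())
    needed = {AGENT_CONTROL_PORT} | set(range(be_start, be_stop + 1)) | set(extra_ports)
    return sorted(needed - allowed), sorted(allowed - needed)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect made from the inside network toward the agent:
    'open' = listener answered (expected on 10000); 'refused' = RST came back, so the
    ASA permitted the packet but nothing is listening (normal for the static range
    between jobs); 'filtered' = no answer before the timeout, the usual sign of a
    firewall drop; 'unreachable' = the host could not be reached at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


if __name__ == "__main__":
    be_range = (20000, 20024)
    print("Backup Exec range problems:", check_be_range(*be_range, active_jobs=10))
    print("ASA (missing, unexpected):",
          check_asa_against_be(SAMPLE_ASA_CONFIG, "Backup_Exec_tcp", *be_range, (6101,)))
    # Live probe from an inside host; 172.16.250.11 is the post's DMZ OWA agent.
    # for port in (AGENT_CONTROL_PORT, 6101, be_range[0]):
    #     print(port, probe_tcp("172.16.250.11", port))
```

Run the two checks on the Backup Exec server's side of the firewall before the first job: a “filtered” on 10000 or anywhere in the range points at the ACL (or at the access-group binding), while “refused” across the range with “open” on 10000 is exactly what a correct ASA configuration looks like while no job is running.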

And with that, fully functioning backups!
