IP scan of ASA5505 Outside interface shows port 443 open

dcarru
Level 1

Remote management via ASDM/HTTPS on the Outside interface of the ASA5505 is configured and working over the Internet and is restricted to only a few host IP addresses. Access tried from any other Internet IP address does not work. However, when running a port scan from ANY Internet IP address, the ASA shows port 443 open. We have the same remote access configured for Telnet and SSH, but those ports do NOT show open in a scan. How can I prevent the ASA from showing port 443 as open?

2 Replies

JORGE RODRIGUEZ
Level 10

David, I have not read of a way to instruct a firewall with an external public IP address configured on it not to show which ports it is listening on or forwarding. Port scanning will probe an IP address until it finds an open port, but the ASA has global IDS signature functionality to protect from DoS or other attacks. There are also other techniques in firewall design where you have devices in front of the firewall to provide another layer of protection, such as placing a router or IDS system before attackers even reach the firewall.

This is a good link to learn more about how to implement a few of the many network attack prevention and scanning threat detection techniques in your firewall:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1042020

HTH

Jorge
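The configuration Jorge's reply points to, as an added example that is not part of the original thread: ASDM/HTTPS and SSH on the outside interface restricted to a couple of management hosts, plus the scanning threat detection described in the linked ASA 8.0 guide. The 198.51.100.x addresses are constructed placeholders, not values from the post.

```text
! Added example (not from the thread). Management hosts below are
! constructed placeholders; replace them with your own admin addresses.
!
! Restrict ASDM/HTTPS on the outside interface to two management hosts.
http server enable
http 198.51.100.10 255.255.255.255 outside
http 198.51.100.11 255.255.255.255 outside
!
! Restrict SSH on the outside interface the same way.
ssh 198.51.100.10 255.255.255.255 outside
ssh 198.51.100.11 255.255.255.255 outside
ssh version 2
ssh timeout 10
!
! Basic threat detection: rate-based drop statistics, including scanning.
threat-detection basic-threat
!
! Scanning threat detection: classify hosts that probe many ports/hosts as
! attackers and shun them, but never shun the management hosts themselves.
threat-detection scanning-threat shun except ip-address 198.51.100.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 198.51.100.11 255.255.255.255
threat-detection scanning-threat shun duration 3600
!
! Verify from the CLI:
!   show threat-detection scanning-threat attacker
!   show threat-detection shun
```

Shunning blocks all traffic from the classified host for the configured duration, so the `except` entries matter: a scan launched from an admin workstation would otherwise lock that workstation out of the firewall.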

Thank you, Jorge, for your answer; however, I have one additional question: Why wouldn't Telnet or SSH also show as available from the Internet like HTTPS does? I configured all 3 temporarily just to test. Thanks again.
