Port scanning "outside" interface of ASA

Unanswered Question
Nov 8th, 2008


I'm using nmap and Nessus to port scan the external-facing IP range of my ASA. When I port scan the "outside" IP, my syslog server fills up with deny errors, which is great. However, I have other external IPs which are NAT'd to web servers on my Cisco 3750, which is trunked off the ASA, and these never appear in the syslog server.

It could be just my understanding, but the firewall's ACLs/ACEs are doing all the blocking, so shouldn't the denies be appearing in the ASDM console or syslog server saying they have denied access from a remote IP? It only shows the firewall's "outside" interface IP.

My "outside" interface is simply connected to our ISP's Cisco Internet router, and we have 20 public IPs to assign to various roles like web server etc.

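One way to check the original question objectively is to parse the ASA syslog feed itself and count which destination addresses actually produce deny records, rather than eyeballing ASDM. The script below is an added example for this thread, not code from the original poster or from Cisco. It assumes the %ASA-4-106023 "Deny ... by access-group" message layout documented by Cisco; the sample log lines, the addresses (documentation ranges), the access-group name and the list of expected public hosts are all constructed for the example. Whether a given ASA release logs the mapped or the real address for a NAT'd host depends on the version and NAT setup, so point the expected-host list at whatever addresses your own logs record.

```python
"""Summarise ASA access-group denies per destination and per source.

Added example for the thread above; sample data and host list are constructed.
"""
import re
from collections import defaultdict

# Constructed sample ASA syslog lines in the %ASA-4-106023 format. The fifth line
# is a %ASA-6-302013 "Built" message and must be ignored by the deny parser.
SAMPLE_SYSLOG = """\
Nov  8 21:05:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/41022 dst outside:198.51.100.1/22 by access-group "outside_access_in" [0x0, 0x0]
Nov  8 21:05:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/41023 dst outside:198.51.100.1/23 by access-group "outside_access_in" [0x0, 0x0]
Nov  8 21:05:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/41024 dst outside:198.51.100.1/25 by access-group "outside_access_in" [0x0, 0x0]
Nov  8 21:05:03 fw01 %ASA-4-106023: Deny udp src outside:203.0.113.50/41025 dst outside:198.51.100.1/161 by access-group "outside_access_in" [0x0, 0x0]
Nov  8 21:05:04 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.50/41030 (203.0.113.50/41030) to dmz:10.10.10.5/80 (198.51.100.5/80)
Nov  8 21:05:05 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/41031 dst dmz:10.10.10.5/3389 by access-group "outside_access_in" [0x0, 0x0]
"""

# Constructed list of public addresses the asker expects to see denies for
# (the ASA outside IP plus the NAT'd web servers). Placeholder values.
EXPECTED_PUBLIC_HOSTS = ["198.51.100.1", "198.51.100.5", "198.51.100.7"]

# Matches the documented 106023 layout:
# Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per 106023 deny line; other message IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarize_by_destination(records):
    """Group denies by destination address: hit count, distinct ports, sources."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "sources": set()})
    for rec in records:
        entry = summary[rec["dst"]]
        entry["count"] += 1
        entry["ports"].add(rec["dport"])
        entry["sources"].add(rec["src"])
    return dict(summary)


def find_silent_hosts(summary, expected_hosts):
    """Expected public hosts that never appear as a deny destination.

    These are the addresses whose scans are either being allowed, dropped
    without an access-group log, or logged under a different address.
    """
    return sorted(h for h in expected_hosts if h not in summary)


def find_port_sweeps(records, min_ports=10):
    """Sources that were denied on at least min_ports distinct dst/port pairs."""
    targets = defaultdict(set)
    for rec in records:
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: len(pairs) for src, pairs in targets.items() if len(pairs) >= min_ports}


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_SYSLOG)
    by_dst = summarize_by_destination(recs)
    for dst, info in sorted(by_dst.items()):
        print(f"{dst}: {info['count']} denies, ports {sorted(info['ports'])}, "
              f"from {sorted(info['sources'])}")
    print("expected hosts with no deny records:",
          find_silent_hosts(by_dst, EXPECTED_PUBLIC_HOSTS))
    print("sources sweeping 3+ dst/port pairs:", find_port_sweeps(recs, min_ports=3))
```

Feed it the real syslog file instead of SAMPLE_SYSLOG and compare find_silent_hosts() against the list of NAT'd public addresses. A host that shows up here has its inbound scans denied and logged by the interface ACL; a host that stays silent is the one worth checking for a permit that lets the probes through, or for a deny happening somewhere that does not emit 106023.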
ray_stone Sat, 11/08/2008 - 21:17

Hi, please try to add ICMP inspection in default_inspection.


whiteford Sun, 11/09/2008 - 00:01


This is what I already have:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error

whiteford Sun, 11/09/2008 - 00:17

What parts do you need as I have to rename so much for security reasons?

Do you think the ASA should be picking up these port scans which are "aimed" at other devices, which go through the ASA?

ray_stone Sun, 11/09/2008 - 00:28

It depends on your configuration, on what you have allowed or denied. Please post your config; you can hide or change details.

