Port scanning "outside" interface of ASA

whiteford
Level 1

Hi,

I'm using nmap and Nessus to port scan the external-facing IP range of my ASA. When I port scan the "outside" IP, my syslog server fills up with deny errors, which is great. However, I have other external IPs which are NAT'd to web servers on my Cisco 3750, which is trunked off the ASA, and these never appear in the syslog server.

It could be just my understanding, but the firewall's ACLs/ACEs are doing all the blocking, so shouldn't the denies be appearing in the ASDM console or syslog server saying they have denied access from a remote IP? It only shows the firewall's "outside" interface IP.

My "outside" interface is simply connected to our ISP's Cisco Internet router, and we have 20 public IPs to assign to various roles like web server etc.

5 Replies

ray_stone
Level 1

Hi, please try to add ICMP inspection in default_inspection.

Ray

Hello,

This is what I already have:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error

Can you please post your conf?

What parts do you need, as I have to rename so much for security reasons?

Do you think the ASA should be picking up these port scans which are "aimed" at other devices, which go through the ASA?

It depends on your configuration: what you have allowed or denied. Please post your conf; you can hide or change details.
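To check what the syslog server actually records during a scan like the one described above, here is an added example (not from this thread or from Cisco) that parses ASA deny messages 106023 and 106001 from constructed sample lines, counts denies per destination address, and flags a source that probes many distinct ports. The sample addresses and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). 203.0.113.5 is the
# scanner, 198.51.100.1 the ASA outside IP, 198.51.100.2 a NAT'd public IP.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/40001 dst outside:198.51.100.1/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/40002 dst outside:198.51.100.1/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/40003 dst outside:198.51.100.1/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.5/40004 dst outside:198.51.100.1/161 by access-group "outside_access_in" [0x0, 0x0]
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/40005 to 198.51.100.2/3389 flags SYN on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/40006 (203.0.113.5/40006) to dmz:10.0.0.10/80 (198.51.100.2/80)
"""

# 106023: ACL deny (carries interface names); 106001: inbound connection denied.
RE_106023 = re.compile(
    r"106023: Deny (?P<proto>\w+) src [^:\s]+:(?P<src>[^/\s]+)/\d+ "
    r"dst [^:\s]+:(?P<dst>[^/\s]+)/(?P<dport>\d+)")
RE_106001 = re.compile(
    r"106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[^/\s]+)/\d+ to (?P<dst>[^/\s]+)/(?P<dport>\d+)")

def parse_deny(line):
    """Return (proto, src_ip, dst_ip, dst_port) for a deny line, else None."""
    m = RE_106023.search(line) or RE_106001.search(line)
    if not m:
        return None                      # e.g. 302013 "Built ... connection" is a permit
    return (m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))

def summarize(lines, scan_threshold=3):
    """Count denies per destination and flag sources probing many distinct ports.
    scan_threshold is an assumed value; tune it for your environment."""
    denies_by_dst = defaultdict(int)     # which public IPs actually produce deny logs
    targets_by_src = defaultdict(set)    # distinct (dst_ip, dst_port) pairs per source
    for line in lines:
        hit = parse_deny(line)
        if hit is None:
            continue
        _proto, src, dst, dport = hit
        denies_by_dst[dst] += 1
        targets_by_src[src].add((dst, dport))
    scanners = sorted(s for s, t in targets_by_src.items() if len(t) >= scan_threshold)
    return dict(denies_by_dst), scanners

if __name__ == "__main__":
    by_dst, scanners = summarize(SAMPLE_LOG.splitlines())
    for dst, n in sorted(by_dst.items()):
        print(f"{dst}: {n} denies")      # a public IP absent here produced no logged deny
    print("scan-like sources:", scanners)
```

Run it against a real export of the syslog server instead of SAMPLE_LOG: destinations that never appear in the per-destination table are the ones whose traffic is not being denied with logging on the ASA.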
