Defeating NMAP?

Jan 14th, 2009


Is there a way to keep nmap from scanning the network?

What I have is a wireless access point, and I have an acl on the radio that denies access to any of our internal subnets. This works great. I can't ping any of my internal networks from the guest side which is what I want.

BUT, I can use nmap and scan all of my internal subnets and get back names, ip addresses, open ports, etc. Is there a way to avoid this?



Jon Marshall Wed, 01/14/2009 - 14:00


Do you mean when you use nmap from the same side of the AP that you test ping from?

If so, what traffic are you allowing through on your acl?


John Blakley Wed, 01/14/2009 - 14:06

Yes. When I'm connected to the guest side (, I can't ping anything. That's what I want, but I can run nmap and get everything back.



Cannot ping (router)

Cannot ping (switch)

Can ping (dhcp/dns server)

Cannot ping (AS400)

Run nmap and everything shows up.

My acl is applied inbound on the radio, and it looks like:

permit udp any any eq bootps (41 matches)

permit tcp any any established

permit udp host eq domain (76 matches)

deny ip (281 matches)

deny ip

deny ip

permit ip any (542 matches)

Thanks Jon,


Jon Marshall Wed, 01/14/2009 - 14:12


Apologies if I'm asking the question you are asking me, but do you know which lines nmap is getting through on? I would expect it to be getting through on the "permit tcp any any established" but there are no hits showing there.

What options are you running from nmap, i.e. what TCP flags are you setting etc.?

Have used nmap before and it was a damn clever tool when I used it, and that was a while back.

Bear in mind that nmap often tries to ping the device first but it doesn't seem as that is what you are doing.


John Blakley Wed, 01/14/2009 - 14:19

For this test, I was just using the command line:

nmap -sP

That tells nmap to ping everything. There's an option in nmap -P0 which tells nmap to not ping, but assume the host is up and start sending SYN packets. I didn't even have to do that.


Jon Marshall Wed, 01/14/2009 - 14:35


Nmap -sP sends an ICMP probe but also a TCP ACK packet to port 80, so I was wondering if it got through with the "permit tcp any any established", because all the "established" keyword does is look for an ACK in the packet. But there are no hits on that line, which is confusing.

Perhaps you could remove that line and retest.

If it still shows everything can you post output of nmap run.

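The ACL behaviour Jon describes can be checked offline. The following is an added example, not code from either poster: it models first-match IOS ACL evaluation with a stateless "established" keyword (ACK or RST set) and runs the two host-discovery probes attributed to `nmap -sP` against the posted ACL order and against the same lines with the internal deny moved above the "established" permit. The subnet, DNS host and target address are constructed placeholders, since the thread's own values were not preserved.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Probe:
    proto: str                       # "icmp", "tcp" or "udp"
    dst: str
    dport: Optional[int] = None
    flags: frozenset = field(default_factory=frozenset)

# ACE = (action, proto, dst network or "any", dport or None, established)
def match(ace, p):
    action, proto, dst, dport, established = ace
    if proto != "ip" and proto != p.proto:
        return False
    if dst != "any" and ip_address(p.dst) not in ip_network(dst):
        return False
    if dport is not None and dport != p.dport:
        return False
    # IOS 'established' keeps no state: it only checks for ACK or RST bits
    if established and not (p.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, p):
    """First matching ACE wins; IOS appends an implicit deny."""
    for ace in acl:
        if match(ace, p):
            return ace[0]
    return "deny"

INTERNAL = "10.10.0.0/16"     # constructed placeholder for one internal subnet
DNS_HOST = "10.10.1.5/32"     # constructed placeholder for the dhcp/dns server
ACL_AS_POSTED = [
    ("permit", "udp", "any", 67, False),      # permit udp any any eq bootps
    ("permit", "tcp", "any", None, True),     # permit tcp any any established
    ("permit", "udp", DNS_HOST, 53, False),   # permit udp ... host X eq domain
    ("deny", "ip", INTERNAL, None, False),    # deny ip ... internal subnet
    ("permit", "ip", "any", None, False),     # permit ip any ...
]
# Same lines, internal deny placed before the stateless 'established' permit
ACL_REORDERED = [ACL_AS_POSTED[0], ACL_AS_POSTED[2], ACL_AS_POSTED[3],
                 ACL_AS_POSTED[1], ACL_AS_POSTED[4]]

def nmap_sp_probes(target):
    """The two host-discovery probes the thread attributes to nmap -sP."""
    return {"icmp_echo": Probe("icmp", target),
            "tcp_ack_80": Probe("tcp", target, 80, frozenset({"ACK"}))}

def discovery_results(acl, target):
    return {name: evaluate(acl, p) for name, p in nmap_sp_probes(target).items()}
```

With the posted order the ICMP echo is denied but the bare ACK to port 80 is permitted, which is why hosts still show up; with the deny moved up, both probes are denied while DHCP and DNS still pass.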

John Blakley Wed, 01/14/2009 - 14:43

Okay, I'll have to set up a test site here in my office because that was at another location today. I'll let you know, but it may be Friday before I can test it.

Thanks Jon!


