AIP-SSM reconnaissance question

Unanswered Question
Mar 12th, 2010

I am doing some regular NMAP reconnaissance tests through our ASA w/IPS.  These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003.  Wireshark captures show that NMAP uses TCP as opposed to the UDP specified on signature 4003.

Please assist.

bnidacoc Wed, 03/17/2010 - 12:23

Have you modified the ASA's ACLs to allow all ports?  Some organizations' AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.

marcusbrutus Thu, 03/18/2010 - 11:54

No ACL dropping packets.  With the IPS on in fail-open, nmap scans still go through.

Please advise.

Jennifer Halim Thu, 03/18/2010 - 21:46
User Badges: Cisco Employee

Is the IPS configured in promiscuous or inline mode?

What is the event action for the signature number that matches the NMAP traffic?
