Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
611
Views
0
Helpful
4
Replies

AIP-SSM reconnaissance question

marcusbrutus
Level 1
Level 1

‎03-12-2010 01:08 PM - edited ‎03-10-2019 04:55 AM

Hi,

I am doing some NMAP regular recoinnassance tests through our ASA w/IPS.  These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003.  Wireshark applications show that NMAP uses tcp as opposed to UDP specified on signature 4003.

Please assist.

Labels:
0 Helpful
4 Replies 4

Panos Kampanakis
Cisco Employee
Cisco Employee

‎03-16-2010 01:23 PM

You can customize the signature based on TCP.

PK

0 Helpful

bnidacoc
Level 1
Level 1

‎03-17-2010 12:23 PM

Mark,

Have you modified the ASA's ACLs to allow all ports?  Some organization's AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.

0 Helpful

marcusbrutus
Level 1
Level 1
In response to bnidacoc

‎03-18-2010 11:54 AM

Hi,

No ACL dropping packets.  With the IPS on in fail-open, nmap scans still go through.

Please advise.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to marcusbrutus

‎03-18-2010 09:46 PM

Is the IPS configured in promiscuous or inline mode?

What is the event action for the signature# that matches the NMAP traffic?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card