I am planning on running a Nessus vulnerability scan against our external IP address space. I wanted to know if we need to make any changes to our firewall configuration to permit an effective scan. We have exempted Nessus traffic from being inspected by the IPS (I thought we needed to?).
I am concerned about the firewall detecting the numerous connection attempts originating from Nessus and dropping them; any suggestions/advice will help. I know I can limit this in the Nessus config, but I want the scans to complete in a reasonable amount of time.
Why do you want to give an exemption in the ASA for external testing?
The purpose of external testing is to verify the firewall's operation against reconnaissance, scanning, and attacks against your network.
You do not want this to happen on your network, correct? Then that is what you need to test.
Check what vulnerabilities Nessus can find without any changes to the ASA. There will be many, depending on your configuration.
Then find out ways (which may require configuration changes on the ASA or servers) to prevent this kind of scan in the future.
There is also another method of testing called internal testing, where you test your firewall and other systems that are exposed to the outside network from your internal network. This is more convenient for finding vulnerabilities than running an external scan.
If your intention is to find vulnerabilities in DMZ servers, then it is better to go for internal testing (external IPs are NATed to inside/DMZ).
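One practical follow-up to the advice above is to correlate the scanner's results with what the ASA actually refused: if the firewall denied a probe, the scanner reports the port as filtered and can say nothing about the service behind it. The script below is an added example, not code from the thread's posters or from Cisco; it parses ASA syslog deny messages (IDs 106023 and 106001, whose formats are real) and summarises, per destination, the protocol/port pairs the firewall blocked from a given scanner address. The log lines are constructed samples using RFC 5737 documentation addresses, and the function and variable names are the example's own.

```python
"""Summarise ASA 'Deny' syslog lines for one scanner source address.

Added example for the thread above, not the posters' own code. It assumes
ASA syslog output (message IDs 106023 and 106001) is available as text.
"""
import re
from collections import defaultdict

# Constructed sample lines in ASA syslog format. Addresses are from the
# RFC 5737 documentation ranges, not real hosts. The last line is a
# normal 'Built' message and must be ignored by the deny parser.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/40001 dst dmz:192.0.2.20/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.10/40002 dst dmz:192.0.2.20/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.10/40003 dst dmz:192.0.2.20/161 by access-group "outside_in" [0x0, 0x0]
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.10/40004 to 192.0.2.21/445 flags SYN  on interface outside
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51000 dst dmz:192.0.2.20/22 by access-group "outside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/40005 (203.0.113.10/40005) to dmz:192.0.2.20/443 (192.0.2.20/443)
"""

# 106023: ACL deny, "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..."
DENY_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src [\w-]+:(?P<src>[\d.]+)/\d+ "
    r"dst [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 106001: "Inbound TCP connection denied from <ip>/<port> to <ip>/<port> ..."
DENY_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Yield (src, dst, proto, dport) for every line matching a deny message."""
    for line in log_text.splitlines():
        for pattern in (DENY_106023, DENY_106001):
            m = pattern.search(line)
            if m:
                yield (m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))
                break


def summarise_scanner(log_text, scanner_ip):
    """Return {dst: sorted [(proto, dport), ...]} that the ASA denied from scanner_ip.

    Comparing this against the ports the scanner reported as filtered lets
    you attribute a missing finding to the ACL rather than to a patched or
    absent service.
    """
    denied = defaultdict(set)
    for src, dst, proto, dport in parse_denies(log_text):
        if src == scanner_ip:
            denied[dst].add((proto, dport))
    return {dst: sorted(ports) for dst, ports in denied.items()}


if __name__ == "__main__":
    # Hypothetical scanner address used in the constructed sample.
    for dst, ports in summarise_scanner(SAMPLE_LOG, "203.0.113.10").items():
        print(dst, ports)
```

Run it against the real ASA log export (`show logging` output or a syslog collector file) in place of `SAMPLE_LOG`, with the scanner's public address as `scanner_ip`. Anything that appears here was never seen by the target host, which is exactly the point of the advice to scan once without an exemption and then decide, per host, whether the firewall or the host should be fixing the gap.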