Cisco Support Community
New Member

Cisco ASA not being mapped by Qualys

We are using Qualys to map our network. The firewalls are set to allow icmp from the scanner to the x.x.x.*/24 network being mapped. For some reason when the mapping scan runs, Qualys isn't detecting the ASA 5510 as a hop in the path. We are running 8.2(1) on the ASA. I do see the hit count increase on the icmp rule during the mapping scan, so the scan is traversing the ASA, but the ASA isn't being detected except as a resource on the destination network. Is this a "working as designed" scenario, or is there some sort of "stealth" setting on the ASA which would do this, or is there something else going on?

Resources are cabled (L2) to VLANs on a 6509 switch. The route is: Scanner -(vlan1)- Firewall1 -(vlan2)- ASA -(vlan3)- dest netwk (x.x.x.*/24)

Qualys map results:  Scanner - Firewall1 - 6509 Switch L3 ip addr - dest netwk (x.x.x.*/24)

Any help, ideas, or clues would be appreciated. Thank you.

1 REPLY
Cisco Employee

Re: Cisco ASA not being mapped by Qualys

Our firewalls do not show themselves as a hop in the path. We do not decrement TTL by default.

If you need to, then it has to be configured. Please follow this sample:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395966

-KS

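The behaviour described in this thread, shown as an added illustration that is not part of either post and is not Cisco or Qualys code: a small Python model of TTL-based path mapping, where a device that forwards without decrementing TTL never sends a Time Exceeded reply and so never appears as a hop. The hop names come from the question; the position of the 6509 after the ASA, the `Hop` class and the function names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True  # routers do; per the reply, the ASA does not by default


def probe(path, ttl):
    """Send one probe with the given TTL; return (responder, reached_destination)."""
    for hop in path[:-1]:
        if not hop.decrements_ttl:
            continue  # forwarded with TTL untouched, so the probe cannot expire here
        ttl -= 1
        if ttl == 0:
            return hop.name, False  # this hop answers with ICMP Time Exceeded
    return path[-1].name, True  # probe reached the destination host


def trace(path, max_ttl=30):
    """Traceroute-style mapping: raise the TTL by one per probe until the target answers."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        responder, done = probe(path, ttl)
        seen.append(responder)
        if done:
            break
    return seen


def build_path(asa_decrements):
    # Constructed topology: hop names from the question, 6509 position assumed.
    return [Hop("Firewall1"), Hop("ASA", asa_decrements), Hop("6509"), Hop("dest")]


if __name__ == "__main__":
    print("default ASA behaviour:", " - ".join(trace(build_path(False))))
    print("TTL decrement enabled:", " - ".join(trace(build_path(True))))
```

With the default behaviour the model reproduces the map reported in the question (Firewall1, then the 6509, then the destination); once the ASA decrements TTL it shows up as its own hop.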