833 Views | 4 Helpful | 22 Replies

Pix gives the impression that a port is open when it is not

alfonso.cornejo
Level 3

Hi to all,

I have this scenario: I have a PIX firewall and in one DMZ I have my servers. I have allowed only HTTPS access to one of them from the outside interface, but if I telnet to the server on any port the firewall gives the impression that it is open.

For example, if from an MS-DOS command line I try a telnet to the server on port 1200, which is not allowed by the firewall and is also closed on the server, the MS-DOS window gets "black", which means that the port is open, but as soon as I press a key the MS-DOS window gets closed, so it means that the connection was not established, which is correct, but it gave the impression that it was established.

Do you have any ideas about what could be causing this?

Thanks in advance.

22 Replies

What exactly is your problem? I must be missing something. I thought you did NOT want to send the reset in the TCP session - as when this happens it indicates there is a device there. Not really what you want a hacker to know - ideally you want the device to silently discard.

The situation is this: I have two servers published to the internet using my PIX (with a static NAT), and with an access-list I have allowed access to them only on the HTTP and SMTP ports. But when you telnet, let's say, to port 1024, which is not allowed, on your MS-DOS window you get a "black screen" that gives you the impression that the port is open, but it is not; actually I see the denied packets in the monitoring of the PIX.

I know that the PIX is blocking that traffic, which is correct, but that impression of the port being open is causing me problems with the information security department, because they say that they "see" that I have all the ports open, but they are not.

That's why I put those commands: to send the TCP reset and get the normal message when you telnet to an IP address on a port that is blocked.

I'm sorry, but your security department is way off. Getting a black screen in DOS does not mean anything; use a port scanner or some other tool like nmap to test with. Also, if you care about security you don't want to send TCP resets when you are blocking something, as this will tell the scanner that the port is actively being blocked, i.e. that there is a firewall or router ACL.

Hi, I just did a test with nmap and the report of the scan says that "all" the ports are open (from 1 to 65535), but in the monitoring of my PIX I see all the "denies" for the huge number of ports that are blocked.

What do you think could be causing this condition?

Thanks in advance.

That is just not possible - if you have a machine on the "outside" of your firewall and ALL ports are coming back as open, then you are using nmap incorrectly.

Hi,

I know this sounds impossible, but I did the same port scan with nmap on two different hosts in different networks, and my host showed all the ports open but I saw all the traffic blocked in the monitoring of the PIX, and the other host, which is on a different network, showed only 3 ports open, and those ports are the ones that are allowed.

That's why I'm thinking that this could maybe be a PIX version problem; my PIX has version 7.2(2).

Any other ideas???

Thanks in advance.

Hold on - you state "nmap to two different hosts in different networks and my host showed all the ports open" and "and in the other host that is on a different network it showed only 3 ports open and those ports are the ones that are allowed"

This indicates to me that your first host is allowed ALL access, and something is not correct.

I do not see this as a version issue - more as an issue with your topology and configuration.

I have 6 devices running 7.2(2) and have performed nmap scans from outside and various other network positions - and the testing outcome was as expected.

Maybe I wrote it in a confusing way. What I wanted to say is that I performed the nmap test on the host in my network with the result of all ports open (but I saw the traffic to not-allowed ports being denied by the PIX), and the other host was a mail server that is on a completely different network infrastructure.

My topology is simple: just an internet link on the outside interface and my servers on a DMZ, a static NAT from the DMZ to outside, and an access-list allowing just the ports that I want.

What confuses me is the fact that I see the traffic being denied by the PIX, but the port scan is showing me all the ports open.

I'm doing a regular scan with Nmap 5.00
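The thread turns on what the Windows telnet client's blank window actually proves: the TCP three-way handshake completed, so something on the path answered the SYN with a SYN-ACK. That is the same evidence nmap's connect scan uses to report a port as open, which is why the reply above is right that a telnet window is no test of the firewall, and why a port that is denied in the PIX log yet completes a handshake for the client deserves a close look at whatever is answering. The Python script below is an added example written for this page (it is not code from the thread or from Cisco): it classifies a single connect() attempt the way a scanner would (handshake completed, RST received, timeout, or no route) and audits a list of ports against the set the access-list is supposed to permit, flagging any denied port that still completes a handshake. It is run here against a loopback listener so it works offline; the host, the port list and the allowed-port set are assumed inputs, and the state labels are chosen to mirror nmap's wording.

```python
import socket
import errno

# Added example: a connect() probe that reports what the TCP handshake returned,
# rather than relying on how a telnet window looks. State labels mirror nmap's:
#   "open"        - the three-way handshake completed (a SYN-ACK came back)
#   "closed"      - a RST came back (ECONNREFUSED): host reachable, no listener
#   "filtered"    - nothing came back before the timeout: silently dropped in the path
#   "unreachable" - the OS could not even route the probe (ENETUNREACH / EHOSTUNREACH)


def classify_port(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def audit_against_policy(host, ports, allowed_ports, timeout=3.0):
    """Return {port: observed_state} for every port whose observed state contradicts
    the firewall policy: a denied port that completes a handshake (the thread's
    complaint), or an allowed port that does not."""
    mismatches = {}
    for port in ports:
        state = classify_port(host, port, timeout)
        permitted = port in allowed_ports
        if permitted and state != "open":
            mismatches[port] = state
        elif not permitted and state == "open":
            mismatches[port] = state
    return mismatches


def start_local_listener():
    """Constructed test fixture: a loopback listener on an ephemeral port.
    Returns (server_socket, port). A backlog alone completes handshakes, no accept() needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_loopback_port():
    """Constructed test fixture: a loopback port with no listener (bind, note the port, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Demo on loopback: one listening port (should be "open") and one closed port.
    srv, open_port = start_local_listener()
    closed_port = find_closed_loopback_port()
    try:
        for p in (open_port, closed_port):
            print(f"127.0.0.1:{p} -> {classify_port('127.0.0.1', p)}")
        # Pretend policy permits only the closed port: the listener then shows up as a mismatch.
        print("mismatches:", audit_against_policy("127.0.0.1", [open_port, closed_port], {closed_port}))
    finally:
        srv.close()
```

A "filtered" result is the silent drop the second reply recommends, and a "closed" result on a denied port is what a reset-on-deny configuration produces; either way the audit only flags "open" on a denied port, because that is the single outcome the PIX log and the client should never disagree about.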
