Community Member

Port scanning "outside" interface of ASA

Hi,

I'm using nmap and Nessus to port scan the external-facing IP range of my ASA. When I port scan the "outside" IP, my syslog server fills up with deny errors, which is great. However, I have other external IPs which are NAT'd to web servers on my Cisco 3750, which is trunked off the ASA, and these never appear in the syslog server.

It could be just my understanding, but the firewall's ACLs/ACEs are doing all the blocking, so shouldn't the denies be appearing in the ASDM console or syslog server saying they have denied access from a remote IP? It only shows the firewall's "outside" interface IP.

My "outside" interface is simply connected to our ISP's Cisco Internet router, and we have 20 public IPs to assign to various roles like web server, etc.

5 REPLIES
Community Member

Re: Port scanning "outside" interface of ASA

Hi, please try to add ICMP inspection in default_inspection.

Ray

Community Member

Re: Port scanning "outside" interface of ASA

Hello,

This is what I already have:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error

Community Member

Re: Port scanning "outside" interface of ASA

Can you please post your conf?

Community Member

Re: Port scanning "outside" interface of ASA

What parts do you need, as I have to rename so much for security reasons?

Do you think the ASA should be picking up these port scans which are "aimed" at other devices, which go through the ASA?

Community Member

Re: Port scanning "outside" interface of ASA

It depends on your configuration, on what you have allowed or denied. Please post your conf; you can hide or change details.
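One way to check whether the ASA is actually logging denies against the NAT'd servers, as an added example that is not part of the thread: parse the %ASA-4-106023 "Deny ... by access-group" syslog messages and count distinct denied destination ports per source and destination. On ASA 8.3 and later the outside ACL is evaluated against the real (untranslated) address, so a deny aimed at a NAT'd public IP is logged with the server's inside address and egress interface; the script maps it back to the public address via a static NAT table. The log lines and the NAT_MAP addresses are constructed for this example, not taken from the poster's network.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in %ASA-4-106023 format (not from the thread).
SAMPLE_LOG = """\
Mar 01 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41001 dst dmz:10.10.10.5/22 by access-group "outside_access_in" [0x0, 0x0]
Mar 01 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41002 dst dmz:10.10.10.5/23 by access-group "outside_access_in" [0x0, 0x0]
Mar 01 10:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41003 dst dmz:10.10.10.5/445 by access-group "outside_access_in" [0x0, 0x0]
Mar 01 10:00:02 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.7/41004 dst dmz:10.10.10.5/161 by access-group "outside_access_in" [0x0, 0x0]
Mar 01 10:00:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41005 dst dmz:10.10.10.6/3389 by access-group "outside_access_in" [0x0, 0x0]
Mar 01 10:00:09 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.9/5555 dst dmz:10.10.10.5/8080 by access-group "outside_access_in" [0x0, 0x0]
"""

# Hypothetical static NAT table: real (inside/dmz) address -> public address.
NAT_MAP = {"10.10.10.5": "203.0.113.10"}

# 106023 fields: protocol, src interface:ip/port, dst interface:ip/port.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Yield (src_ip, public_dst_ip, dst_port) for every 106023 deny line.

    The logged destination is the real address; translate it back to the
    public address when it appears in NAT_MAP, otherwise keep it as logged.
    """
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        dst = m.group("dst")
        yield m.group("src"), NAT_MAP.get(dst, dst), int(m.group("dport"))


def scan_summary(log_text, min_ports=3):
    """Distinct denied ports per (src, public_dst); keep pairs with >= min_ports."""
    ports = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), plist in scan_summary(SAMPLE_LOG).items():
        print(f"{src} probed {dst} on {len(plist)} denied ports: {plist}")
```

If a public IP from the NAT range never shows up in this summary while the scanner was hitting it, the traffic is not reaching an ACL that logs denies, which is a configuration question rather than a logging one.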
