Cisco Support Community
New Member

AIP-SSM reconnaissance question

Hi,

I am doing some NMAP regular reconnaissance tests through our ASA w/IPS.  These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003.  Wireshark captures show that NMAP uses TCP as opposed to the UDP specified on signature 4003.

Please assist.

4 REPLIES
Cisco Employee

Re: AIP-SSM reconnaissance question

You can customize the signature based on TCP.

PK

New Member

Re: AIP-SSM reconnaissance question

Mark,

Have you modified the ASA's ACLs to allow all ports?  Some organization's AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.

New Member

Re: AIP-SSM reconnaissance question

Hi,

No ACL dropping packets.  With the IPS on in fail-open, nmap scans still go through.

Please advise.

Cisco Employee

Re: AIP-SSM reconnaissance question

Is the IPS configured in promiscuous or inline mode?

What is the event action for the signature# that matches the NMAP traffic?
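
The two checks raised in this thread (does the signature key on the right protocol, and can the sensor actually drop in its current mode) can be modelled in a few lines. The following is an added illustration, not Cisco code and not the real definitions of signatures 3002 or 4003: the signature fields (protocol, distinct-port threshold, action set), the flow records and the sweep traffic are all constructed here, and the sensor-mode rule (a promiscuous sensor only sees a copy of the traffic, so a deny action cannot remove packets from the data path) is the general IPS behaviour the last reply is probing for.

```python
"""Toy model of why a scan can pass an IPS: protocol-keyed signatures and sensor mode.

Added illustration, not Cisco code. The signature ids below reuse the numbers named in
the thread, but their fields are simplified assumptions, not the vendor definitions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags; "S" marks a bare SYN as sent by a SYN scan


@dataclass(frozen=True)
class Signature:
    sig_id: str
    proto: str            # protocol the signature engine inspects
    unique_ports: int     # fire once one source has touched this many distinct ports
    actions: frozenset    # e.g. {"produce-alert", "deny-packet-inline"}


def evaluate(flows, signatures, sensor_mode):
    """Return {sig_id: {"fired": bool, "dropped": bool}} for a list of flows.

    A signature counts only flows of its own protocol, so a UDP-keyed sweep
    signature never accumulates TCP SYNs.  A drop action takes effect only when
    the sensor is inline; in promiscuous mode the sensor can still alert, but the
    packets it saw have already been forwarded.
    """
    result = {}
    for sig in signatures:
        seen = defaultdict(set)  # source -> set of distinct destination ports
        fired = False
        for f in flows:
            if f.proto != sig.proto:
                continue
            if sig.proto == "tcp" and f.flags != "S":
                continue
            seen[f.src].add(f.dport)
            if len(seen[f.src]) >= sig.unique_ports:
                fired = True
        dropped = (fired and sensor_mode == "inline"
                   and "deny-packet-inline" in sig.actions)
        result[sig.sig_id] = {"fired": fired, "dropped": dropped}
    return result


# Constructed sample: an nmap-style TCP SYN sweep of 20 ports from one host.
SYN_SWEEP = [Flow("10.0.0.5", "10.0.1.20", "tcp", p, "S") for p in range(20, 40)]

# Constructed signature set: the UDP-keyed original, a TCP-keyed copy of it
# (the "customize the signature based on TCP" suggestion), and one whose
# event action is alert-only.
SIGS = [
    Signature("4003-udp-sweep", "udp", 15,
              frozenset({"produce-alert", "deny-packet-inline"})),
    Signature("4003-tcp-custom", "tcp", 15,
              frozenset({"produce-alert", "deny-packet-inline"})),
    Signature("3002-alert-only", "tcp", 15,
              frozenset({"produce-alert"})),
]


def inline_result():
    return evaluate(SYN_SWEEP, SIGS, "inline")


def promiscuous_result():
    return evaluate(SYN_SWEEP, SIGS, "promiscuous")


if __name__ == "__main__":
    for mode in ("inline", "promiscuous"):
        print(mode, evaluate(SYN_SWEEP, SIGS, mode))
```

Running it shows the three failure modes the thread circles around: the UDP-keyed signature never fires on a TCP SYN sweep at all, the alert-only signature fires but drops nothing in either mode, and the TCP-keyed signature with a deny action drops the sweep only when the sensor is inline. Checking each of those three things (protocol of the signature engine, event action, and inline versus promiscuous) against the real sensor configuration is the diagnostic path the last reply is pointing at.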

289 Views, 0 Helpful, 4 Replies