01-14-2009 01:24 PM - edited 03-06-2019 03:26 AM
All,
Is there a way to keep nmap from scanning the network?
What I have is a wireless access point, and I have an acl on the radio that denies access to any of our internal subnets. This works great. I can't ping any of my internal networks from the guest side which is what I want.
BUT, I can use nmap and scan all of my internal subnets and get back names, ip addresses, open ports, etc. Is there a way to avoid this?
Thanks!
John
01-14-2009 02:00 PM
John
Do you mean when you use nmap from the same side of the AP that you test ping from?
If so, what traffic are you allowing through on your ACL?
Jon
01-14-2009 02:06 PM
Yes. When I'm connected to the guest side (10.20.1.0), I can't ping anything. That's what I want, but I can run nmap and get everything back.
Wireless: 10.20.1.0
LAN: 10.15.2.0
Cannot ping 10.15.2.1 (router)
Cannot ping 10.15.2.5 (switch)
Can ping 10.15.2.50 (dhcp/dns server)
Cannot ping 10.15.2.99 (AS400)
Run nmap and everything shows up.
My acl is applied inbound on the radio, and it looks like:
permit udp any any eq bootps (41 matches)
permit tcp any any established
permit udp 10.20.1.0 0.0.0.255 host 10.15.2.50 eq domain (76 matches)
deny ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255 (281 matches)
deny ip 10.20.1.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.20.1.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 10.20.1.0 0.0.0.255 any (542 matches)
Thanks Jon,
John
01-14-2009 02:12 PM
John
Apologies if I'm asking the question you are asking me, but do you know which lines nmap is getting through on? I would expect it to be getting through on the "permit tcp any any established" line, but there are no hits showing there.
What options are you running from nmap, i.e. what TCP flags are you setting, etc.?
I have used nmap before and it was a damn clever tool when I used it, and that was a while back.
Bear in mind that nmap often tries to ping the device first, but it doesn't seem as though that is what you are doing.
Jon
01-14-2009 02:19 PM
For this test, I was just using the command line:
nmap -sP 10.15.2.0/24
That tells nmap to ping everything. There's an option in nmap -P0 which tells nmap to not ping, but assume the host is up and start sending SYN packets. I didn't even have to do that.
John
01-14-2009 02:35 PM
John
Nmap -sP sends an ICMP probe but also a TCP ACK packet to port 80, so I was wondering if it got through on the "permit tcp any any established" line, because all the "established" keyword does is look for an ACK in the packet. But there are no hits on that line, which is confusing.
Perhaps you could remove that line and retest.
If it still shows everything, can you post the output of the nmap run?
Jon
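To illustrate Jon's point about the "established" keyword, here is an added example (not from this thread or from Cisco) that models first-match evaluation of the ACL John posted. It assumes a guest client at the constructed address 10.20.1.77 and treats "established" the way the keyword works on IOS: a stateless check for the ACK or RST flag, so an unsolicited ACK probe matches while an ICMP echo or a SYN does not. It also shows a reordered ACL in which the internal-subnet denies sit ahead of the "established" line.

```python
import ipaddress

def _match_net(addr, net, wildcard):
    """Match addr against net/wildcard mask ('any' matches everything)."""
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, pkt):
    """Return (action, line_no) of the first matching entry, else the implicit deny.
    ACL entries: (action, proto, src, src_wc, dst, dst_wc, dport, established)."""
    for i, (action, proto, src, swc, dst, dwc, dport, est) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not _match_net(pkt["src"], src, swc) or not _match_net(pkt["dst"], dst, dwc):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # 'established' only checks that ACK or RST is set; it keeps no state,
        # so an unsolicited ACK probe (nmap -sP's TCP ACK to port 80) matches.
        if est and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return action, i
    return "deny", None

ANY = ("any", "0.0.0.0")
GUEST = ("10.20.1.0", "0.0.0.255")
# The ACL posted in the thread, inbound on the radio (hit counts dropped).
THREAD_ACL = [
    ("permit", "udp", *ANY, *ANY, 67, False),                        # bootps
    ("permit", "tcp", *ANY, *ANY, None, True),                       # established
    ("permit", "udp", *GUEST, "10.15.2.50", "0.0.0.0", 53, False),   # domain
    ("deny", "ip", *GUEST, "10.0.0.0", "0.255.255.255", None, False),
    ("deny", "ip", *GUEST, "192.168.0.0", "0.0.255.255", None, False),
    ("deny", "ip", *GUEST, "172.16.0.0", "0.15.255.255", None, False),
    ("permit", "ip", *GUEST, *ANY, None, False),
]
# Reordered: DHCP and DNS first, then the internal-subnet denies, then 'established'.
HARDENED_ACL = [THREAD_ACL[0], THREAD_ACL[2]] + THREAD_ACL[3:6] + [THREAD_ACL[1], THREAD_ACL[6]]

# Constructed probes from a hypothetical guest client 10.20.1.77 to the router 10.15.2.1.
PING = {"proto": "icmp", "src": "10.20.1.77", "dst": "10.15.2.1"}
ACK_PROBE = {"proto": "tcp", "src": "10.20.1.77", "dst": "10.15.2.1", "dport": 80, "flags": {"ACK"}}
SYN_PROBE = {"proto": "tcp", "src": "10.20.1.77", "dst": "10.15.2.1", "dport": 80, "flags": {"SYN"}}
```

Running evaluate() on the thread's ACL denies the ping and the SYN at line 4 but permits the ACK probe at line 2, which is the hit Jon expected to see; with the reordered ACL the ACK probe is denied at line 3.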
01-14-2009 02:43 PM
Okay, I'll have to set up a test site here in my office because that was at another location today. I'll let you know, but it may be Friday before I can test it.
Thanks Jon!
John