I scanned my PIX 515 firewall (running 5.1(3)) using this software (ISS Internet Scanner), which has a database that lists vulnerabilities, etc. Well, when it scanned us (I had a box on the outside scanning our outside interface) it said that there was a port open. Port 513/udp! What in the world? I do not specifically have that port open (it is for "who", which shows load on the hardware). It also said that I have a vulnerability: traceroute can go through the firewall. I don't understand this. Does anyone have any clues on this? Do the two "problems" I have have anything to do with each other? How can I plug these up?
Start by moving off 5.1(3). There are a few security advisories at http://www.cisco.com/warp/public/707/advisory.html that might be reason enough to move to some newer code. PIX opens and closes ports dynamically all the time. Do you always get this 513 UDP open? ICMP is blocked by default. If you have a "conduit permit icmp any any" line in your config, this could cause that problem. Again, start by upgrading and go from there.
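The reply above suggests looking in the running config for a blanket ICMP conduit. The script below is an added example (not code from either poster) that performs that check, and the related one for UDP/513, over a pasted PIX 5.x configuration. It assumes the PIX 5.x `conduit permit|deny protocol global_addr [operator port] foreign_addr [operator port]` syntax, and the sample configuration and addresses embedded in it are constructed for illustration only.

```python
"""Lint a PIX 5.x configuration dump for two findings from the thread above.

Added example, not from the original posts. It scans 'conduit' lines for
(a) a blanket 'conduit permit icmp any any', which lets ICMP (and so
traceroute replies and echo requests) traverse the firewall, and
(b) any permit conduit that admits UDP/513 (the 'who' service) inbound.
The configuration below is constructed; the addresses are documentation
ranges, not a real deployment.
"""
import re

SAMPLE_CONFIG = """\
PIX Version 5.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 192.0.2.10-192.0.2.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.5 eq www any
conduit permit tcp host 192.0.2.5 eq smtp any
conduit permit icmp any any
conduit permit udp host 192.0.2.5 eq 513 any
"""

# Small subset of the PIX literal port names; numeric ports are also accepted.
PORT_NAMES = {"www": 80, "smtp": 25, "who": 513}

CONDUIT_RE = re.compile(r"^conduit\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _port_value(token):
    """Translate a port token (name or number) to an int, or None if unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def conduit_ports(rest):
    """Return the set of ports a conduit's operators open.

    'eq' and 'range' are resolved to concrete ports. 'lt', 'gt' and 'neq'
    match open-ended sets, so None is returned to signal 'wide'. An empty
    set means no operator was present, i.e. every port of the protocol.
    """
    tokens = rest.split()
    ports = set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "eq" and i + 1 < len(tokens):
            value = _port_value(tokens[i + 1])
            if value is not None:
                ports.add(value)
            i += 2
        elif tok == "range" and i + 2 < len(tokens):
            lo, hi = _port_value(tokens[i + 1]), _port_value(tokens[i + 2])
            if lo is not None and hi is not None:
                ports.update(range(lo, hi + 1))
            i += 3
        elif tok in ("lt", "gt", "neq"):
            return None
        else:
            i += 1
    return ports


def lint(config_text, watch_udp_ports=(513,)):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = CONDUIT_RE.match(line)
        if not match:
            continue
        action, proto, rest = match.groups()
        if action != "permit":
            continue
        if proto == "icmp" and rest.split() == ["any", "any"]:
            findings.append(
                f"line {lineno}: blanket ICMP conduit '{line}'; "
                "traceroute and ping traverse the firewall")
        if proto in ("udp", "ip"):
            ports = conduit_ports(rest)
            # None = open-ended operator, empty = no operator (all ports).
            if ports is None or not ports or ports & set(watch_udp_ports):
                findings.append(
                    f"line {lineno}: conduit '{line}' admits UDP "
                    f"{sorted(watch_udp_ports)} from outside")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `write terminal` (or `show conduit`) from the PIX; a clean config returns an empty list. It only reads conduit lines, so it will not explain a port that the PIX itself answers on, which is why the reply's question about whether UDP/513 is always reported still matters.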