This may seem like a strange question, but I just wanted to clarify the PIX behaviour for blocking traffic.
If you apply your access list to allow port 80/443 and then deny everything else (I know there is an explicit deny, but I still like to add it for logging), does the firewall just drop all packets unless they are on these two ports?
The reason I am asking is because I am doing a port scan on the firewall to test the access-list policy, and using nmap "nmap -sS -T -p0 host" is coming up with a strange result.
"(The 1227 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
135/tcp Filtered msrpc
179/tcp Filtered bgp
443/tcp Open https"
There are two odd results here; the first is the one stating the 1227 ports are in state: Closed. According to insecure.org, this happens when the ports are accessible but no application is responding. If the PIX firewall just dropped these packets, it should be showing up as Filtered.
Is there something extra that needs to be done to drop packets, or is it done by default and this is just a strange thing with NMAP?
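As an added illustration of the distinction the question turns on (not part of the original post), the script below parses the nmap output quoted above and compares it against the intended access-list policy: ports 80 and 443 are expected to be "open", and every other port is expected to be "filtered", which is what a silently dropped SYN produces. A port reported "closed" means a RST came back, so something answered the probe instead of dropping it. The sample output, the allowed-port set and the function names are constructed for this example; the "Not shown:" summary line of newer nmap releases is handled as well as the older wording in the question.

```python
import re

# Constructed sample: the scan output quoted in the question, verbatim.
SAMPLE_NMAP_OUTPUT = """\
(The 1227 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
135/tcp Filtered msrpc
179/tcp Filtered bgp
443/tcp Open https
"""

# One result line per port: "80/tcp open http"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\s+(\S+)",
    re.IGNORECASE,
)
# Older summary wording: "(The 1227 ports scanned but not shown below are in state: closed)"
NOT_SHOWN_OLD = re.compile(
    r"\((?:The )?(\d+) ports? scanned but not shown below (?:are|is) in state: (\w+)\)",
    re.IGNORECASE,
)
# Newer summary wording: "Not shown: 1227 closed ports"
NOT_SHOWN_NEW = re.compile(r"Not shown: (\d+) (\w+) ports?", re.IGNORECASE)


def syn_scan_state(response):
    """Map what a SYN probe got back to the state nmap -sS reports for it."""
    if response == "SYN/ACK":
        return "open"          # a listener completed the handshake
    if response == "RST":
        return "closed"        # the host (or firewall) actively refused
    return "filtered"          # no answer or ICMP unreachable: dropped on the way


def parse_nmap(text):
    """Return ({port: state}, (count, state) for the 'not shown' summary or None)."""
    ports, hidden = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SHOWN_OLD.search(line) or NOT_SHOWN_NEW.search(line)
        if m:
            hidden = (int(m.group(1)), m.group(2).lower())
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(3).lower()
    return ports, hidden


def check_policy(ports, hidden, allowed):
    """Compare scan states against the ACL intent: allowed ports open, all others
    silently dropped (filtered). Returns a list of human-readable findings."""
    findings = []
    for port, state in sorted(ports.items()):
        if port in allowed and state != "open":
            findings.append(f"port {port}: expected open, got {state}")
        elif port not in allowed and state != "filtered":
            findings.append(f"port {port}: expected filtered, got {state} (something answered)")
    if hidden and hidden[1] != "filtered":
        findings.append(
            f"{hidden[0]} unlisted ports reported {hidden[1]}: a RST was sent back, "
            "so those SYNs were not silently dropped"
        )
    return findings


if __name__ == "__main__":
    found_ports, summary = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for line in check_policy(found_ports, summary, allowed={80, 443}):
        print(line)
```

Run against the output in the question, the only finding is the 1227 "closed" ports: the listed ports match the policy, but the bulk of the range answered with a RST rather than being dropped, which is the behaviour worth explaining before trusting the scan as a policy check.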
Your PIX config is right; it is really straightforward. Personally, I had some bad experience with NMAP, and I would reckon that the dodgy result has something to do with the NMAP engine.
If you doubt that applications are opened but not configured on hosts, you can verify that by running one of these services on your internal host(s), let's say FTP, and then telnet to that host using port 21, and you will see that it will not respond. You can even track this session using syslog messages and the "match counter" in your access list.