I would start with a question. What is telling you these ports are open? Are you scanning the outside interface?
The only strange thing I see is the "conduit permit icmp any any" amidst a config using access-lists. According to everything I've read you shouldn't mix conduits and access-lists. Besides, you already have the "permit icmp any any" in your access-list. You may want to tighten that up a bit.
Did you test this from outside of your organization or from the inside of your organization?
On the PIX all ports should be in a closed state unless explicitly permitted in an access-list. Also, traffic should not be able to flow from an interface with a lower security level (i.e., outside) to one with a higher security level (i.e., inside) unless you explicitly permitted it. You have created an access-list and applied it to the outside interface, which is good. You are only permitting mail and DNS to the DMZ. Once again, how did you test this to get these results?
I would also employ the use of attack guards (ip audit) to help against port scans (ip audit name WHATEVER info action alarm reset) from the outside, if possible, and light DoS (ip audit name WHATEVER attack action alarm drop reset), and apply it to the outside interface.
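Putting the advice from the replies above together, here is an added example configuration (not posted by anyone in the thread): an outside access-list that permits only SMTP and DNS to the DMZ hosts, ICMP narrowed to reply and error types instead of "permit icmp any any", no conduit statements, and the info and attack ip audit policies applied to the outside interface. PIX 6.x syntax is assumed, and the DMZ addresses 203.0.113.10 and 203.0.113.11 are placeholders from the documentation range.

```cisco
! Placeholder DMZ hosts: mail relay and DNS server (documentation-range addresses)
! Only the services the DMZ actually offers are reachable from outside
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.11 eq domain
access-list outside_in permit udp any host 203.0.113.11 eq domain

! Instead of "permit icmp any any", allow only the ICMP types needed for
! replies to our own pings and for path MTU / unreachable signalling
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded

! Everything else from outside is dropped by the implicit deny at the end
access-group outside_in in interface outside

! Attack guards: one informational policy (port scans, sweeps) that logs and
! resets, and one attack policy that logs, drops and resets
ip audit name SCAN_INFO info action alarm reset
ip audit name SCAN_ATTACK attack action alarm drop reset
ip audit interface outside SCAN_INFO
ip audit interface outside SCAN_ATTACK
```

Remove any remaining "conduit" lines before applying this, and re-run the port scan from a host that is genuinely outside the firewall to confirm the results.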
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: