We have multiple sites. In some locations, we have a PIX515 behind a 1720 Router. In others, we have only a 1721 with the Firewall Software Set installed (c1700-k9o3sy7-mz.122-11). All equipment was installed and configured by a channel partner with whom we are no longer working. I have been reviewing and learning about the configs, but am by no means an expert.
Using the ShieldsUp port scanner available at www.grc.com, the PIX configurations show all ports in "Stealth" mode. This means that the PIX does not even respond when the ports are scanned.
The 1721 configs, however, do respond to the port scanner but do not pass the traffic. This is "closed" in ShieldsUp terminology. We would prefer the "stealth" performance.
The only thing that jumps out at me in the configs is that the 1721 does not have any FIXUP protocols running.
What is the difference, or what could be missing from the 1721 configuration?
I presume (without seeing your config) that you have the following command on the PIX: `icmp deny any outside`. Basically, by using this command you are saying to deny any ICMP traffic on the outside interface; thus, if any scanners try to scan your network, the PIX will go into 'stealth' mode or become invisible to the outside world.
I'm glad to see that you used Steve Gibson's www site for your testing.
Can you post your config of the 1721? But please remember to change 'real' IPs and passwords, or if you like you can post off-line to me directly: firstname.lastname@example.org
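To make the command named in the reply above concrete, here is an added configuration example (not posted by anyone in this thread and not taken from the original poster's devices). The PIX line is the one the reply presumes; the IOS lines show the setting that controls whether a 1721 running the firewall feature set answers a denied probe. Interface name `FastEthernet0`, access-list number 101 and the 192.0.2.0/24 TEST-NET address are assumptions for illustration only.

```cisco
! Added example, not from the thread. Interface name, ACL number and
! addresses are assumptions; adapt them to the real configuration.

! --- PIX 515 (PIX OS 6.x): the command the first reply presumes ---
! Drops ICMP addressed to the outside interface itself (pings, traceroute
! probes) without sending any reply. ICMP passing *through* the PIX is
! still governed by the access-lists/conduits, not by this line.
icmp deny any outside

! --- IOS firewall feature set on the 1721 ---
! Before: an inbound ACL that denies a packet still makes the router answer
! with ICMP type 3 code 13 (administratively prohibited). A scanner sees
! that reply and reports the port as "closed" instead of "stealth".
interface FastEthernet0
 ip address 192.0.2.2 255.255.255.0
 ip access-group 101 in
!
! (permit lines for legitimately allowed inbound traffic go here)
access-list 101 deny   ip any any log

! After: suppress the ICMP unreachable/prohibited replies on the outside
! interface (and the redirect/proxy-ARP answers it never needs), so a
! denied probe is dropped silently. The ACL above is unchanged; only the
! router's visibility to the scanner changes.
interface FastEthernet0
 no ip unreachables
 no ip redirects
 no ip proxy-arp
```

Two caveats when checking the result: `no ip unreachables` only silences the router's own ICMP error messages, so a TCP probe aimed at a service the router itself listens on (Telnet, SSH, HTTP) will still be answered with a SYN-ACK or RST unless the inbound ACL blocks that traffic; and `log` on the final deny line is what lets you see the probes in the router log while you rescan with ShieldsUp to confirm every port now reads "Stealth".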
You are not missing anything. The "ShieldsUP Port Scanner" will indicate a Stealth status as a normal behavior of a PIX with NAT/PAT configured in response to port probes; even if you are allowing ICMP packets to pass the PIX to the network, this won't help. And it has nothing to do with fixup as well.
The "Stealth" status indicates, as far as I believe, a possible NAT/PAT operation.