We just set up a PIX to use in a very small data center. At this point we have two web servers that are behind the PIX, with static translations defined for both of them. All appears to be working and we can access the web servers as intended.
We are using conduits to open the www and ssl ports via this config:
conduit permit tcp any eq www any
conduit permit tcp any eq https any
conduit permit icmp any any
The icmp entry is to allow an external system to monitor the systems.
What appears odd is that when I test the two IP addresses with Glock Software's AATools port scanner, the output appears to show that other ports (for example, smtp and pop3) are listening. The port scanner also shows a ton of listening UDP ports.
If I try to telnet to port 25 on either system it doesn't work, so it does appear that traffic is being blocked.
Is there a reason that these tcp and udp ports would appear to be listening? I guess I thought that the only ports that would appear to be listening were the ones that were opened via the conduits.
The best thing to do is move away from conduits and only use access control lists. Cisco recommends against conduits, and if you are using conduits with ACLs on the same interface this can result in weird stuff happening. You should not be able to see any other ports other than the ports that you have allowed through that interface. I'm not familiar with the software that you are using so can't really give a definitive answer to your question.
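The conduit-to-ACL migration this reply recommends, written out as an added example (PIX 6.x syntax; it is not configuration from the original thread). The mapped public addresses 203.0.113.10 and 203.0.113.11, the ACL name outside_in and the interface name outside are placeholders, and it narrows the original icmp any any to echo requests only, since that is all an external monitor needs to ping the servers.

```text
! Remove the conduits first: conduits and ACLs should not coexist on one interface
no conduit permit tcp any eq www any
no conduit permit tcp any eq https any
no conduit permit icmp any any
!
! Inbound policy for the outside interface. Pre-8.3 PIX ACLs match the
! global (translated) address, i.e. the public IP of each static translation.
! 203.0.113.10 / 203.0.113.11 are placeholders for the two web servers.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq https
! Monitoring: allow only echo requests to the servers instead of all ICMP
access-list outside_in permit icmp any host 203.0.113.10 echo
access-list outside_in permit icmp any host 203.0.113.11 echo
! Everything not matched above (smtp, pop3, all UDP) hits the implicit deny
access-group outside_in in interface outside
```

After applying it, `show access-list outside_in` reports per-line hit counts, which lets you confirm which rule a scan's connection attempts actually matched.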
Thank you for your feedback. I also tried nmap to see what that would give me. When I probe with a SYN stealth scan, it shows that only 80 and 443 are open ports (as I would expect). However, when I probe using the Connect scan, the system shows the following: