Cisco Support Community

New Member

Port scans on PIX show TCP 80 open even though it's not open in ACL

I'm running scans against multiple PIX firewalls running both 6.3(3) and 6.2(2) code using Nmap, Nessus, and GFI's scanner. All scanners show the expected ports open but also always show TCP 80 open as well, which is not open in the ACL nor statically mapped with port redirection. From my Linux box, I can telnet to the address on port 80 and get connected, but of course I get no response. HTTP servers on all are disabled. I even went so far as to clear the xlate table and verify no PAT entries for HTTP were in use during the scan. I just cannot figure out why these PIXes would show 80 open.

I don't believe this to be a security flaw as I can't seem to be able to do anything with this information but I do have to submit scan reports to my customers and I'm sure they will want to know why 80 shows open. I know I would...

Any ideas?

Thanks,

Rik

5 REPLIES
Cisco Employee

Re: Port scans on PIX show TCP 80 open even though it's not open

Hi,

I could not get to some definite answer to this one. But it seems like PIX does behave like that.

According to some discussions, since PIX was created with security in mind, it is one way of spoofing outside attackers with the said port/s.

To really determine if the ports are open, try running portscan and Ethereal at the same time, then check the results of Ethereal against that of portscan.

Thanks

Nadeem
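A small script for the cross-check Nadeem suggests above, as an added example that is not part of this thread or of any Cisco tool: it connects to a port, sends a plain HTTP HEAD and records whether anything at all comes back, so a scanner's "open" on TCP 80 can be separated into "handshake completes but the device never answers" (what Rik describes) and "a real service responds". The four labels and the loopback stand-in listener are assumptions made for the example.

```python
import socket
import threading

# Added example, not code from the thread. Sorts a TCP port into one of four
# assumed buckets so a scanner's "open" verdict can be cross-checked by hand:
# "closed", "filtered", "open-silent", "open-responding".

def classify_port(host, port, timeout=2.0):
    """Connect, send a plain HTTP HEAD, and report what actually came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"       # RST to our SYN: nothing is listening
    except OSError:
        return "filtered"     # no SYN/ACK at all (timeout or unreachable)
    try:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        data = s.recv(512)
    except OSError:
        data = b""            # timeout or reset after the handshake
    finally:
        s.close()
    # Handshake completed but no bytes ever came back: what Rik saw on TCP 80.
    return "open-responding" if data else "open-silent"

def start_listener(reply):
    """Constructed loopback stand-in: accepts, then either replies or hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(512)
                if reply:
                    conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """Reserve and release a loopback port so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `classify_port` against the two loopback listeners and an unused port to see all three reachable outcomes; pointed at a real firewall address it reports what the scanner's "open" actually means.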

New Member

Re: Port scans on PIX show TCP 80 open even though it's not open

Hmmm...interesting thought...something like a built-in honeypot? Still, I'd rather not see that function as it becomes something of a signature for the PIX. I'd rather be totally anonymous and keep them guessing.

Rik

New Member

Re: Port scans on PIX show TCP 80 open even though it's not open

Is the pix web server (pdm) enabled by chance?

Silver

Re: Port scans on PIX show TCP 80 open even though it's not open

I got the same behaviour scanning a client's pix (running 6.3) with nmap-nt 3.45 from outside their network. They should have no open tcp ports - their web hosting is outsourced.

New Member

Re: Port scans on PIX show TCP 80 open even though it's not open

I had the same thought too but I never use the PDM. I verified it, however, and all were disabled.
