385 Views · 0 Helpful · 5 Replies

Port scans on PIX show TCP 80 open even though it's not open in ACL

rguyler
Level 1

I'm running scans against multiple PIX firewalls running both 6.3(3) and 6.2(2) code using NMap, Nessus, and GFI's scanner. All scanners show the expected ports open but also always show TCP 80 open as well, which is not open in the ACL nor statically mapped with port redirection. From my Linux box, I can telnet to the address on port 80 and get connected but of course I get no response. HTTP servers on all are disabled. I even went so far as to clear the xlate table and verify no PAT entries for HTTP in use during the scan. I just cannot figure out why these PIXes would show 80 open?

I don't believe this to be a security flaw as I can't seem to be able to do anything with this information but I do have to submit scan reports to my customers and I'm sure they will want to know why 80 shows open. I know I would...

Any ideas?

Thanks,

Rik

5 Replies

nkhawaja
Cisco Employee

Hi,

I could not get to a definite answer on this one. But it seems like the PIX does behave like that.

According to some discussions, since the PIX was created with security in mind, it is one way of spoofing outside attackers with the said port/s.

To really determine if the ports are open, try running a port scan and Ethereal at the same time, then check the results of Ethereal against those of the port scan.

Thanks

Nadeem
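One way to do the comparison Nadeem suggests, as an added example that is not part of this thread: the script below classifies each probed port from tcpdump-style summary lines (a constructed sample, not a real capture; 203.0.113.1 stands in for the firewall's outside address), separating a port that completes the TCP handshake but never sends any data from one backed by a real service.

```python
"""Compare a scanner's 'open' verdict against what the capture actually shows.

A SYN scanner reports a port open as soon as it sees SYN/ACK. Classifying each
port by what the far end sends after the handshake separates a real service
from a device that merely accepts the connection and then stays silent."""
import re
from collections import defaultdict

# tcpdump-style summary lines (constructed sample, not a real capture).
# 203.0.113.1 is a documentation address standing in for the firewall.
SAMPLE_CAPTURE = """\
IP 10.0.0.5.40001 > 203.0.113.1.80: Flags [S], seq 100, length 0
IP 203.0.113.1.80 > 10.0.0.5.40001: Flags [S.], seq 500, ack 101, length 0
IP 10.0.0.5.40001 > 203.0.113.1.80: Flags [.], ack 501, length 0
IP 10.0.0.5.40001 > 203.0.113.1.80: Flags [P.], seq 101:119, ack 501, length 18
IP 10.0.0.5.40001 > 203.0.113.1.80: Flags [F.], seq 119, ack 501, length 0
IP 10.0.0.5.40002 > 203.0.113.1.443: Flags [S], seq 200, length 0
IP 203.0.113.1.443 > 10.0.0.5.40002: Flags [S.], seq 600, ack 201, length 0
IP 10.0.0.5.40002 > 203.0.113.1.443: Flags [P.], seq 201:300, ack 601, length 99
IP 203.0.113.1.443 > 10.0.0.5.40002: Flags [P.], seq 601:1200, ack 300, length 599
IP 10.0.0.5.40003 > 203.0.113.1.23: Flags [S], seq 300, length 0
IP 203.0.113.1.23 > 10.0.0.5.40003: Flags [R.], seq 0, ack 301, length 0
IP 10.0.0.5.40004 > 203.0.113.1.22: Flags [S], seq 400, length 0
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\].*?length (\d+)")

def _split(addr):
    ip, port = addr.rsplit(".", 1)   # "a.b.c.d.port" -> ("a.b.c.d", port)
    return ip, int(port)

def classify_ports(capture, target_ip):
    """Return {port: verdict} for every port probed on target_ip."""
    state = defaultdict(lambda: {"synack": False, "rst": False, "server_bytes": 0})
    for m in LINE_RE.finditer(capture):
        src, dst, flags, length = m.groups()
        sip, sport = _split(src)
        dip, dport = _split(dst)
        if dip == target_ip:
            state[dport]              # register the probed port
        elif sip == target_ip:        # reply coming back from the firewall
            s = state[sport]
            if "R" in flags: s["rst"] = True
            if "S" in flags and "." in flags: s["synack"] = True
            s["server_bytes"] += int(length)   # payload bytes the server sent
    verdicts = {}
    for port, s in state.items():
        if s["rst"]: verdicts[port] = "closed: RST"
        elif s["synack"] and s["server_bytes"] > 0: verdicts[port] = "service answered"
        elif s["synack"]: verdicts[port] = "handshake only: accepted, no service data"
        else: verdicts[port] = "no reply: filtered"
    return verdicts

if __name__ == "__main__":
    for port, verdict in sorted(classify_ports(SAMPLE_CAPTURE, "203.0.113.1").items()):
        print(f"tcp/{port}: {verdict}")
```

A port whose verdict is "handshake only" is what the scanners in this thread call open; the capture is what tells you no service ever answered behind it.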

Hmmm...interesting thought...something like a built-in honeypot? Still, I'd rather not see that function as it becomes something of a signature for the PIX. I'd rather be totally anonymous and keep them guessing.

Rik

patrick.cannon
Level 1

Is the PIX web server (PDM) enabled, by chance?

I got the same behaviour scanning a client's pix (running 6.3) with nmap-nt 3.45 from outside their network. They should have no open tcp ports - their web hosting is outsourced.

I had the same thought too but I never use the PDM. I verified it, however, and all were disabled.
