ports go from stealth to closed or blocked on on scans after pix upgrade

eric_garnel
Level 1

I just upgraded a client's PIX from 6.0.1 to 6.2.2 software and, just for kicks, we went to a few online scan services such as GRC and Sygate to run a few scans against the PIX. Prior to the upgrade, every port showed up as stealth or blocked. After the upgrade, we ran the tests again and the ports showed up as "closed".

WTF?

Granted, many online tests have to be taken with a grain of salt as far as their results go, but still, it was quite shocking to the client. I rolled the PIX back to 6.0.1 and re-ran the same tests; now they come back as stealth or blocked.

4 Replies

dejarman
Level 1

Beginning in PIX Software version 5.2.1, ICMP is still permitted by default, but ping responses from the PIX's own interfaces can be disabled with the icmp command (that is, a "stealth PIX"):

icmp permit|deny [host] src_addr [src_mask] [type] int_name

http://www.cisco.com/warp/public/110/31.html#pingown

That is great for ICMP, but it doesn't answer the original question.

ICMP has been "locked down" on this particular PIX.
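As a worked example of the icmp command syntax quoted above (added here; it is not configuration from this thread or from Cisco's document), the following lines make a "stealth PIX" that does not answer pings on its outside interface while still accepting the ICMP error messages that path-MTU discovery and traceroute depend on. The interface name outside is an assumption.

```cisco
! Added example of the PIX 6.x "icmp" command (not from the original thread).
! Assumes the external interface is named "outside".
!
! Rules are evaluated in order and the first match wins, so the permits
! must come before the catch-all deny.
!
! Let ICMP error messages that PMTUD and traceroute rely on reach the PIX itself.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
!
! Drop every other ICMP type addressed to the outside interface, including echo,
! so the PIX does not reply to pings from the Internet.
icmp deny any outside
!
! Verify the rule order with: show icmp
```

These rules govern only ICMP addressed to the PIX's own interface; they do not filter traffic passing through the firewall and say nothing about TCP, so on their own they do not change whether a TCP port scan of the outside interface reports a port as "closed" or as stealth.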

rstaaf
Level 1

Have you compared the config file from the 6.0.1 install to the config after the 6.2.2 upgrade to make sure that nothing has changed? I am not talking about the PDM; go in and print out the config and compare it line for line. Also, what are you actually scanning, clients behind the PIX or the outside interface of the PIX?

Bob Staaf

Southern Web Services

Central, SC

The config is the same except for an alias command for one web server. I am referring to the outside interface of the PIX. I can't use the PDM with the alias command (I prefer the CLI anyway) and will replace the alias later on with the new DNS (NAT?) feature. I will venture a guess that it may have to do with the new bi-directional NAT feature.
