
New Member

Port scan

We have a regional network coming into our DMZ on our Pix 515. We have an IP any any rule and have not locked down what ports they need to use (AD, Exchange, File server, internet). Is there a port monitor we can use to list all the ports over some time through our DMZ? Then we can use this to lock it down.

5 REPLIES

Re: Port scan

Free online scan tool http://www.qualys.com

I don't like to put a link here for port scanner. Post your email address and I will send the link to you.

New Member

Re: Port scan

Got it, thanks.

Hall of Fame Super Blue

Re: Port scan

Hi

Just as an alternative, you could have a "permit ip any any log" on your PIX. This would log all access on that DMZ. As you determine the ports, you can modify the access-list to add in the individual port entries. Keep the "permit ip any any log" at the end until you have accounted for all the ports, i.e. all your other rules are catching the traffic and not your catch-all rule.

Obviously this would generate a fair bit of logging, so you'll need disk space and be aware of the additional bandwidth being used.

HTH

Jon
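One way to turn the syslog produced by that "permit ip any any log" entry into the port list the original poster wants. This is an added example, not code from the thread or from Cisco: it parses the 106100 access-list messages a PIX/ASA emits for a logged ACE and aggregates permitted flows by protocol and destination port, with the distinct source and destination hosts seen, so the catch-all can be replaced by specific entries. The regex and the sample log lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Shape of the 106100 message the PIX emits for an ACE carrying the "log" keyword
# (assumption: follows the documented syslog format; regex written for this example).
ACL_LOG = re.compile(
    r"%(?:PIX|ASA)-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[\w-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[\w-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_acl_log(line):
    """Return the fields of one 106100 line, or None for any other syslog message."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hits"):
        rec[k] = int(rec[k])
    return rec

def summarize_ports(lines, acl=None):
    """Aggregate permitted flows by (proto, dst port): total hits, distinct sources/dests."""
    hits, sources, dests = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "permitted" or (acl and rec["acl"] != acl):
            continue  # skip other messages, denied flows, and other ACLs
        key = (rec["proto"], rec["dport"])
        hits[key] += rec["hits"]
        sources[key].add(rec["src"])
        dests[key].add(rec["dst"])
    return {k: {"hits": n, "sources": sorted(sources[k]), "dests": sorted(dests[k])}
            for k, n in hits.items()}

# Constructed sample: four permitted flows, one denied flow, one unrelated message.
SAMPLE_LOG = """\
Jan 10 2008 09:12:01 pix %PIX-6-106100: access-list dmz_in permitted tcp dmz/10.20.1.15(49152) -> inside/192.168.1.10(445) hit-cnt 1 (first hit) [0x1a2b3c4d, 0x0]
Jan 10 2008 09:12:03 pix %PIX-6-106100: access-list dmz_in permitted tcp dmz/10.20.1.15(49153) -> inside/192.168.1.20(389) hit-cnt 4 (300-second interval) [0x5e6f7a8b, 0x0]
Jan 10 2008 09:12:05 pix %PIX-6-106100: access-list dmz_in permitted udp dmz/10.20.1.16(53012) -> inside/192.168.1.20(53) hit-cnt 12 (300-second interval) [0x9c0d1e2f, 0x0]
Jan 10 2008 09:12:07 pix %PIX-6-106100: access-list dmz_in permitted tcp dmz/10.20.1.17(49170) -> inside/192.168.1.10(445) hit-cnt 2 (300-second interval) [0x3a4b5c6d, 0x0]
Jan 10 2008 09:12:09 pix %PIX-6-106100: access-list dmz_in denied tcp dmz/10.20.1.99(50000) -> inside/192.168.1.10(3389) hit-cnt 1 (first hit) [0x7e8f9a0b, 0x0]
Jan 10 2008 09:12:11 pix %PIX-6-302013: Built inbound TCP connection 12345 for dmz:10.20.1.15/49152 (10.20.1.15/49152) to inside:192.168.1.10/445 (192.168.1.10/445)
""".splitlines()

if __name__ == "__main__":
    for (proto, port), info in sorted(summarize_ports(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {info['hits']} hits from {info['sources']} to {info['dests']}")
```

Run it against the syslog file collected over the observation window; the "hits" column shows which ports carry real traffic and the "dests" column tells you which inside hosts each specific permit entry needs to name.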

New Member

Re: Port scan

For the logging, where would I point it to? I am using ASDM.

Hall of Fame Super Blue

Re: Port scan

Hi

You would need a syslog server to point the traffic to. Do you have one of these?

Jon
