https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4306833#M566103 <P>This sounds like an ACL issue on the WLC as stated by <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/321306">@Francesco Molino</a> .</P> <P>&nbsp;</P> Sat, 13 Mar 2021 19:50:20 GMT thomas 2021-03-13T19:50:20Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303539#M565959 <P><SPAN>Hello Team</SPAN></P><P><SPAN>Please how to Block NMAP port Scanning from Guest wireless Network ?</SPAN></P><P><SPAN>I have configure Guest wireless. Guest is not able to ping Any ressource But NMAP scanning is working. All Private IP execept ISE, DHCP and DNS is Deny, but NMAP is still able to see others Clients connected</SPAN></P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P><SPAN>Zanga</SPAN></P> Mon, 08 Mar 2021 22:49:43 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303539#M565959 O.Zang 2021-03-08T22:49:43Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303609#M565963 <P>Hi</P> <P>&nbsp;</P> <P>The guest is going through a FW? How you wanted to block the nmap for guests? Were you thinking using a simple ACL or using a next-gen FW (IPS and/or blocking based on application detection)?</P> <P>&nbsp;</P> <P>By ACL, you won’t be able to block it without blocking legitimate traffic. The 2nd option will be the way to go.</P> <P>&nbsp;</P> Tue, 09 Mar 2021 03:21:52 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303609#M565963 Francesco Molino 2021-03-09T03:21:52Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303676#M565967 <P>Thank for your response&nbsp;<SPAN>Francesco.</SPAN></P><P>The wireless Guest are not going through an firewall.</P><P>I have deny access to all private IP range excempt for ISE, DNS, and DHCP via the WLC Flexconnect ACL.</P><P>Ping, and SSH, or Telnet from Putty is not working. But NMAP is still able to scan the Network.</P><P>Thanks</P><P>Zang</P> Tue, 09 Mar 2021 06:04:05 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4303676#M565967 O.Zang 2021-03-09T06:04:05Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4306094#M566079 <P>Can you share the ACL you’ve implemented?</P> Fri, 12 Mar 2021 03:58:56 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4306094#M566079 Francesco Molino 2021-03-12T03:58:56Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4306833#M566103 <P>This sounds like an ACL issue on the WLC as stated by <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/321306">@Francesco Molino</a> .</P> <P>&nbsp;</P> Sat, 13 Mar 2021 19:50:20 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4306833#M566103 thomas 2021-03-13T19:50:20Z https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4924932#M584105 <P>We are using 9800 WLC with DNAC solution and facing the same challenges. Since Guest is open to connect and outsiders is able to see the connected Mac address by nmap scan hence able to bypass portal authenticaiton by spoofing valid connected user mac address.</P><P>Cisco is unable to provide any solutions.</P> Mon, 18 Sep 2023 10:58:31 GMT https://community.cisco.com/t5/network-access-control/block-nmap-port-scanning-from-guest-wireless-network/m-p/4924932#M584105 seemon 2023-09-18T10:58:31Z