topic Re: nmap inconsistent results through AnyConnect VPN in Network Security

nmap inconsistent results through AnyConnect VPN

Eric Snijders — Fri, 21 Feb 2020 16:17:30 GMT

Hi All,

I'm trying to run some nmap scans to inside subnets over AnyConnect VPN, but the results are very incosistent. Meaning: sometimes even just a basic portscan will report 0 hosts as up. 5 seconds later the same scan shows the right hosts as up, and the output seems correct.

First every IP within every subnet was reporting as up, but then i disabled "Send Reset Reply for denied inbound TCP connections". But even after that the results are still not as i expect.

So my questions:
1. Is it even recommended/possible to run nmap scans through a (AnyConnect) VPN tunnel?

2. The traffic flows through 2 ASA's (1 for the AnyConnect entry, the other one for the actual routing/firewalling of our production traffic). Are there any specific settings i have to think of to get this to work?

Re: nmap inconsistent results through AnyConnect VPN

johnd2310 — Sat, 29 Sep 2018 03:34:16 GMT

Hi,

I would guess the ASAs are messing with your scans. I wouldn't do a scan through a firewall especially with the ASA inspection/threat-detection policies are turned on.

You can run scans over anyconnect if the intent is to see what the vpn clients can access. For most scans, it wouldn't be recommended to scan from a vpn client because firewall inspection and ips would interfere with the scans.I would recommend you use a host on the network for your scans
The firewall rules, inspection and ips wold need to be evaluated before you can consider doing scans from vpn

Thanks

John

Re: nmap inconsistent results through AnyConnect VPN

Eric Snijders — Sat, 29 Sep 2018 07:54:54 GMT

Hi John,

First of all, thank you for your help. Really appreciate it.

To clarify some things:

In this case we want to scan through AnyConnect VPN.
We have about 15-20 VLAN's, and we want to scan all of them. ACL's on the Firewalls are already updated to allow all connections coming from the nmap-machine.
Threat Detection has been disabled on all the Firewalls.
Traffic is flowing through at least 2 firewalls. If i have to change something regarding the inspection policy, i guess i should apply that to every firewall the traffic flows through, right?
If i need to modify antyhing to the inspection policy, what would i have to change?

Basically, i just want all my firewalls to not mess with anything coming from the nmap-machine, but specifically want to scan our endpoints (VM's).

Thanks in advance and have a nice day!