https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398948#M67884 <HTML><HEAD></HEAD><BODY><P>Mark,</P><P></P><P>Have you modified the ASA's ACLs to allow all ports?&nbsp; Some organization's AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.</P></BODY></HTML> Wed, 17 Mar 2010 19:23:18 GMT bnidacoc 2010-03-17T19:23:18Z https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398946#M67881 <P>Hi,</P><P></P><P>I am doing some NMAP regular recoinnassance tests through our ASA w/IPS.&nbsp; These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003.&nbsp; Wireshark applications show that NMAP uses tcp as opposed to UDP specified on signature 4003.</P><P></P><P>Please assist.</P> Sun, 10 Mar 2019 11:55:20 GMT https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398946#M67881 marcusbrutus 2019-03-10T11:55:20Z https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398947#M67883 <HTML><HEAD></HEAD><BODY><P>You can customize the signature based on TCP.</P><P></P><P>PK</P></BODY></HTML> Tue, 16 Mar 2010 20:23:31 GMT https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398947#M67883 Panos Kampanakis 2010-03-16T20:23:31Z https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398948#M67884 <HTML><HEAD></HEAD><BODY><P>Mark,</P><P></P><P>Have you modified the ASA's ACLs to allow all ports?&nbsp; Some organization's AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.</P></BODY></HTML> Wed, 17 Mar 2010 19:23:18 GMT https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398948#M67884 bnidacoc 2010-03-17T19:23:18Z https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398949#M67886 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>No ACL dropping packets.&nbsp; With the IPS on in fail-open, nmap scans still go through.</P><P></P><P>Please advise.</P></BODY></HTML> Thu, 18 Mar 2010 18:54:14 GMT https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398949#M67886 marcusbrutus 2010-03-18T18:54:14Z https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398950#M67887 <HTML><HEAD></HEAD><BODY><P>Is the IPS configured in promiscuous or inline mode?</P><P>What is the event action for the signature# that matches the NMAP traffic?</P></BODY></HTML> Fri, 19 Mar 2010 04:46:34 GMT https://community.cisco.com/t5/network-security/aip-ssm-reconnaissance-question/m-p/1398950#M67887 Jennifer Halim 2010-03-19T04:46:34Z