Beginner

ASA5500X Port Scan

Hello Everyone,

We have a plain ASA (no IDS/IPS, Firepower); we want to determine if the device is being port scanned. Did some quick scans (nmap) and all I see by filtering on the device that I'm scanning from is this:

%ASA-4-313009: Denied invalid ICMP code 9, for outside:scanner.ip.address/6523 (scanner.ip.address/6523) to identity:asa.outside.ip/0 (asa.outside.ip/0), ICMP id 295, ICMP type 8

There was no significant increase in the logs, and no spikes in count, sessions, or health (movement) either.

What event(s) or log messages should we watch out for if the device is being scanned?

Thanks in advance

Collaborator

Re: ASA5500X Port Scan

Hi,

You might need to enable a few things to detect scans.

  1. You can enable access-list logging for the deny at the end of the outside access-list.
  2. You can enable "threat-detection scanning-threat".

You can then look at the "Denied" and "Scanning" messages in the log.

Thanks

John

**Please rate posts you find helpful**
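To show what "looking at the Denied and Scanning messages" can amount to in practice, here is an added example (not from the original thread or from Cisco) that parses constructed ASA syslog lines and flags a source that is denied on many distinct destination ports, alongside hosts the ASA's own threat detection reports. Message IDs 106023 (ACL deny with `log`) and 733101 (scanning-threat) and their text formats are assumed from the ASA syslog documentation; 313009 is the one quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, not taken from the poster's device.
# 313009 is the message in the question; 106023 (ACL deny, emitted once the
# trailing deny ACE carries "log") and 733101 (threat-detection
# scanning-threat) are assumed to be the relevant ASA message IDs.
SAMPLE_LOG = """\
%ASA-4-313009: Denied invalid ICMP code 9, for outside:198.51.100.7/6523 (198.51.100.7/6523) to identity:203.0.113.1/0 (203.0.113.1/0), ICMP id 295, ICMP type 8
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:203.0.113.10/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:203.0.113.10/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:203.0.113.10/25 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40004 dst inside:203.0.113.10/80 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40005 dst inside:203.0.113.10/443 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40006 dst inside:203.0.113.10/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.0.2.55/51000 dst inside:203.0.113.10/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-733101: Host 198.51.100.7 is attacking. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 61
"""

DENY_RE = re.compile(r"%ASA-4-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
SCAN_RE = re.compile(r"%ASA-4-733101: Host ([\d.]+) is (attacking|targeted)")

def analyse(log_text, port_threshold=5):
    """Return (suspects, flagged): sources denied on >= port_threshold distinct
    destination ports, and hosts the ASA itself reported via scanning-threat."""
    ports_by_src = defaultdict(set)   # src ip -> {(dst ip, proto, dst port)}
    flagged = {}                      # host -> "attacking" / "targeted"
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            ports_by_src[src].add((dst, proto, int(dport)))
            continue
        m = SCAN_RE.search(line)
        if m:
            flagged[m.group(1)] = m.group(2)
    suspects = {src: len(p) for src, p in ports_by_src.items() if len(p) >= port_threshold}
    return suspects, flagged

if __name__ == "__main__":
    suspects, flagged = analyse(SAMPLE_LOG)
    for src, n in suspects.items():
        print(f"{src}: denied on {n} distinct ports (scan-like pattern)")
    for host, state in flagged.items():
        print(f"{host}: reported by threat-detection as {state}")
```

The threshold-based count matters because the scanning-threat message only fires once the configured rates are exceeded, so a slow scan may show up only as a spread of ACL deny entries rather than a 733101 event. The single 445 attempt from the second source stays below the threshold and is not reported.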
VIP Advisor

Re: ASA5500X Port Scan

Device scans won't impact ASAs as they aren't targeted for interruption. A DoS attack is what causes interruption.

Port scans are captured in connection built and deny connection logs. What differentiates them is the sequence and the pattern, which you either need to understand to recognize that or use an intelligent tool which can pick it