I have a few 2911 ISRs running on my network that are running zone based or CBAC firewalls depending on when they were deployed. I am testing both configurations with the following 2 NMAP scans, with the following results which are puzzling.
1. TCP SYN Scan- shows that all ports are filtered. (Yay!)
2. TCP Connect Scan- Shows 2 ports open. (Boo!)
I feel confident in my configurations but am looking for counsel to help me understand why these come back open on a TCP Connect Scan.
So just to be sure my configs are solid, I have verified this to be the case on both a CBAC configuration with an ACL denying just about everything from the outside and on a Zone Based firewall. I have also shut down the IP HTTP server and secure server. Doing a "Show IP HTTP Server status" shows it is disabled. I even ran the Cisco "Auto secure" command as an additional step to lock it down, but these ports are still showing open on a TCP connect scan.
Should this behavior be expected?
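One check worth doing from the router side, independent of the external scan, is to list what the router's own control plane is listening on and what it has accepted, then compare that against the two ports the connect scan reports. The commands below are an added example, not part of the original post or of Cisco's answer in the thread; they are standard IOS show commands, and the interpretation notes in the comments are general guidance rather than a diagnosis of this particular router.

```text
! List TCP/UDP ports the router itself (the control plane) is listening on.
! Any port that appears here and is reachable from the outside interface is
! a router service, not a host behind the firewall, and should be compared
! against the ports the connect scan reported.
show control-plane host open-ports

! Show current TCP control blocks, including LISTEN and ESTABLISHED sockets.
! Run this while the connect scan is in progress: a full connect() completes
! the handshake, so a genuinely open router port shows an ESTABLISHED entry.
show tcp brief all

! Confirm the management services are off (the poster already did this one).
show ip http server status

! If NAT is configured (as the first reply asks), check whether an inbound
! static translation or port forward could be answering on those two ports.
show ip nat translations
show running-config | include ip nat

! For a zone based firewall, confirm which zone pair covers traffic to the
! router itself ("self" zone) and what policy applies to it.
show zone-pair security
show policy-map type inspect zone-pair
```

Reading the output together answers the question the two scans raise: if the port is in the open-ports list, the router is terminating the connection itself and the self-zone policy (or the CBAC ACL applied to the outside interface) is what needs review; if it is not, but a NAT entry matches, the reply is coming from a host behind the router rather than from the router.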
Any NAT configured?
I would try upgrading to a gold star software release if you aren't running one already. You may simply be running into an issue already resolved.