Results of NMAP scan on IOS Zone Based Firewalls: Questions

Joshua Engels
Level 1

I have a few 2911 ISRs running on my network that are running zone based or CBAC firewalls depending on when it was deployed.  I am testing both configurations with the following 2 NMAP scans, with the following results, which are puzzling.

1. TCP SYN scan - shows that all ports are filtered. (Yay!)

2. TCP Connect scan - shows 2 ports open. (Boo!)

  1. 80/HTTP
  2. 1720/H.323/Q.931

I feel confident in my configurations but am looking for counsel to help me understand why these come back open on a TCP Connect scan.

So just to be sure my configs are solid, I have verified this to be the case on both a CBAC configuration with an ACL denying just about everything from the outside and on a Zone Based firewall.  I have also shut down the IP HTTP server and secure server.  Doing a "show ip http server status" shows it is disabled.  I even ran the Cisco "auto secure" command as an additional step to lock it down, but these ports are still showing open on a TCP Connect scan.

Should this behavior be expected?
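As an added example (not from the original post or from Cisco), a small Python script that reads nmap `-oX` output from both scans and lists the ports whose reported state differs between them, so each one can be checked against the NAT and zone-pair configuration the replies ask about. The XML below is constructed to mirror the results reported in the post and uses a placeholder address.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for the two scans described in the post
# (placeholder address, not a real host). Ports not listed individually
# fall under the <extraports> default state.
SYN_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX syn.xml 198.51.100.1">
<host><address addr="198.51.100.1" addrtype="ipv4"/>
<ports><extraports state="filtered" count="1000"/></ports></host></nmaprun>"""

CONNECT_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sT -oX connect.xml 198.51.100.1">
<host><address addr="198.51.100.1" addrtype="ipv4"/>
<ports><extraports state="filtered" count="998"/>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="1720"><state state="open" reason="syn-ack"/><service name="h323q931"/></port>
</ports></host></nmaprun>"""


def port_states(xml_text):
    """Return ({(proto, port): state}, default_state_for_unlisted_ports)."""
    root = ET.fromstring(xml_text)
    states, default = {}, "unknown"
    for host in root.iter("host"):
        for extra in host.iter("extraports"):
            default = extra.get("state")
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            states[key] = port.find("state").get("state")
    return states, default


def scan_discrepancies(syn_xml, connect_xml):
    """List (port, proto, syn_state, connect_state) for every port whose
    state differs between the SYN scan and the connect scan. Each entry is
    a port to trace through the NAT and zone-pair configuration by hand."""
    syn, syn_default = port_states(syn_xml)
    con, con_default = port_states(connect_xml)
    diffs = []
    for key in sorted(set(syn) | set(con)):
        s = syn.get(key, syn_default)
        c = con.get(key, con_default)
        if s != c:
            diffs.append((key[1], key[0], s, c))
    return diffs


if __name__ == "__main__":
    for port, proto, s, c in scan_discrepancies(SYN_SCAN_XML, CONNECT_SCAN_XML):
        print(f"{port}/{proto}: SYN scan={s}, connect scan={c}")
```

Run it against real `-oX` files by reading them into the two variables; the script only compares states and never scans anything itself.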

2 Replies

Philip D'Ath
VIP Alumni

Any NAT configured?

I would try upgrading to a gold star software release if you aren't running one already.  You may simply be running into an issue already resolved.

johnlloyd_13
Level 9

hi,

are you running NMAP from 'inside' or 'outside'?

please post sanitized config.
