Block NMAP port Scanning from Guest wireless Network

O.Zang
Level 1

Hello Team

Please, how do I block NMAP port scanning from the Guest wireless network?

I have configured Guest wireless. Guests are not able to ping any resource, but NMAP scanning is working. All private IPs except ISE, DHCP and DNS are denied, but NMAP is still able to see the other connected clients.

Regards

Zanga

5 Replies

Francesco Molino
VIP Alumni

Hi

Is the guest traffic going through a FW? How did you want to block nmap for guests? Were you thinking of using a simple ACL or a next-gen FW (IPS and/or blocking based on application detection)?

With an ACL, you won't be able to block it without blocking legitimate traffic. The 2nd option will be the way to go.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your response, Francesco.

The wireless guests are not going through a firewall.

I have denied access to all private IP ranges except for ISE, DNS, and DHCP via the WLC FlexConnect ACL.

Ping, SSH and Telnet from PuTTY are not working, but NMAP is still able to scan the network.

Thanks

Zang

Can you share the ACL you’ve implemented?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

thomas
Cisco Employee

This sounds like an ACL issue on the WLC, as stated by @Francesco Molino.
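
Both replies above put the symptom down to the ACL itself, so the useful thing to check is how the configured entries are ordered and which flows they actually match. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator that models a guest ACL of the shape Zang describes (infrastructure exceptions first, then deny all RFC 1918 space, then permit the Internet) and runs constructed sample flows through it. The server addresses, the ISE port 8443 and the sample flows are assumptions, and the evaluator models only ordered layer-3/4 matching with an implicit deny, not any WLC-specific feature. It also shows what a misordered copy of the same ACL does: with the catch-all permit placed ahead of the private-range denies, every later entry is shadowed and probes to other private hosts are permitted.

```python
"""Added example (not from the thread): first-match ACL evaluator for a
guest-WLAN ACL. Addresses, ports and flows below are constructed."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed placeholder addresses (assumption; the thread gives none).
ISE_SERVER = "10.0.0.10"
DNS_SERVER = "10.0.0.53"
SOME_OTHER_CLIENT = "10.0.0.50"   # a private host guests must NOT reach
INTERNET_HOST = "198.51.100.10"   # TEST-NET-2, stands in for the Internet


class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "any", "tcp", "udp" or "icmp"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port; None matches any port


class Flow(NamedTuple):
    proto: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """True when every field of the entry covers the flow."""
    if ace.proto != "any" and ace.proto != flow.proto:
        return False
    if ace.dst != "any" and ip_address(flow.dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl, flow):
    """First matching entry wins; an unmatched flow hits the implicit deny.
    Returns (action, index of the entry that fired or None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, flow):
            return ace.action, index
    return "deny", None


def audit(acl, flows):
    """Decisions for each flow, plus entries that never fired first (shadowed
    or simply unexercised by the sample set)."""
    decisions, used = {}, set()
    for flow in flows:
        action, index = evaluate(acl, flow)
        decisions[flow] = action
        if index is not None:
            used.add(index)
    unused = [i for i in range(len(acl)) if i not in used]
    return decisions, unused


# Intended ordering: exceptions, then deny private space, then the Internet.
INTENDED_ACL = [
    Ace("permit", "udp", "any", 67),                 # DHCP is broadcast: port only
    Ace("permit", "udp", f"{DNS_SERVER}/32", 53),
    Ace("permit", "tcp", f"{ISE_SERVER}/32", 8443),  # assumed ISE portal port
    Ace("deny", "any", "10.0.0.0/8", None),
    Ace("deny", "any", "172.16.0.0/12", None),
    Ace("deny", "any", "192.168.0.0/16", None),
    Ace("permit", "any", "any", None),
]

# Same entries, but the catch-all permit was placed first: everything below
# it is shadowed, so the private-range denies never take effect.
MISORDERED_ACL = [INTENDED_ACL[-1]] + INTENDED_ACL[:-1]

SAMPLE_FLOWS = [
    Flow("udp", "255.255.255.255", 67),
    Flow("udp", DNS_SERVER, 53),
    Flow("tcp", ISE_SERVER, 8443),
    Flow("icmp", SOME_OTHER_CLIENT),          # ping to another private host
    Flow("tcp", SOME_OTHER_CLIENT, 22),       # SSH to another private host
    Flow("tcp", SOME_OTHER_CLIENT, 445),      # a typical scanner probe
    Flow("tcp", INTERNET_HOST, 443),
]

if __name__ == "__main__":
    for name, acl in (("intended", INTENDED_ACL), ("misordered", MISORDERED_ACL)):
        decisions, unused = audit(acl, SAMPLE_FLOWS)
        print(f"--- {name} ACL ---")
        for flow, action in decisions.items():
            print(f"{action:6} {flow.proto:4} {flow.dst}:{flow.dport}")
        print("entries that never fired:", unused)
```

Run as a script it prints the decision for every sample flow under both orderings; `audit` also lists the entries that never fired, which is a quick way to spot shadowed lines when reviewing the ACL Francesco asked for. Feeding it the real entries and the real server addresses in place of the placeholders turns it into a simple pre-deployment check of the ACL's ordering.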

seemon
Level 1

We are using a 9800 WLC with the DNAC solution and are facing the same challenge. Since the Guest SSID is open to connect, outsiders are able to see the MAC addresses of connected clients with an nmap scan and hence bypass portal authentication by spoofing a validly connected user's MAC address.

Cisco is unable to provide any solutions.