03-03-2018 09:09 AM - edited 02-21-2020 07:28 AM
We performed our routine penetration testing, and performed a port scan. We just upgraded to a new ASA with a 9.8 version. We noticed that all of our ports were open; we used NMAP externally. Although we couldn't connect via a telnet test (telnet IP PORT). The connection would get established, but right away reset a second later.
We have a smart net subscription, so I called a tech and got support. After his review, he agreed that everything seemed to be configured properly on our side. He mentioned that the newer ASA has a TCP reset function, where the connection would reset if the port is not opened and a connection is attempted. The tech and I went over all the listening ports and established connections, and everything seemed to be OK.
My questions are, is there a way to have the port blocked other than TCP reset?
Can anyone explain the TCP reset in ASA? Seems like I can't find much online (unless I am a bad googler :))
And if there are any FREE networking tools that I can use to create a scan taking into account a tcp reset.
Thanks,
03-03-2018 10:01 PM
It sounds like you're triggering the TCP intercept feature documented here:
Protect Servers from a SYN Flood DoS Attack (TCP Intercept)
Are you running NMAP from a source on the outside interface of the ASA? Are you attempting to scan the outside IP of the ASA? Or a device behind the ASA via NAT?
Do you have an explicit deny ACL on the outside interface inbound?
03-06-2018 06:43 AM
Scanning from outside. Using NMAP on outside interface public IP. And yes I have an explicit deny rule.
The tech sent me documentation on the feature. He said it is called "service resetoutbound".
It is noted here https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3.pdf
It looks like the connection is resetting exactly how the tech described. When I attempt to telnet to the firewall from outside, it connects, but disconnects 1 second later, resetting the connection. What are the advantages of this? I would think just blocking would be a better solution, instead of allowing a connection, even for a second.
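The scan the thread asks about, as an added example that is not from the thread, the poster or Cisco: a small Python probe that does not trust the completed handshake alone (which is all a plain nmap connect or SYN scan checks) but holds each connection open briefly and distinguishes a port that stays up or sends a banner from one that the firewall accepts and then resets. The local "reset", "silent" and "banner" listeners are constructed here to stand in for the ASA and for real services; the function names (probe_tcp_port, scan, start_listener, demo) and the verdict labels are my own.

```python
import socket
import struct
import threading
import time


def probe_tcp_port(host, port, hold=1.5, connect_timeout=3.0):
    """Classify host:port as 'open', 'reset_after_accept',
    'closed_after_accept', 'refused' or 'filtered'.

    After connect() succeeds we keep the socket for `hold` seconds and watch
    what the peer does next instead of reporting 'open' immediately."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(connect_timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "refused"               # RST answered our SYN: nothing listening
    except ConnectionResetError:
        sock.close()
        return "reset_after_accept"    # handshake finished, RST arrived before connect() returned
    except OSError:                    # includes socket.timeout
        sock.close()
        return "filtered"              # SYN silently dropped or host unreachable

    sock.settimeout(hold)
    try:
        data = sock.recv(1)
    except socket.timeout:
        return "open"                  # still connected; peer waits for us to speak
    except ConnectionResetError:
        return "reset_after_accept"    # handshake completed, then RST: the behaviour in the thread
    finally:
        sock.close()
    if data == b"":
        return "closed_after_accept"   # orderly FIN right after the handshake
    return "open"                      # peer sent a banner: a real service


def scan(host, ports, hold=1.5):
    """Probe each port in turn and return {port: verdict}."""
    return {p: probe_tcp_port(host, p, hold=hold) for p in ports}


def start_listener(behaviour):
    """Constructed local stand-in for a peer; returns the port it listens on.
    'reset'  : accept, pause briefly, then send RST (firewall-style reset)
    'silent' : accept and wait for the client to talk (e.g. an SMTP-less echo)
    'banner' : accept and send a greeting line (e.g. an FTP/SMTP-like service)"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            if behaviour == "reset":
                time.sleep(0.3)
                # SO_LINGER with a zero timeout makes close() emit RST instead of FIN.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
                conn.close()
            elif behaviour == "banner":
                conn.sendall(b"220 example service ready\r\n")
                time.sleep(5)
                conn.close()
            else:
                time.sleep(5)
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a localhost port with no listener, to show the 'refused' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(hold=1.0):
    """Run the probe against the three constructed listeners plus an unused
    port and return {behaviour: verdict}."""
    ports = {b: start_listener(b) for b in ("reset", "silent", "banner")}
    ports["nothing"] = unused_port()
    return {name: probe_tcp_port("127.0.0.1", p, hold=hold) for name, p in ports.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Against a real target, scan(host, range(1, 1025)) gives the same four-way split; ports that come back "reset_after_accept" are the ones a bare nmap port list would have shown as open. Nmap's own service detection (-sV) surfaces the same thing indirectly, labelling a port that accepts and then drops the connection without data as "tcpwrapped".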
03-13-2018 08:07 AM
It's a knob that gives admins the ability to control behavior based on preference. Some organizations like the silent discard (an attempt to make the firewall invisible to a scanner).
Applications expect a RST packet to be sent as part of a connection close, so perhaps an org may enable the sending of RST on trusted interfaces (inside), and be more protective/restrictive on the outside interface with a silent discard.