All Ports Opened on ASA 5505 Firewall?

ernesto.huizar
Level 1

We performed our routine penetration testing, and performed a port scan. We just upgraded to a new ASA with a 9.8 version. We noticed that all of our ports were opened; we used NMAP externally, although we couldn't connect via a telnet test (telnet IP PORT). The connection would get established, but right away reset a second later.

 

We have a smart net subscription, so I called a tech and got support. After his review, he agreed that everything seemed to be configured properly on our side. He mentioned that the newer ASA has a TCP reset function, where the connection would reset if the port is not opened and a connection is attempted. The tech and I went over all the listening ports and established connections, and everything seemed to be OK. 

 

My questions are, is there a way to have the port blocked other than TCP reset?

 

Can anyone explain the TCP reset in ASA? Seems like I can't find much online (unless I am a bad googler :))

 

And are there any FREE networking tools that I can use to create a scan that takes a TCP reset into account?

 

Thanks, 

3 Replies

thiland
Level 3

It sounds like you're triggering the TCP intercept feature documented here:

Protect Servers from a SYN Flood DoS Attack (TCP Intercept)

 

Are you running NMAP from a source on the outside interface of the ASA?  Are you attempting to scan the outside IP of the ASA?  Or a device behind the ASA via NAT?

 

Do you have an explicit deny ACL on the outside interface inbound?

 

Scanning from outside. Using NMAP on outside interface public IP. And yes I have an explicit deny rule.

 

The tech sent me documentation on the feature. He said it is called "service resetoutbound".

 

It is noted here https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3.pdf

 

It looks like the connection is resetting exactly how the tech described. When I attempt to telnet to the firewall from outside, it connects, but disconnects 1 second later, resetting the connection. What are the advantages of this? I would think just blocking would be a better solution, instead of allowing a connection, even for a second.

It's a knob that gives admins the ability to control behavior based on preference.  Some organizations like the silent discard (an attempt to make the firewall invisible to a scanner). 

Applications expect a RST packet to be sent as part of a connection close, so perhaps an org may enable the sending of RST on trusted interfaces (inside), and be more protective/restrictive on the outside interface with a silent discard.
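The original poster asked for a free way to scan that accounts for this reset behaviour, and the last reply contrasts RST with silent discard. The script below is an added example written for this thread, not code from the posts, from Cisco or from nmap. It classifies how a single TCP port answers a connection attempt, separating a port that is genuinely listening from one where the firewall completes the handshake and then resets it (the behaviour described above), from a plain RST to the SYN, and from a silent discard. Because the probe only waits after connecting and never sends data, a real service that is waiting for the client is left alone. To keep it self-contained and offline, the listeners it probes are constructed on loopback here; the "reset" listener uses `SO_LINGER` with a zero timeout so that `close()` emits an RST, which stands in for the firewall. `probe_tcp_port`, `start_listener`, `closed_port` and `demo` are names chosen for this example.

```python
"""Classify how a TCP endpoint answers a connection attempt.

Added example for this thread (not code from the original posts or from
Cisco).  The loopback listeners built below are constructed stand-ins for
the firewall behaviours discussed: accept-then-RST, clean close, and a
service that keeps the connection up.
"""
import socket
import struct
import threading
import time

LOOPBACK = "127.0.0.1"


def probe_tcp_port(host, port, timeout=1.0):
    """Return one of:
      "filtered"        - no answer to the SYN within timeout (silent discard)
      "closed"          - RST answers the SYN (connection refused)
      "open-then-reset" - handshake completes, then the peer sends RST
      "open-then-fin"   - handshake completes, then the peer closes cleanly
      "open"            - handshake completes and the peer keeps the socket up
      "unreachable"     - some other network error (route, permission, ...)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"
        # Handshake done.  Wait briefly for the peer's next move without
        # sending anything, so a real service waiting for the client is unaffected.
        try:
            data = sock.recv(1)
        except ConnectionResetError:
            return "open-then-reset"
        except socket.timeout:
            return "open"
        return "open-then-fin" if data == b"" else "open"
    finally:
        sock.close()


def start_listener(behaviour):
    """Start a loopback listener that, after accepting one connection, either
    "reset"s it (RST, standing in for the firewall), closes it with a "fin",
    or "hold"s it open.  Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if behaviour == "reset":
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        elif behaviour == "hold":
            time.sleep(3)  # outlive the probe's recv timeout
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port with nothing listening on it (SYN gets RST)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((LOOPBACK, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe the constructed loopback cases and return their classifications."""
    return {
        "closed": probe_tcp_port(LOOPBACK, closed_port()),
        "reset": probe_tcp_port(LOOPBACK, start_listener("reset")),
        "fin": probe_tcp_port(LOOPBACK, start_listener("fin")),
        "hold": probe_tcp_port(LOOPBACK, start_listener("hold")),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:>6}: {state}")
```

Pointed at your own perimeter after a change, a result of "open-then-reset" on every port you did not intend to publish is the picture this thread describes, and "filtered" is what the silent-discard setting mentioned in the reply above would produce. A scanner that decides "open" on the SYN/ACK alone cannot tell the two open cases apart, which is why the scan here reported every port as open; the extra wait after the handshake is what makes the distinction.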
