ASA 5505 appears to be listening on all TCP ports

ctalsness
Level 1

When I do an NMAP scan against my ASA 5505 on its internal interface's IP address, it appears to be listening on all TCP ports.  If I do it from across a VPN tunnel, the ports show as open according to NMAP; if I do the scan from the local subnet they show up as unknown.  I'm thinking I read once that this is normal behavior, but I can't find any Cisco documentation that deals with this.  Can anyone help point me in the right direction?  I'm running 8.0.4 code on this ASA.

4 Replies

lcaruso
Level 6

Here's the ports my 5505 is currently listening on

ciscoasa# sh asp table socket
Protocol  Socket    Local Address               Foreign Address         State
SSL       000256cf  192.168.100.1:443             0.0.0.0:*               LISTEN
TCP       000564ff  192.168.100.1:22              0.0.0.0:*               LISTEN
TCP       008cdb58  192.168.100.1:22              desktop:52905           ESTAB
ciscoasa#

I'd upgrade that ASA to 8.4(2) and run the above command to see which ports are open.

What about UDP?

The command shows all open tcp and udp ports. Since I have no open udp ports, they are not shown.

Marvin Rhoads
Hall of Fame

Listening is good for a network device, even a security appliance.

Note that you are only listening on ports 443 and 22 (SSL and ssh). When an incoming packet speaks to one of those listening ports it will use a random high-numbered TCP port as the source (as in your case above, your workstation is talking from TCP port 52905); the destination will be 22 or 443. The ASA will further refer to the configured allowed addresses or networks to validate incoming ssh and https/ssl connection requests.
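The practical follow-up to this thread is to treat the appliance's own socket table as ground truth and check the scanner's "open" verdicts against it: anything nmap calls open that the ASA does not list in LISTEN state is a scan artifact to investigate, not a service. The script below does that cross-check. It is an added example written for this thread, not code from any of the posters or from Cisco. Both inputs are constructed samples: the socket table is modelled on the `sh asp table socket` output posted above (with a couple of extra rows added for illustration), and the scan side assumes nmap's grepable `-oG` output format. The `cross_check` function and its report layout are this example's own design.

```python
"""Cross-check an nmap scan of an ASA against `show asp table socket`.

Added example for this thread (not from the original posts or Cisco).
Input samples are constructed; nmap -oG grepable format is assumed.
"""
import re
from typing import Dict, Set, Tuple

# Key for a local listener: (transport, local IP address)
Key = Tuple[str, str]

# Constructed sample modelled on the socket table posted in the thread,
# plus a UDP listener and a second interface address to exercise the parser.
ASP_SOCKET_TABLE = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       000256cf  192.168.100.1:443             0.0.0.0:*               LISTEN
TCP       000564ff  192.168.100.1:22              0.0.0.0:*               LISTEN
TCP       008cdb58  192.168.100.1:22              desktop:52905           ESTAB
UDP       00a11b2c  192.168.100.1:161             0.0.0.0:*               LISTEN
TCP       00b3c4d5  10.0.0.1:443                  0.0.0.0:*               LISTEN
"""

# Constructed nmap grepable output (-oG) for a scan of the inside address.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p 22,80,443,8080 -oG - 192.168.100.1
Host: 192.168.100.1 ()  Status: Up
Host: 192.168.100.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
# Nmap done
"""

# One row of `show asp table socket`: protocol, socket id, local addr:port,
# foreign addr:port, state.
ASP_ROW = re.compile(
    r"^(?P<proto>SSL|TCP|UDP)\s+[0-9a-fA-F]+\s+"
    r"(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+(?P<state>\S+)"
)


def parse_asp_sockets(text: str) -> Dict[Key, Set[int]]:
    """Return {(transport, ip): {port, ...}} for rows in LISTEN state.

    SSL rows are TCP listeners (the ASA terminates TLS on them), so they
    are folded into the "tcp" set; UDP rows are kept under "udp".
    """
    listening: Dict[Key, Set[int]] = {}
    for line in text.splitlines():
        m = ASP_ROW.match(line)
        if not m or m.group("state") != "LISTEN":
            continue  # header, ESTAB connections, or unrelated output
        transport = "udp" if m.group("proto") == "UDP" else "tcp"
        key = (transport, m.group("ip"))
        listening.setdefault(key, set()).add(int(m.group("port")))
    return listening


# nmap -oG: "Host: <ip> (<name>)\tPorts: 22/open/tcp//ssh///, ..."
NMAP_HOST = re.compile(r"^Host:\s+(\S+)\s+\S*\s*Ports:\s+(.*)$")
NMAP_PORT = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_nmap_open(text: str) -> Dict[Key, Set[int]]:
    """Return {(transport, ip): {port, ...}} for ports nmap reports open."""
    found: Dict[Key, Set[int]] = {}
    for line in text.splitlines():
        m = NMAP_HOST.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        for port, state, proto in NMAP_PORT.findall(ports):
            if state == "open":
                found.setdefault((proto, ip), set()).add(int(port))
    return found


def cross_check(asp_text: str, nmap_text: str) -> Dict[Key, Dict[str, Set[int]]]:
    """For each scanned address, split nmap's open ports into those the
    ASA really has in LISTEN state ("confirmed") and those it does not
    ("unconfirmed", i.e. scan artifacts to investigate by hand)."""
    asa = parse_asp_sockets(asp_text)
    scan = parse_nmap_open(nmap_text)
    report: Dict[Key, Dict[str, Set[int]]] = {}
    for key, ports in scan.items():
        real = asa.get(key, set())
        report[key] = {"confirmed": ports & real, "unconfirmed": ports - real}
    return report


if __name__ == "__main__":
    for (proto, ip), result in cross_check(ASP_SOCKET_TABLE, NMAP_GREPABLE).items():
        print(f"{ip}/{proto}: confirmed={sorted(result['confirmed'])} "
              f"unconfirmed={sorted(result['unconfirmed'])}")
```

On the constructed input, 22 and 443 come back confirmed and 80 and 8080 unconfirmed, which is the shape of the poster's complaint: the scanner says "open", the appliance says nothing is listening there. Save real `show asp table socket` output to a file and feed it in place of the sample; the parser ignores header and ESTAB rows, and keys listeners per interface address so a port open on one interface is not mistaken for one on another.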
