ASA 5545 Supposedly Scanning Random Ports on Management Server

ABaker94985
Spotlight

About a week ago, our ASA 5545 started to scan random ports on our management server. The AV detects the port scan, and throws up a temporary block on traffic, which means the device randomly goes down for 10-15 minutes throughout the day and night. Here is the logging info from AV, but I'm pretty certain the ASA doesn't have the ability to scan. There is no NAT statement to the inside IP.


Somebody is scanning your computer.
Your computer's UDP ports:
50967, 53616, 53228, 61745 and 53162 have been scanned from <firewall_ip>.

Somebody is scanning your computer.
Your computer's UDP ports:
54676, 60187, 56973, 57651 and 62472 have been scanned from <firewall_ip>.

Somebody is scanning your computer.
Your computer's UDP ports:
64649, 62761, 59096, 64934 and 63694 have been scanned from <firewall_ip>.


Any thoughts as to what might be causing this? Thanks

4 Replies

@ABaker94985 

Is your ASA hardware running FTD or ASA image?

I meant to include this but was sidetracked several times. No, it's ASA: 9-14-2.15.

@ABaker94985 

The only thing that comes to mind is some traffic being NATed behind the firewall's IP address; nothing from the ASA itself would do a scan.


You could run a packet capture on the ASA and match on the destination of the mgmt server IP address.


The command "show conn" and using a filter might provide more clues.

https://www.whatsupgold.com/blog/port-scanning-101-what-it-is-what-it-does


So an infected PC is sending UDP toward the ASA, and the ASA is using NAT, so it NATs the traffic and sends it to your PC.
Because of the ASA NAT IP, it appears that the ASA is sending the UDP port scan.

Check the ASA conn table and match the ports that are scanned to see this infected PC's IP, and deny it.
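The workflow the replies describe (take the scanned ports from the AV alerts, then match them against the ASA conn table, e.g. the output of `show conn address <mgmt_ip> protocol udp`, to find the real inside host hiding behind the NAT address) as an added Python example that is not from this thread. The alert text and `show conn` lines are constructed, 192.0.2.10 is an assumed management server address, and the conn-line layout is approximated from memory, so check it against your own ASA.

```python
import re
from collections import defaultdict

# Constructed AV alert text in the shape quoted in the question (not real data).
AV_ALERTS = """Somebody is scanning your computer.
Your computer's UDP ports:
50967, 53616, 53228, 61745 and 53162 have been scanned from 203.0.113.1.
Somebody is scanning your computer.
Your computer's UDP ports:
54676, 60187, 56973, 57651 and 62472 have been scanned from 203.0.113.1."""

# Constructed lines approximating ASA "show conn" output (verify the exact layout
# on your own ASA). The ASA lists inside hosts with their real, pre-NAT addresses,
# so the host behind the firewall IP is visible here even though the management
# server only ever sees the NAT address. 192.0.2.10 is the assumed mgmt server.
SHOW_CONN = """UDP inside 10.20.30.40:61000 dmz 192.0.2.10:50967, idle 0:00:03, bytes 60, flags -
UDP inside 10.20.30.40:61001 dmz 192.0.2.10:53616, idle 0:00:02, bytes 60, flags -
UDP inside 10.20.30.41:5000 dmz 192.0.2.10:53, idle 0:00:10, bytes 400, flags -
UDP inside 10.20.30.40:61002 dmz 192.0.2.10:62472, idle 0:00:01, bytes 60, flags -
TCP inside 10.20.30.42:40000 dmz 192.0.2.10:443, idle 0:00:05, bytes 9000, flags UIO"""

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def scanned_ports(av_text):
    """Return (set of scanned UDP ports, set of reported source IPs) from AV alerts."""
    ports, sources = set(), set()
    for line in av_text.splitlines():
        m = re.search(r"^(.*) have been scanned from (\S+?)\.?$", line)
        if m:
            ports.update(int(p) for p in re.findall(r"\d+", m.group(1)))
            sources.add(m.group(2))
    return ports, sources

def suspects(conn_text, mgmt_ip, ports):
    """Map each real (pre-NAT) host to the scanned mgmt-server ports it has UDP conns to.
    Endpoint order in the line is not assumed: whichever side is the management server,
    the other side is taken as the originating host."""
    hits = defaultdict(set)
    for line in conn_text.splitlines():
        if not line.startswith("UDP"):
            continue
        ends = ENDPOINT.findall(line)
        if len(ends) != 2:
            continue
        for (ip, port), (other_ip, _) in (ends, ends[::-1]):
            if ip == mgmt_ip and int(port) in ports:
                hits[other_ip].add(int(port))
    return {ip: sorted(p) for ip, p in hits.items()}
```

Calling `suspects(SHOW_CONN, "192.0.2.10", scanned_ports(AV_ALERTS)[0])` on the constructed data returns `{'10.20.30.40': [50967, 53616, 62472]}`, i.e. the inside host to investigate and block; the DNS and HTTPS conns from other hosts are ignored because their ports were never reported as scanned.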
