07-15-2021 10:06 AM
About a week ago, our ASA 5545 started to scan random ports on our management server. The AV detects the port scan, and throws up a temporary block on traffic, which means the device randomly goes down for 10-15 minutes throughout the day and night. Here is the logging info from AV, but I'm pretty certain the ASA doesn't have the ability to scan. There is no NAT statement to the inside IP.
Somebody is scanning your computer.
Your computer's UDP ports:
50967, 53616, 53228, 61745 and 53162 have been scanned from <firewall_ip>.
Somebody is scanning your computer.
Your computer's UDP ports:
54676, 60187, 56973, 57651 and 62472 have been scanned from <firewall_ip>.
Somebody is scanning your computer.
Your computer's UDP ports:
64649, 62761, 59096, 64934 and 63694 have been scanned from <firewall_ip>.
Any thoughts as to what might be causing this? Thanks
07-15-2021 10:12 AM - edited 07-15-2021 10:27 AM
Is your ASA hardware running FTD or ASA image?
07-15-2021 10:29 AM
I meant to include this but was sidetracked several times. No, it's ASA: 9-14-2.15.
07-15-2021 10:36 AM
The only thing that comes to mind is some traffic being NATed behind the firewall's IP address; nothing from the ASA itself would do a scan.
You could run a packet capture on the ASA and match on the destination of the mgmt server IP address.
The command "show conn" with a filter might provide more clues.
07-15-2021 05:00 PM
https://www.whatsupgold.com/blog/port-scanning-101-what-it-is-what-it-does
So an infected PC is sending UDP toward the ASA, and the ASA, using NAT, translates it and sends it to your PC.
Because of the ASA NAT IP, it appears that the ASA is sending the UDP port scan.
Check the ASA conn table and match the scanned ports to see the infected PC's IP, and deny it.
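To show how the "check the conn table and match the scanned ports" step from the last two replies can be done without eyeballing hundreds of lines, here is an added example that is not from the thread or from Cisco. It extracts the scanned ports from the AV alerts quoted in the first post and matches them against the output of "show conn" (for example "show conn address 192.0.2.10", or a capture such as "capture scan interface inside match udp any host 192.0.2.10" as a cross-check), which lists real, pre-translation addresses, so the inside host hiding behind the firewall's PAT address shows up directly. The management server address 192.0.2.10, the interface names, the inside hosts and the "show conn" lines themselves are constructed sample data, not output from the poster's ASA.

```python
"""
Correlate AV port-scan alerts with ASA 'show conn' output to find the real
(pre-NAT) source host.  Added example, not code from the thread or from Cisco;
the 'show conn' lines below are constructed sample data in the format the
command prints, and every IP address / interface name is an assumption.
"""
import re
from collections import defaultdict

# AV alert text as quoted in the first post (firewall IP redacted there as <firewall_ip>).
AV_ALERTS = """\
Somebody is scanning your computer.
Your computer's UDP ports:
50967, 53616, 53228, 61745 and 53162 have been scanned from <firewall_ip>.
Somebody is scanning your computer.
Your computer's UDP ports:
54676, 60187, 56973, 57651 and 62472 have been scanned from <firewall_ip>.
"""

# Constructed sample of 'show conn' output. 'show conn' prints real (untranslated)
# addresses, so the inside host is visible even when it is PAT'd to the firewall's
# interface IP on the way to the management server (assumed to be 192.0.2.10 on dmz).
SHOW_CONN = """\
UDP dmz 192.0.2.10:50967 inside 10.1.1.57:40213, idle 0:00:03, bytes 120, flags -
UDP dmz 192.0.2.10:53616 inside 10.1.1.57:40214, idle 0:00:03, bytes 120, flags -
UDP dmz 192.0.2.10:53 inside 10.1.1.20:55001, idle 0:00:10, bytes 240, flags -
UDP dmz 192.0.2.10:61745 inside 10.1.1.57:40215, idle 0:00:02, bytes 120, flags -
UDP dmz 192.0.2.10:54676 inside 10.1.1.57:40216, idle 0:00:01, bytes 120, flags -
TCP dmz 192.0.2.10:443 inside 10.1.1.20:50120, idle 0:00:05, bytes 9876, flags UIO
"""

# "50967, 53616, 53228, 61745 and 53162 have been scanned from <ip>."
PORT_LINE = re.compile(
    r"^([\d, ]+?)\s+and\s+(\d+)\s+have been scanned from\s+(\S+)\.", re.M
)
# "UDP dmz 192.0.2.10:50967 inside 10.1.1.57:40213, ..."
CONN_LINE = re.compile(
    r"^(?P<proto>UDP|TCP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)",
    re.M,
)


def scanned_ports(av_text):
    """Return the set of destination ports the AV reported as scanned."""
    ports = set()
    for m in PORT_LINE.finditer(av_text):
        ports.update(int(p) for p in m.group(1).split(","))
        ports.add(int(m.group(2)))
    return ports


def parse_conns(conn_text, mgmt_ip):
    """Yield (peer_host, port_on_mgmt_server, proto) for each conn involving mgmt_ip."""
    for m in CONN_LINE.finditer(conn_text):
        d = m.groupdict()
        # The management server can appear on either side of the line; normalise
        # so the returned host is the *other* endpoint and the port is the mgmt side.
        if d["ip_a"] == mgmt_ip:
            yield d["ip_b"], int(d["port_a"]), d["proto"]
        elif d["ip_b"] == mgmt_ip:
            yield d["ip_a"], int(d["port_b"]), d["proto"]


def find_scanner(av_text, conn_text, mgmt_ip, proto="UDP"):
    """Map each peer host to the sorted list of AV-reported ports it connected to."""
    ports = scanned_ports(av_text)
    hits = defaultdict(set)
    for host, dport, p in parse_conns(conn_text, mgmt_ip):
        if p == proto and dport in ports:
            hits[host].add(dport)
    return {host: sorted(ps) for host, ps in hits.items()}


if __name__ == "__main__":
    # With the constructed data above this prints {'10.1.1.57': [50967, 53616, 54676, 61745]}
    print(find_scanner(AV_ALERTS, SHOW_CONN, "192.0.2.10"))
```

The host that comes back (10.1.1.57 in the constructed data) is the one to pull off the network and inspect; 10.1.1.20 is excluded because its DNS and HTTPS connections to the server do not touch any of the reported ports. Because the conn table is transient, run "show conn" while an AV alert is live, or keep the capture running and feed its output in the same way.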