06-06-2024 11:09 PM
We have an ASA module in a 6509-E with ASA IOS version 9.0.4 & 6509-E IOS version 15.5.10.
Multiple DMZs exist on the ASA, and one server hosted in one of the DMZs initiates NMAP scans to all the hosts in the network. So the traffic path is NMAP server (DMZ10) > Outside Interface > Hosts.
The issue is that some hosts will be in an "offline" state, and the minute the server initiates NMAP traffic towards such a host, the ASA responds to the NMAP on behalf of the host, which changes the state of the host to "online" in our monitoring system.
Is there a way to stop this behaviour where the ASA responds to NMAP traffic from that server towards the hosts?
06-07-2024 12:58 AM
You mean that port is open in the ASA?
Try adding access control plane and blocking all the ports you want.
Also disable ARP proxy in NAT.
Try the above and check.
MHM
06-07-2024 01:41 AM - edited 06-07-2024 01:52 AM
In order to address the issue where your ASA (Adaptive Security Appliance) is responding to NMAP scans on behalf of hosts, you can consider the following solutions.
You can create ACLs to block the NMAP scan traffic from the server in the DMZ to the outside network. This will prevent the server from scanning hosts in the network through the ASA.
access-list DMZ10_to_Outside extended deny ip host <NMAP_Server_IP> any
access-group DMZ10_to_Outside in interface dmz10
ASA can have IP spoofing protection enabled which might cause it to respond on behalf of hosts. Ensure that this feature is disabled if not necessary. Be cautious, as disabling this can introduce security risks.
Configure Unicast Reverse Path Forwarding on your ASA to ensure that it forwards packets only if they are received on the best return path.
interface <interface_name>
ip verify reverse-path
Adjust the TCP SYN timeout value to reduce the impact of half-open connections which might cause the ASA to respond to NMAP scans.
tcp-options timeout synack 30
This ACL blocks common ports used in NMAP scans and allows other traffic.
access-list BLOCK_NMAP extended deny tcp any any eq 22
access-list BLOCK_NMAP extended deny tcp any any eq 80
access-list BLOCK_NMAP extended deny tcp any any eq 443
access-list BLOCK_NMAP extended deny tcp any any eq 3389
access-list BLOCK_NMAP extended permit ip any any
access-group BLOCK_NMAP in interface outside
06-10-2024 12:52 AM
@karamalomari, typically this happens when the firewall activates the TCP Intercept feature, when the number of half-open TCP connections exceeds the threshold configured under the policy-map ("set connection embryonic-conn-max" or "set connection per-client-embryonic-max"). In such a case the firewall responds with SYN/ACK, waiting for the ACK to come from the client. If the scanner doesn't send it, embryonic connections pile up. Another possibility is that the firewall sends a TCP RST to the SYN from the scanner and the scanner interprets it as an online host. You can collect a capture on the outside interface to understand what's really going on.
And of course there are no such commands as "tcp-options timeout synack" or "ip verify reverse-path" under interface on ASA.
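One way to work through such captures, as an added example that is not part of this thread or of any Cisco tooling: correlate a capture taken on the scanner-facing interface with one taken on the outside interface, and flag hosts whose SYN/ACK or RST reached the scanner without ever appearing on the outside side, since only the ASA itself could have produced those. The packet lines, the scanner address 10.10.10.5 and the assumption that no NAT rewrites addresses between the two interfaces are all constructed for the example.

```python
import re

# Constructed, simplified tcpdump-style lines (not a real capture) standing in
# for captures taken on the scanner-facing (DMZ10) and the outside interface.
# Assumption: no NAT between the two, so addresses can be matched directly.
DMZ_SIDE = """\
10.10.10.5.40001 > 192.0.2.10.22: Flags [S]
192.0.2.10.22 > 10.10.10.5.40001: Flags [S.]
10.10.10.5.40002 > 192.0.2.11.22: Flags [S]
192.0.2.11.22 > 10.10.10.5.40002: Flags [S.]
10.10.10.5.40003 > 192.0.2.12.22: Flags [S]
192.0.2.12.22 > 10.10.10.5.40003: Flags [R.]
10.10.10.5.40004 > 192.0.2.13.22: Flags [S]
""".splitlines()

OUTSIDE_SIDE = """\
10.10.10.5.40001 > 192.0.2.10.22: Flags [S]
10.10.10.5.40002 > 192.0.2.11.22: Flags [S]
192.0.2.11.22 > 10.10.10.5.40002: Flags [S.]
10.10.10.5.40003 > 192.0.2.12.22: Flags [S]
10.10.10.5.40004 > 192.0.2.13.22: Flags [S]
""".splitlines()

LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(lines):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) for each packet line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def classify(scanner_ip, dmz_lines, outside_lines):
    """Per probed host, decide who answered the scanner's SYN.
    A SYN/ACK or RST seen on the scanner side but never on the outside side
    can only have been generated by the firewall (TCP Intercept or RST)."""
    probed, replied_dmz, replied_out = set(), set(), set()
    for src, _, dst, _, flags in parse(dmz_lines):
        if src == scanner_ip and flags == "S":
            probed.add(dst)
        elif dst == scanner_ip and ("S" in flags or "R" in flags):
            replied_dmz.add(src)
    for src, _, dst, _, flags in parse(outside_lines):
        if dst == scanner_ip and ("S" in flags or "R" in flags):
            replied_out.add(src)
    verdicts = {}
    for host in sorted(probed):
        if host in replied_dmz and host not in replied_out:
            verdicts[host] = "firewall replied"
        elif host in replied_dmz:
            verdicts[host] = "host replied"
        else:
            verdicts[host] = "no reply"
    return verdicts

if __name__ == "__main__":
    for host, verdict in classify("10.10.10.5", DMZ_SIDE, OUTSIDE_SIDE).items():
        print(f"{host}: {verdict}")
```

Hosts classified as "firewall replied" are the ones the monitoring system would wrongly mark online; checking them against "show service-policy" output then tells whether the embryonic-connection limit is what triggered the intercept.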