ASA responds to NMAP traffic on behalf of the host

karamalomari
Level 1

We have an ASA module in a 6509-E, with ASA IOS version 9.0.4 and 6509-E IOS version 15.5.10.

Multiple DMZs exist on the ASA, and a server hosted in one of the DMZs initiates an NMAP scan to all the hosts in the network. So the traffic path is NMAP server (DMZ10) > Outside Interface > Hosts.

The issue is that some hosts are in an "offline" state, and the minute the server initiates NMAP traffic towards such a host, the ASA responds to the NMAP on behalf of the host, which changes the state of the host to "online" in our monitoring system.

Is there a way to stop this behaviour where the ASA responds to NMAP traffic from that server towards the hosts?

3 Replies

You mean that the port is open on the ASA?

Try adding a control-plane access-list and blocking all the ports you want.

Also disable proxy ARP in NAT.

Try the above and check.

MHM

In order to address the issue where your ASA (Adaptive Security Appliance) is responding to NMAP scans on behalf of hosts, you can consider the following solutions.

You can create ACLs to block the NMAP scan traffic from the server in the DMZ to the outside network. This will prevent the server from scanning hosts in the network through the ASA.

access-list DMZ10_to_Outside extended deny ip host <NMAP_Server_IP> any
access-group DMZ10_to_Outside in interface dmz10

The ASA can have IP spoofing protection enabled, which might cause it to respond on behalf of hosts. Ensure that this feature is disabled if it is not necessary. Be cautious, as disabling this can introduce security risks.

Configure Unicast Reverse Path Forwarding on your ASA to ensure that it forwards packets only if they are received on the best return path.

interface <interface_name>
 ip verify reverse-path

Adjust the TCP SYN timeout value to reduce the impact of half-open connections which might cause the ASA to respond to NMAP scans.

tcp-options timeout synack 30

This ACL blocks common ports used in NMAP scans and allows other traffic.

access-list BLOCK_NMAP extended deny tcp any any eq 22
access-list BLOCK_NMAP extended deny tcp any any eq 80
access-list BLOCK_NMAP extended deny tcp any any eq 443
access-list BLOCK_NMAP extended deny tcp any any eq 3389
access-list BLOCK_NMAP extended permit ip any any
access-group BLOCK_NMAP in interface outside

please do not forget to rate.

@karamalomari, typically this happens when the firewall activates the TCP Intercept feature, when the number of half-open TCP connections exceeds the threshold configured under the policy-map ("set connection embryonic-conn-max" or "set connection per-client-embryonic-max"). In such a case the firewall responds with SYN/ACK, waiting for the ACK to come from the client. If the scanner doesn't send it, embryonic connections pile up. Another possibility is that the firewall sends a TCP RST to the SYN from the scanner and the scanner interprets it as an online host. You can collect a capture on the outside interface to understand what's really going on.

And of course there are no such commands as "tcp-options timeout synack" or "ip verify reverse-path" under interface on the ASA.
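The mechanism described in the reply above, as an added simulation that is not part of the original thread or of Cisco's code: a scanner that sends SYNs without completing the handshake drives the firewall's per-client embryonic count up to the threshold, after which the firewall answers SYN/ACK itself, so offline hosts appear online. The threshold names mirror the policy-map settings quoted in the reply; the counting logic, the hosts, and the scanner address are constructed for the example, and the "outside capture" list models the diagnostic suggested in the reply (a SYN that never egresses on the outside interface was answered by the firewall, not the host).

```python
"""Simplified model of ASA TCP Intercept behaviour during a half-open scan.

Added example: not from the original post and not the ASA's implementation.
Thresholds follow the policy-map options named in the thread; everything else
(host list, scanner address, counting rule) is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK


@dataclass
class AsaTcpIntercept:
    # 0 means "no limit", as with the ASA's default for these settings
    per_client_embryonic_max: int = 0
    embryonic_conn_max: int = 0
    online_hosts: set = field(default_factory=set)       # constructed ground truth
    embryonic: dict = field(default_factory=dict)        # client -> half-open count
    outside_capture: list = field(default_factory=list)  # what a capture on "outside" sees

    def intercept_active(self, client: str) -> bool:
        """Intercept starts once either configured threshold is reached."""
        total = sum(self.embryonic.values())
        per_client = self.embryonic.get(client, 0)
        over_total = self.embryonic_conn_max and total >= self.embryonic_conn_max
        over_client = (self.per_client_embryonic_max
                       and per_client >= self.per_client_embryonic_max)
        return bool(over_total or over_client)

    def handle_syn(self, seg: Segment) -> Optional[Segment]:
        """Process a client SYN; return the segment the client sees, if any."""
        if self.intercept_active(seg.src):
            # Threshold reached: the firewall completes the handshake itself and
            # would only contact the real host after the client's ACK arrives.
            # The SYN never egresses on outside, so the capture shows nothing.
            return Segment(seg.dst, seg.src, seg.dport, "SA")
        # Below threshold: forward the SYN and track a half-open connection.
        self.outside_capture.append(seg)
        self.embryonic[seg.src] = self.embryonic.get(seg.src, 0) + 1
        if seg.dst in self.online_hosts:
            reply = Segment(seg.dst, seg.src, seg.dport, "SA")
            self.outside_capture.append(reply)
            return reply
        return None  # offline host: the SYN simply times out


def syn_scan(asa: AsaTcpIntercept, scanner_ip: str, targets, port: int = 80) -> set:
    """Half-open scan: any SYN/ACK marks the target online; no final ACK is sent."""
    online = set()
    for target in targets:
        reply = asa.handle_syn(Segment(scanner_ip, target, port, "S"))
        if reply is not None and reply.flags == "SA":
            online.add(target)
    return online


def hosts_answered_by_asa(asa: AsaTcpIntercept, scan_result: set) -> set:
    """Cross-check the scan against the outside capture: a host reported online
    whose SYN never appeared on outside was answered by the firewall."""
    egressed = {s.dst for s in asa.outside_capture if s.flags == "S"}
    return scan_result - egressed


if __name__ == "__main__":
    # Constructed scenario: only 10.0.0.1 is really up; per-client limit of 3.
    asa = AsaTcpIntercept(per_client_embryonic_max=3, online_hosts={"10.0.0.1"})
    targets = [f"10.0.0.{i}" for i in range(1, 7)]
    seen = syn_scan(asa, "192.0.2.10", targets)
    print("scanner reports online:", sorted(seen))
    print("answered by the ASA, not the host:", sorted(hosts_answered_by_asa(asa, seen)))
```

Running the scenario shows the scanner reporting four hosts online although only one is up; the three extra hosts are exactly those whose SYN never reached the outside capture, which is the comparison a real capture on the outside interface lets you make. Clearing both thresholds (the constructor defaults) makes the firewall forward every SYN and the scanner then sees only the host that is really up.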
