We have a plain ASA (no IDS/IPS, Firepower), and we want to determine if the device is being port scanned. Did a quick scan (nmap) and all I see by filtering on the device that I'm scanning it from is this:
%ASA-4-313009: Denied invalid ICMP code 9, for outside:scanner.ip.address/6523 (scanner.ip.address/6523) to identity:asa.outside.ip/0 (asa.outside.ip/0), ICMP id 295, ICMP type 8
There was no significant increase in the logs, no spikes in count, sessions and health (movement) as well.
What events or log messages should we watch out for if the device is being scanned?
Thanks in advance
You might need to enable a few things to detect scans.
You can then look at the "Denied" and "Scanning" messages in the log.
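
One way to act on the "Denied" messages when, as in the question, there is no spike in log volume: count how many distinct destination services each source was denied on. This is an added example, not part of the original posts. It assumes the standard ASA syslog layouts for 106023 and 710003 alongside the 313009 line quoted above; the `min_services` threshold and all sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# One regex per "Denied"-type message; each yields src, dst and svc (port or ICMP code).
PATTERNS = {
    "106023": re.compile(r"Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ "
                         r"dst \S+?:(?P<dst>[\d.]+)/(?P<svc>\d+)"),
    "710003": re.compile(r"(?P<proto>\w+) access denied by ACL from (?P<src>[\d.]+)/\d+ "
                         r"to \S+?:(?P<dst>[\d.]+)/(?P<svc>\d+)"),
    "313009": re.compile(r"Denied invalid (?P<proto>ICMP) code (?P<svc>\d+), "
                         r"for \S+?:(?P<src>[\d.]+)/\d+ .*? to \S+?:(?P<dst>[\d.]+)/"),
}
MSG_ID = re.compile(r"%ASA-\d-(\d{6}): (.*)")


def scan_suspects(lines, min_services=5):
    """Return {source_ip: sorted distinct (proto, dst, svc)} for sources at or above the threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = MSG_ID.search(line)  # search() tolerates a timestamp/hostname prefix
        if not m or m.group(1) not in PATTERNS:
            continue
        hit = PATTERNS[m.group(1)].match(m.group(2))
        if hit:
            seen[hit["src"]].add((hit["proto"].lower(), hit["dst"], int(hit["svc"])))
    return {src: sorted(t) for src, t in seen.items() if len(t) >= min_services}


# Constructed sample lines (documentation addresses), not captured from a real device.
SAMPLE = [
    f'%ASA-4-106023: Deny tcp src outside:203.0.113.50/{40000 + p} dst inside:198.51.100.10/{p} '
    f'by access-group "outside_in" [0x0, 0x0]' for p in (21, 22, 23, 80, 443, 3389)
] + [
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.50/40999 to outside:198.51.100.1/22",
    "%ASA-4-313009: Denied invalid ICMP code 9, for outside:203.0.113.50/6523 (203.0.113.50/6523) "
    "to identity:198.51.100.1/0 (198.51.100.1/0), ICMP id 295, ICMP type 8",
    # A single denied connection from another host: below the threshold, not flagged.
    '%ASA-4-106023: Deny tcp src outside:192.0.2.77/51515 dst inside:198.51.100.10/25 '
    'by access-group "outside_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for src, targets in scan_suspects(SAMPLE).items():
        print(src, len(targets), targets)
```

Because the count is of distinct services rather than messages, a slow scan that never raises the message rate still accumulates in the per-source set over the log slice being examined.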