ASA5500X Port Scan

Jon Eyes
Level 1

Hello Everyone,

We have a plain ASA (no IDS/IPS, no Firepower) and we want to determine whether the device is being port scanned. I did a quick scan (nmap) and, filtering on the address I'm scanning from, all I see is this:

%ASA-4-313009: Denied invalid ICMP code 9, for outside:scanner.ip.address/6523 (scanner.ip.address/6523) to identity:asa.outside.ip/0 (asa.outside.ip/0), ICMP id 295, ICMP type 8

There was no significant increase in the logs, and no spikes in count, sessions or health (movement) either.

What events or log messages should we watch out for if the device is being scanned?

Thanks in advance

2 Replies

johnd2310
Level 8

Hi,

You might need to enable a few things to detect scans.

  1. You can enable access-list logging for the deny at the end of the outside access-list.
  2. You can enable "threat-detection scanning-threat".

You can then look at the "Denied" and "Scanning" messages in the log.

Thanks

John

**Please rate posts you find helpful**

Device scans won't impact ASAs as they aren't targeted for interruption. A DoS attack is what causes interruption.

Port scans are captured in connection built and deny connection logs. What differentiates them is the sequence and the pattern, which you either need to understand in order to recognize, or use an intelligent tool which can pick it.
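To show what both replies describe in practice (reading the "Denied" messages, and telling a scan apart from normal traffic by the pattern across built and denied connections), here is an added example that is not from this thread and not a Cisco tool. It parses constructed ASA syslog lines for 302013 (built TCP connection), 106023 (deny by access-group) and 106100 (deny from an ACE carrying the log keyword), groups them by source address and flags any source that touched an unusual number of distinct destination ports. The sample lines, the addresses, the interface names, the access-list name outside_access_in and the threshold of 5 targets are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed ASA syslog sample (not real logs): one source sweeping ports on
# 10.1.1.5, one ordinary HTTPS client, and a 313009 line in the shape the
# question quoted. Addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to dmz:10.1.1.5/80 (10.1.1.5/80)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/40002 (198.51.100.7/40002) to dmz:10.1.1.5/443 (10.1.1.5/443)
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40003 dst dmz:10.1.1.5/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40004 dst dmz:10.1.1.5/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40005 dst dmz:10.1.1.5/25 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40006) -> dmz/10.1.1.5(110) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40007) -> dmz/10.1.1.5(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_access_in denied udp outside/198.51.100.7(40008) -> dmz/10.1.1.5(161) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.4/51000 (203.0.113.4/51000) to dmz:10.1.1.5/443 (10.1.1.5/443)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.4/51001 (203.0.113.4/51001) to dmz:10.1.1.5/443 (10.1.1.5/443)
%ASA-4-313009: Denied invalid ICMP code 9, for outside:198.51.100.7/6523 (198.51.100.7/6523) to identity:192.0.2.1/0 (192.0.2.1/0), ICMP id 295, ICMP type 8
"""

# 302013: connection built through the box (the port was reachable).
BUILT = re.compile(
    r"%ASA-\d-302013: Built \w+ TCP connection \d+ for "
    r"[\w-]+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to [\w-]+:(?P<dst>[\d.]+)/(?P<port>\d+)"
)
# 106023: packet denied by an access-group (no log keyword on the ACE).
DENY_ACL = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp) src [\w-]+:(?P<src>[\d.]+)/\d+ "
    r"dst [\w-]+:(?P<dst>[\d.]+)/(?P<port>\d+)"
)
# 106100: packet denied by an ACE that has the log keyword.
DENY_ACE_LOG = re.compile(
    r"%ASA-\d-106100: access-list \S+ denied (?P<proto>tcp|udp) "
    r"[\w-]+/(?P<src>[\d.]+)\(\d+\) -> [\w-]+/(?P<dst>[\d.]+)\((?P<port>\d+)\)"
)


def parse_line(line):
    """Return (src, dst, proto, port, verdict) for a connection-level message,
    or None for anything else (ICMP drops such as 313009, audit messages...)."""
    m = BUILT.search(line)
    if m:
        return m["src"], m["dst"], "tcp", int(m["port"]), "built"
    for pat in (DENY_ACL, DENY_ACE_LOG):
        m = pat.search(line)
        if m:
            return m["src"], m["dst"], m["proto"], int(m["port"]), "denied"
    return None


def find_scanners(lines, min_ports=5):
    """Group events by source and report sources that touched at least
    min_ports distinct (dst, proto, port) targets. Built and denied
    connections count alike: a scanner hitting open ports shows up in
    302013 just as it does in 106023/106100 for filtered ones, and it is
    the spread of targets, not the verdict, that marks a scan."""
    per_src = defaultdict(lambda: {"targets": set(), "built": 0, "denied": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst, proto, port, verdict = ev
        rec = per_src[src]
        rec["targets"].add((dst, proto, port))
        rec[verdict] += 1
    return {
        src: {"ports": sorted(rec["targets"]),
              "built": rec["built"], "denied": rec["denied"]}
        for src, rec in per_src.items()
        if len(rec["targets"]) >= min_ports
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(info['ports'])} distinct targets, "
              f"{info['built']} built, {info['denied']} denied")
```

Run against the sample, only 198.51.100.7 is reported (8 distinct targets, 2 built and 6 denied); the ordinary client on 443 and the 313009 line from the question are not, because one port and an ICMP drop on the identity interface are not a scan pattern. For the 106100 lines to appear at all, the outside ACL needs an explicit deny ACE with the log keyword (without it, denies are reported as 106023 only), and the "Scanning" messages the first reply mentions only exist once threat-detection scanning-threat is configured; its view of attackers and targets can also be read with show threat-detection scanning-threat. A real detector would count within a sliding time window rather than over the whole file.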