nmap inconsistent results through AnyConnect VPN

Eric Snijders
Level 1

Hi All,

I'm trying to run some nmap scans against inside subnets over AnyConnect VPN, but the results are very inconsistent. Meaning: sometimes even just a basic port scan will report 0 hosts as up. 5 seconds later the same scan shows the right hosts as up, and the output seems correct.

At first every IP within every subnet was reporting as up, but then I disabled "Send Reset Reply for denied inbound TCP connections". But even after that the results are still not as I expect.

So my questions:
1. Is it even recommended/possible to run nmap scans through a (AnyConnect) VPN tunnel?

2. The traffic flows through 2 ASAs (1 for the AnyConnect entry, the other one for the actual routing/firewalling of our production traffic). Are there any specific settings I have to think of to get this to work?
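
As an added example, not part of this thread or of any Cisco tooling: a small Python check that parses two consecutive nmap XML (-oX) host-discovery runs, lists hosts whose up/down state flips between runs, and lists hosts that count as up only because a TCP RST came back, which is exactly the signature a firewall's reset reply for denied inbound connections leaves in nmap's output. The two XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample output (nmap -sn -oX) from two runs of the same scan.
RUN1 = """<nmaprun>
<host><status state="up" reason="reset" reason_ttl="255"/>
      <address addr="10.0.1.10" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
      <address addr="10.0.1.20" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
      <address addr="10.0.1.30" addrtype="ipv4"/></host>
</nmaprun>"""
RUN2 = """<nmaprun>
<host><status state="down" reason="no-response" reason_ttl="0"/>
      <address addr="10.0.1.10" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
      <address addr="10.0.1.20" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="255"/>
      <address addr="10.0.1.30" addrtype="ipv4"/></host>
</nmaprun>"""


def host_states(xml_text):
    """Map each IPv4 address to its (state, reason) pair from an nmap XML document."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue
        states[addr.get("addr")] = (status.get("state"), status.get("reason"))
    return states


def suspicious_up(states):
    """Hosts marked up solely because a TCP RST was received. A firewall that
    answers denied connections with a reset produces this for every address
    behind it, so these 'up' results need confirming by another probe type."""
    return sorted(ip for ip, (state, reason) in states.items()
                  if state == "up" and reason == "reset")


def flapping(first, second):
    """Addresses whose up/down state differs between two runs of the same scan."""
    down = ("down", None)
    return sorted(ip for ip in set(first) | set(second)
                  if first.get(ip, down)[0] != second.get(ip, down)[0])


if __name__ == "__main__":
    a, b = host_states(RUN1), host_states(RUN2)
    print("RST-only 'up' hosts in run 1:", suspicious_up(a))
    print("Hosts flapping between runs:", flapping(a, b))
```

A high count of RST-only hosts points at the firewall answering on their behalf, while flapping between back-to-back runs points at rate limiting or inspection along the tunnel path rather than at the endpoints.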

2 Replies

johnd2310
Level 8

Hi,

I would guess the ASAs are messing with your scans. I wouldn't do a scan through a firewall, especially when the ASA inspection/threat-detection policies are turned on.

  1. You can run scans over AnyConnect if the intent is to see what the VPN clients can access. For most scans, it wouldn't be recommended to scan from a VPN client because firewall inspection and IPS would interfere with the scans. I would recommend you use a host on the network for your scans.
  2. The firewall rules, inspection and IPS would need to be evaluated before you can consider doing scans from VPN.

Thanks

John

**Please rate posts you find helpful**

Hi John,

First of all, thank you for your help. Really appreciate it.

To clarify some things:

  1. In this case we want to scan through AnyConnect VPN.
  2. We have about 15-20 VLANs, and we want to scan all of them. ACLs on the firewalls are already updated to allow all connections coming from the nmap machine.
  3. Threat Detection has been disabled on all the firewalls.
  4. Traffic is flowing through at least 2 firewalls. If I have to change something regarding the inspection policy, I guess I should apply that to every firewall the traffic flows through, right?
  5. If I need to modify anything in the inspection policy, what would I have to change?

Basically, I just want all my firewalls to not mess with anything coming from the nmap machine, but specifically want to scan our endpoints (VMs).

Thanks in advance and have a nice day!
