PCI compliance scanner "blocked" by ASA 5510. How do I "whitelist" without giving access to all ports?

mstrz
Level 1

We use SecurityMetrics as our vendor for PCI compliance scanning. Of all our servers, only the video server fails their scan, and this is their result:

"This scan is inconclusive. Though your server had open ports, we were unable to connect to any of them successfully. There is a high probability that some type of firewall or scan-detection software is blocking us from accurately scanning your server. Please configure any firewall or software that would interfere with our scans to allow all traffic from SecurityMetrics"

Our streaming video server is our only public-facing server that has port tcp/udp 1755 open (for the mms protocol). All our other servers behind this firewall pass the test, but they only have standard email and http ports open. I am assuming that their scan of port 1755 triggers some sort of threat detection on the ASA. (I have "Basic Threat Detection" enabled only.)

How do I "whitelist" them without actually allowing them to access all the ports (for example, adding them as an access rule would open all ports to them)?

We have a Cisco ASA 5510, version 8.2(2).


Thanks

1 Reply

mirober2
Cisco Employee

Hello,

Basic threat-detection doesn't actually drop packets on its own; it's only an alerting/monitoring feature to let you know the ASA has dropped packets for other reasons that cross the basic threat-detection thresholds for what is considered a threat.

If the ASA already has the proper configuration in place to allow users on the outside to connect to your video server on TCP/UDP 1755 and this is working fine, you'll need to see what happens to the scan traffic in particular. The best way to identify this is with the following information:

1. Syslogs generated by the ASA
2. Packet captures on both the inside and outside interface, see: https://supportforums.cisco.com/docs/DOC-1222

Take a look at those and let us know what you find. You should be able to find out if the ASA is dropping the packets or letting them through and something else is dropping them along the way.

-Mike
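The syslog check Mike suggests, as an added example that is not part of this thread or of any Cisco tool: a small Python triage script that runs over constructed ASA syslog lines (placeholder scanner IP 203.0.113.10, sample 106023 access-group deny and 733100 threat-detection messages) and separates connections the ASA itself denied from basic threat-detection messages, which only alert.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not taken from the thread). 203.0.113.10 stands in
# for the scanner; 10.1.1.5 is the video server's inside address; "outside_in" the ACL.
SAMPLE_SYSLOGS = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/44120 (203.0.113.10/44120) to inside:10.1.1.5/80 (198.51.100.5/80)
%ASA-4-106023: Deny tcp src outside:203.0.113.10/44121 dst inside:10.1.1.5/1755 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.10/44122 dst inside:10.1.1.5/1755 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.10/44123 dst inside:10.1.1.5/1755 by access-group "outside_in" [0x0, 0x0]
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3000
%ASA-4-106023: Deny tcp src outside:192.0.2.77/5555 dst inside:10.1.1.5/22 by access-group "outside_in" [0x0, 0x0]
"""

# 106023: packet denied by an access-group (the ASA really dropped it).
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) '
    r'by access-group "([^"]+)"')
# 733100: basic threat-detection rate exceeded (informational; it does not drop by itself).
TD_RE = re.compile(r'%ASA-\d-733100: \[ ?(\w+) ?\] drop rate-(\d+) exceeded')


def triage(syslog_text, scanner_ip):
    """Summarise ASA denies for one source IP plus any threat-detection alerts seen.

    Returns {"denies": {(proto, dst_port): count}, "rules": {(proto, dst_port): [acl, ...]},
             "threat_alerts": [(category, rate_id), ...]}.
    """
    denies, rules, alerts = Counter(), defaultdict(set), []
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, _sif, src, _sport, _dif, _dst, dport, acl = m.groups()
            if src == scanner_ip:  # only the scanner's traffic is of interest here
                denies[(proto, int(dport))] += 1
                rules[(proto, int(dport))].add(acl)
            continue
        m = TD_RE.search(line)
        if m:
            alerts.append((m.group(1), int(m.group(2))))
    return {"denies": dict(denies),
            "rules": {k: sorted(v) for k, v in rules.items()},
            "threat_alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_SYSLOGS, "203.0.113.10")
    for (proto, port), n in sorted(result["denies"].items()):
        print(f"ASA denied {n} {proto}/{port} packet(s) from scanner via {result['rules'][(proto, port)]}")
    for category, rate in result["threat_alerts"]:
        print(f"threat-detection alert only (no drop by itself): {category}, rate-{rate}")
```

If the scanner's probes show up as 106023 denies, the ACL is the culprit; if nothing is logged for them at all, the packet captures on both interfaces are the next step.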
