07-15-2024 05:08 AM
Hello, I want help on a case: our ASA firewall is being scanned on a management interface, and the scan shows that port 3306 is open. Our QSA told us to verify it or close it. Normally we use only SSH to access the firewall. So, please assist us in understanding why this port is open and also how we can disable it.
07-15-2024 10:26 AM
So, if FTD allows requests to this port from external devices and responds, this looks very much like a security hole and at least undocumented behavior. Documentation only mentions that FMC listens on this port and not FTD.
07-15-2024 10:43 AM - edited 07-15-2024 10:47 AM
QSAs and other so-called auditors are known to often give advice to security administrators based on incomplete or inaccurate understanding of how the devices actually work.
If you perform an nmap scan of an FTD device's management port against tcp/3309, you will see that it reports as "filtered" - meaning there may be a listener but an actual connection could not be established. Packet capture during such a scan confirms that no TCP 3-way handshake completes, meaning the FTD does not actually accept the external connection. My screenshot below confirms this.
A non-technical auditor will however just take the output of a Nessus or similar scan and see the filtered ports and "cry wolf". For me, I say "pcap or it didn't happen".
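To make the "pcap or it didn't happen" point above repeatable, here is an added Python example (not code from this thread or from Cisco) that separates what a scanner reports from what a TCP handshake actually shows. It parses nmap-style output and flags ports reported as "open" or "filtered", then classifies a port the way nmap does by attempting a full TCP connect: a completed three-way handshake is "open", an RST is "closed", and no answer before the timeout is "filtered". The host name, addresses and the nmap output lines are constructed for illustration; the self-check at the bottom runs only against a listener on 127.0.0.1.

```python
"""Verify a scanner's 'open port' finding on your own device by checking
whether a TCP three-way handshake actually completes.

Added example for this thread, not code from the original posts or from Cisco.
The sample nmap output and the host name in it are constructed.
"""
import re
import socket

# Constructed nmap normal-output excerpt, as a QSA scan report might show it.
SAMPLE_NMAP_OUTPUT = """
Nmap scan report for ftd-mgmt.example.internal (192.0.2.10)
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  open     https
3306/tcp filtered mysql
"""

# One nmap port line: "<port>/<proto> <state> <service>"
NMAP_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S*)", re.M)


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples from nmap normal output."""
    return [(int(port), proto, state, service)
            for port, proto, state, service in NMAP_PORT_LINE.findall(text)]


def ports_needing_verification(text):
    """Ports worth confirming with a real connect attempt.

    nmap reports 'open' only when the handshake completed; 'filtered' means
    neither a SYN/ACK nor an RST came back, so no connection was accepted.
    Both end up in audit findings, so both get verified.
    """
    return [port for port, _, state, _ in parse_nmap_ports(text)
            if state in ("open", "filtered")]


def classify_tcp_port(host, port, timeout=3.0):
    """Attempt a full TCP connect and classify with nmap's semantics:

    'open'     - three-way handshake completed (a listener accepted us)
    'closed'   - peer answered with RST (connection refused)
    'filtered' - no usable answer before the timeout (dropped or unreachable)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"
    finally:
        sock.close()


def local_listener():
    """Bind a listening socket on 127.0.0.1 on a kernel-chosen port (for self-test)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener


def unused_local_port():
    """Pick a port that nothing is listening on, so a connect yields RST."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # What the scan report claims.
    for port, proto, state, service in parse_nmap_ports(SAMPLE_NMAP_OUTPUT):
        print(f"scanner says {port}/{proto} {state} ({service})")
    print("verify:", ports_needing_verification(SAMPLE_NMAP_OUTPUT))

    # What a real handshake shows, demonstrated against local sockets only.
    lst = local_listener()
    print("listening port ->", classify_tcp_port("127.0.0.1", lst.getsockname()[1]))
    lst.close()
    print("no listener    ->", classify_tcp_port("127.0.0.1", unused_local_port()))
```

Run `classify_tcp_port(<your management IP>, 3306)` from the same vantage point as the scanner to reproduce the check: only an "open" result means a listener accepted the connection, which is exactly what a completed handshake in the packet capture would also show. A "filtered" result alongside a scan report that lists the port is the situation Marvin describes, where the finding does not demonstrate an accepting service.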
07-15-2024 11:16 PM
Hello Marvin,
Thank you for the invaluable support.
Sorry @MHM Cisco World for misleading you; actually we are using FTD.