10-18-2003 07:17 PM - edited 02-20-2020 11:03 PM
Hello,
We just set up a PIX to use in a very small data center. At this point we have two web servers that are behind the PIX, with static translations defined for both of them. All appears to be working and we can access the web servers as intended.
We are using conduits to open the www and ssl ports via this config:
conduit permit tcp any eq www any
conduit permit tcp any eq https any
conduit permit icmp any any
The icmp entry is to allow an external system to monitor the systems.
What appears odd is that when I test the two IP addresses with Glock Software's AATools port scanner, the output appears that other ports (for example, smtp and pop3) are listening. The port scanner also shows a ton of listening UDP ports.
If I try to telnet to port 25 on either system it doesn't work, so it does appear that traffic is being blocked.
Is there a reason that these tcp and udp ports would appear to be listening? I guess I thought that the only ports that would appear to be listening were the ones that were opened via the conduits.
Thanks in advance...
Dan
10-19-2003 01:36 AM
Best thing to do is move away from conduits and only use access control lists. Cisco recommends against conduits, and if you are using conduits with ACLs on the same interface this can result in weird stuff happening. You should not be able to see any other ports other than the ports that you have allowed through that interface. I'm not familiar with the software that you are using, so I can't really give a definitive answer to your question.
10-19-2003 08:19 AM
There are no ACLs on this PIX. We actually have another PIX, configured with ACLs and no conduits that exhibits the same behavior.
10-19-2003 11:00 AM
Hi,
As lwierenga said, just try out some other port scanning software as well. You can't rely on these tools 100%.
Thanks
Nadeem
10-19-2003 11:38 AM
Thank you for your feedback. I also tried nmap to see what that would give me. When I probe with a SYN stealth scan, it shows that only 80 and 443 are open ports (as I would expect). However, when I probe using the Connect scan, the system shows the following:
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on xxxxxx.com (xxx.xxx.xxx.xxx):
(The 1597 ports scanned but not shown below are in state: filtered)
Port State Service
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
443/tcp open https
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 429 seconds
Why would 25 and 110 indicate an "open" status in this scan?
Thanks...
10-19-2003 02:01 PM
Hi,
Is the server really listening on port 25 & 110?
Just curious if this is the case on the server side!
Thanks
Nadeem
10-19-2003 06:18 PM
Hi Nadeem,
The server is running SMTP on port 25, but no POP3 on 110. It's a web server, so it uses its own SMTP engine to send auto-responders, etc.
Dan
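The disagreement between the SYN scan and the connect scan in this thread comes down to what each result proves: nmap's connect scan reports a port "open" as soon as the three-way handshake completes, which shows only that something answered the SYN with a SYN-ACK, not that a service behind it will ever talk. The script below is an added example (not from the thread or from Cisco) showing the follow-up check a practitioner would make on ports like 25 and 110: connect, then wait briefly for a banner, and separate "open and answering" from "handshake completed but silent" and "refused". The listeners it probes are constructed on localhost to stand in for the scanned hosts; the SMTP banner text is a made-up sample.

```python
"""Tell an 'open' port with a service behind it from one that merely
completes the TCP handshake. Added example; listeners are constructed
stand-ins for the hosts discussed in the thread."""
import socket
import threading

# Constructed sample banner; a real MTA would send its own 220 greeting.
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def start_listener(banner):
    """Start a localhost TCP listener and return its port.

    With banner=None the listener accepts the connection and never sends
    anything, mimicking a device that completes the handshake on behalf of
    a host that has no service on that port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            if banner is not None:
                conn.sendall(banner)
            conn.recv(1024)  # hold the connection until the client closes
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host, port, timeout=1.0):
    """Connect to host:port and classify the result.

    Returns (state, data) where state is one of:
      'filtered'    - connect() timed out (no SYN-ACK, no RST)
      'closed'      - connection refused (RST)
      'open'        - handshake completed and the peer sent data (banner)
      'open-silent' - handshake completed but nothing arrived within timeout
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", b"")
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    try:
        data = s.recv(1024)
        return ("open", data)
    except socket.timeout:
        return ("open-silent", b"")
    finally:
        s.close()


def classify_demo():
    """Probe three constructed cases and return {name: (state, data)}."""
    smtp_port = start_listener(SMTP_BANNER)   # real service with a banner
    silent_port = start_listener(None)        # handshake only, no service
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]        # bound then released: closed
    tmp.close()
    return {
        "smtp": probe("127.0.0.1", smtp_port),
        "silent": probe("127.0.0.1", silent_port),
        "closed": probe("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    for name, (state, data) in classify_demo().items():
        print(f"{name:7s} {state:12s} {data.decode(errors='replace').strip()}")
```

Run against the real addresses, a port that nmap's connect scan lists as open but that comes back "open-silent" here (and where the SYN scan says filtered) is the one to question; a genuine SMTP or POP3 daemon greets within a second. The 'filtered' branch cannot be exercised on localhost, so the demo covers only the other three states.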