Running PortScan (from Outside) Shows Ports open on internal server

fbeye
Level 4

Hello

So, for fun, I randomly do port scans to monitor my server, etc. On my email server, the only process I run is email itself, with 993 and 25 open, and those are also the only two ports open in my ASA. But when I run a scan, it shows 80 and 443 open. As I said, I have verified that the only two ports open in the ASA are 25 and 993, so I am unsure why. I can paste my config file later, but for now maybe there is something common about this that I am missing.

5 Replies

balaji.bandi
Hall of Fame

What IP did you use for port scanning? The outside interface of the ASA? Does the mail server have a static 1-to-1 NAT configured?

Give us more information about the setup so we can understand it.

Also, I suggest you do the same scan against the mail server from the internal network, the same way you did from outside, and compare the results.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Richard Burts
Hall of Fame

I am not clear whether the reported open ports are on the ASA or on the server. Perhaps the original poster can clarify? If they are on the ASA, it may be because those ports are open to provide management access to the ASA.

HTH

Rick

fbeye
Level 4

I apologize for the delay; I had not received an email notification saying I had responses.

So I will show a picture of my server topology. I am running a port scan from the outside (a completely different network, be it my cell phone or at work) and scanning a static IP with a 1:1 NAT through my 5508-X, which connects to my email server on GE0/3 with an interface IP of 192.168.3.180. The server has the actual real static IP x.x.x.180, using 192.168.3.180 as the gateway.

My port scan from here at work right now shows 25, 80, 443 and 993 open, but I can guarantee only 25 and 993 are open for inbound/outbound email access. I am scanning the internal static IP, not the gateway static IP of the router.

When I get home, if it is still needed, I will gladly paste what my ASA says, but I am also the one who configured it, and I never would have had reason to open those two other ports.

[Attached image: BasicToplogy.jpg]

As per your description, it should not show anything other than the ports you allowed in the ACL for the static NAT translation. (Do you also have an ACL after the NAT that allows only the required ports?)

As I suggested, have you scanned the server internally to confirm it is only responding on the ports you intended?

Honestly, we do scan for audit purposes and have never come across this issue.

BB

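The comparison suggested in the replies above (scan the server from outside through the static NAT, scan it again from the LAN, and diff the two against the ports you intend to expose) is easy to automate. The following is an added example, not code from the thread or from Cisco: it parses nmap grepable (`-oG`) output from both vantage points and classifies each port. The scan output is constructed inline; 203.0.113.180 is a documentation-range placeholder for the public static IP, and the intended port set is assumed from the thread (25 and 993). A port that answers only from outside is not the server's listener at all; something in the path (the firewall's own services, or a NAT rule) is answering it, which is the check that distinguishes the two explanations given above.

```python
"""Diff nmap -oG results from two vantage points (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Ports the administrator intends to expose (assumed from the thread: SMTP and IMAPS).
INTENDED_PORTS = {(25, "tcp"), (993, "tcp")}

# Constructed sample output of `nmap -oG - -p 1-1024 <target>`; not a real scan.
# 203.0.113.180 is a documentation-range stand-in for the public static IP.
OUTSIDE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p 1-1024 203.0.113.180
Host: 203.0.113.180 ()\tStatus: Up
Host: 203.0.113.180 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 993/open/tcp//imaps///\tIgnored State: filtered (1020)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed sample from the LAN side, against the server's real address.
INSIDE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p 1-1024 192.168.3.180
Host: 192.168.3.180 ()\tStatus: Up
Host: 192.168.3.180 ()\tPorts: 25/open/tcp//smtp///, 993/open/tcp//imaps///\tIgnored State: closed (1022)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Matches the "<port>/<state>/<proto>/" prefix of each entry in the Ports: field;
# only entries in state "open" are kept.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def parse_open_ports(grepable: str) -> set[tuple[int, str]]:
    """Return the (port, protocol) pairs reported open in nmap -oG output."""
    ports: set[tuple[int, str]] = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports: field ends at the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, _state, proto in PORT_RE.findall(ports_field):
            ports.add((int(port), proto))
    return ports


@dataclass
class Comparison:
    only_outside: set = field(default_factory=set)       # answers through the NAT only
    only_inside: set = field(default_factory=set)        # listening on the LAN, not exposed
    unexpected_outside: set = field(default_factory=set)  # exposed but not intended
    missing_outside: set = field(default_factory=set)     # intended but not reachable


def compare(outside: str, inside: str, intended=INTENDED_PORTS) -> Comparison:
    """Classify ports by comparing the two scans and the intended exposure."""
    o, i = parse_open_ports(outside), parse_open_ports(inside)
    return Comparison(
        only_outside=o - i,
        only_inside=i - o,
        unexpected_outside=o - intended,
        missing_outside=intended - o,
    )


def explain(c: Comparison) -> list[str]:
    """Human-readable findings, one line per port, in a fixed order."""
    notes = []
    for port, proto in sorted(c.only_outside):
        notes.append(f"{port}/{proto}: open from outside but not from the LAN; the server is not "
                     "listening, so a device in the path (firewall services or a NAT rule) answers it")
    for port, proto in sorted(c.unexpected_outside - c.only_outside):
        notes.append(f"{port}/{proto}: server listener exposed through the NAT but not on the intended list")
    for port, proto in sorted(c.only_inside):
        notes.append(f"{port}/{proto}: listening on the LAN only; not reachable from outside")
    for port, proto in sorted(c.missing_outside):
        notes.append(f"{port}/{proto}: intended to be reachable but not open from outside")
    return notes


if __name__ == "__main__":
    for line in explain(compare(OUTSIDE_SCAN, INSIDE_SCAN)):
        print(line)
```

Run against real scans by replacing the two constructed strings with the contents of `nmap -oG` output files from each side. With the sample data, 80 and 443 land in `only_outside`, which is the signature of the firewall answering rather than the mail server.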

When I get home I will indeed verify what you ask, as well as test locally on the network.

As far as an ACL past the NAT, I do not have one, as only one PC, a Linux server, is connected. I suppose the idea would be iptables on the Linux server, which I do not use, as I am using the ACL on the 5508 to control incoming traffic. With that said, I cannot imagine how that would matter, especially when that server does not, and never has, run an HTTP server.

I will get back. ty