Solved: Nessus Discovery Scan Vlan IPs

ajg002 · ‎08-12-2024

I have to perform a Nessus Discovery scan on our network devices. On our Catalyst 9300 switch I don't get results back from the Vlan IP addresses however, I do get responses from the devices on each Vlan. I am also not using "ip routing" so, I am trying to ping each Vlan ip address without layer 3. To do this, I've attempted to use a Port ACL on the trunk interface but, I lost connection. I am going to review my ACLs but,

Any suggestions on what needs to be configured to get this to work is appreciated.

Enes Simnica · ‎08-13-2024

Since IP routing isn't enabled on your Catalyst 9300, VLAN interfaces won't respond to pings from outside their VLANs. The SVIs only serve devices within each VLAN. Applying a Port ACL on the trunk interface could block necessary traffic, which might explain the connection loss.

Suggestions:

Enable Layer 3 Routing: If possible, enable IP routing so the switch can route between VLANs, allowing the VLAN interfaces to respond to pings.
Review ACLs: Ensure the ACL isn't blocking ICMP traffic or other necessary protocols that could affect connectivity.
Consider a Layer 3 Device: If enabling routing isn't an option, use a Layer 3 device (like a router) to manage inter-VLAN communication.

These steps should help your Nessus scan get responses from the VLAN IP addresses.

E.S

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

View solution in original post

MHM Cisco World · ‎08-13-2024

please can you elaborate more what you want here

MHM

Enes Simnica · ‎08-13-2024

Since IP routing isn't enabled on your Catalyst 9300, VLAN interfaces won't respond to pings from outside their VLANs. The SVIs only serve devices within each VLAN. Applying a Port ACL on the trunk interface could block necessary traffic, which might explain the connection loss.

Suggestions:

Enable Layer 3 Routing: If possible, enable IP routing so the switch can route between VLANs, allowing the VLAN interfaces to respond to pings.
Review ACLs: Ensure the ACL isn't blocking ICMP traffic or other necessary protocols that could affect connectivity.
Consider a Layer 3 Device: If enabling routing isn't an option, use a Layer 3 device (like a router) to manage inter-VLAN communication.

These steps should help your Nessus scan get responses from the VLAN IP addresses.

E.S

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

ajg002 · ‎08-14-2024

I have been reviewing our router ACLs and it looks like it must be an issues with those. Once, I look into them more I will give you all an update. I really appreciate the suggestions and guidance!!

ajg002 · ‎08-19-2024

After some digging and following the advice of Enes Simnica, I was able to figure out what as going on. It appears a previous tech had setup the switch to act as layer 3 while still using ROAS. I removed the layer 3 setting to include the ip addresses I was trying to scan with Nessus. This allowed me to keep using the switch as layer 2. Finally, I confirmed the ACLs for each vlan on the router. All appears to be working as I wanted.

Thanks for the help!

Enes Simnica · ‎08-19-2024

Happy to help man! I'm glad everything worked out.

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!