How to permit for nmap scan to ASA

jewfcb001
Level 4

Hi All,

If I need to run an nmap scan for security,
can I use some ACL command to permit the nmap scan to the ASA for TCP 22/443?
Ex.

access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>
access-group NMAPSCAN in interface <interface-name>

Is it enough?

6 Replies

balaji.bandi
Hall of Fame

The example below should work for only ports 22 and 443:

access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq https

access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq ssh

BB


Thank you for the answer.

Can I use this command? Is the result the same as your answer above?
access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>

Sure you can use this command.

This command allows all traffic (UDP, TCP and other) between two hosts.

But here the destination is the FW interface, not a host connected to the FW, so:

A normal ACL affects traffic between hosts through the FW.

A control-plane ACL affects traffic toward the FW interface.

So use the ACL, but use access-group with control-plane.

Note: by default, no FW has any control-plane ACL and you are allowed to connect to it. Try nmap without the ACL; if you fail, add this ACL with control-plane.

MHM

Okay.
You mean use this one:
access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>
access-group NMAPSCAN in interface <interface-name>

or 

access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq https
access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq ssh
access-group  XXXX_access_in in interface <interface-name>

Am I correct?

Marvin Rhoads
Hall of Fame

For traffic to the firewall interface address, use a control-plane ACL.

Here is an extended example for FMC, FDM (and even ASA):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221469-configure-control-plane-access-control-p.html
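Putting the two answers above side by side, here is an added example config (not posted by anyone in the thread, and not from the linked Cisco document) that shows the through-the-box ACL next to the to-the-box (control-plane) ACL. The addresses, interface name and ACL names are assumptions for illustration: scanner 192.0.2.10, management host 198.51.100.5, a server 203.0.113.20 behind the ASA, and an interface named outside. It assumes an ASA release that accepts the control-plane keyword on access-group, as covered in the document Marvin linked.

```cisco
! Added example, not from the thread or from Cisco. Assumed values:
!   scanner host      192.0.2.10
!   management host   198.51.100.5
!   server behind ASA 203.0.113.20
!   interface name    outside

! 1) Data-plane (through-the-box) ACL. This governs traffic that transits
!    the ASA between hosts. A destination of "host <ASA interface IP>" in
!    this ACL does NOT control sessions that terminate on the ASA itself.
access-list OUTSIDE_IN extended permit tcp host 192.0.2.10 host 203.0.113.20 eq https
access-group OUTSIDE_IN in interface outside

! 2) Control-plane (to-the-box) ACL. This is what filters the nmap probes
!    aimed at the interface address. Once it is applied, any to-the-box
!    traffic on that interface not permitted here is dropped, so permit
!    your real management sources BEFORE the scanner or you lock yourself out.
access-list CP_OUTSIDE extended permit tcp host 198.51.100.5 interface outside eq ssh
access-list CP_OUTSIDE extended permit tcp host 198.51.100.5 interface outside eq https
access-list CP_OUTSIDE extended permit tcp host 192.0.2.10 interface outside eq ssh
access-list CP_OUTSIDE extended permit tcp host 192.0.2.10 interface outside eq https
access-list CP_OUTSIDE extended deny ip any any log
access-group CP_OUTSIDE in interface outside control-plane

! 3) The ACL only lets packets reach the box. Whether SSH/ASDM actually
!    accept a session is still decided by the service configuration.
!    Without these lines, nothing listens on 22/443 on that interface and
!    the scanner will not see them open regardless of the ACL.
ssh 198.51.100.5 255.255.255.255 outside
http server enable
http 198.51.100.5 255.255.255.255 outside

! 4) Verify: hit counts on the control-plane ACL should rise while the scan
!    runs, and the explicit deny line shows anything else hitting the interface.
! show access-list CP_OUTSIDE
! show running-config access-group
```

Two points worth keeping in mind when reading the scan results. First, the scanner is only in the control-plane ACL, not in the ssh or http statements, so the ASA will let its SYNs in but will not accept the SSH or ASDM session; that is deliberate for a port scan, but if the goal is to test authentication as well, the scanner also has to be added to those statements. Second, because the control-plane ACL ends in an implicit (here explicit) deny, apply it in a maintenance window from a session that is already permitted, and remove it with `no access-group CP_OUTSIDE in interface outside control-plane` when the scan is finished if you do not want it to stay as a permanent management filter.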
