12-24-2023 11:33 PM
Hi All,
If I need to run an nmap scan for security,
can I use some ACL command to permit the nmap scan to the ASA for tcp/22 and tcp/443?
Ex.
access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>
access-group NMAPSCAN in interface <interface-name>
Is it enough?
12-25-2023 02:15 AM
The example below should work for only ports 22 and 443:
access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq https
access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq ssh
12-25-2023 02:28 AM
Thank you for the answer.
Can I use this command? Is the result the same as your answer above?
access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>
12-25-2023 02:33 AM
Sure, you can use this command.
This command allows all traffic (UDP, TCP and other) between two hosts.
But here the destination is the FW interface, not a host connected to the FW, so:
A normal ACL affects traffic between hosts through the FW.
A control-plane ACL affects traffic toward the FW interface.
So use the ACL, but use access-group with control-plane.
Note: by default, no FW has any control-plane ACL and you are allowed to connect to it. Try using nmap without an ACL; if you fail, add this ACL with control-plane.
MHM
12-25-2023 02:39 AM
Okay.
You mean use this one:
access-list NMAPSCAN extended permit ip host <ip-nmap host> host <IP Interface Firewall>
access-group NMAPSCAN in interface <interface-name>
or
access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq https
access-list XXXX_access_in extended permit tcp host NMAPIP interface (INSIDE or OUTSIDE) eq ssh
access-group XXXX_access_in in interface <interface-name>
Am I correct?
12-25-2023 02:45 AM
Check this guide.
Check ACL to-the-box.
MHM
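To make the through-the-box versus to-the-box distinction from the answers above concrete, here is an added ASA configuration example. It is not from any post in this thread; it assumes ASA 9.x syntax, a scanner at 10.1.1.5 on an interface named INSIDE whose address is 10.1.1.1, and it shows the ACL from the question next to the control-plane ACL that actually governs a scan of the interface address. Names and addresses are placeholders to adjust.

```cisco
! Added example, not from the thread. Assumed values: scanner 10.1.1.5,
! interface nameif INSIDE with address 10.1.1.1, ASA 9.x.
!
! 1) The ACL from the question, applied as a normal interface ACL.
!    This governs traffic passing *through* the ASA (from a host on
!    INSIDE to a host behind another interface). It does not decide
!    whether the ASA itself answers on 22/443 at its own address.
access-list NMAPSCAN extended permit ip host 10.1.1.5 host 10.1.1.1
access-group NMAPSCAN in interface INSIDE

! 2) What governs a scan of the interface address: a control-plane ACL.
!    "interface INSIDE" as the destination means "the ASA's own address
!    on that interface", and "control-plane" on access-group binds the
!    ACL to to-the-box traffic. Limit it to the two ports under test
!    rather than "permit ip".
access-list TO-THE-BOX extended permit tcp host 10.1.1.5 interface INSIDE eq ssh
access-list TO-THE-BOX extended permit tcp host 10.1.1.5 interface INSIDE eq https
access-group TO-THE-BOX in interface INSIDE control-plane

! 3) Caveat: like any ASA ACL, a control-plane ACL ends in an implicit
!    deny. Before applying it, add permits for everything else that must
!    reach this interface address (other admin hosts, VPN peers, routing
!    neighbors), or that traffic is cut off the moment the ACL is bound.

! 4) Whether 22/443 respond at all is decided by the management
!    services, not by the ACL. With no control-plane ACL the ASA already
!    accepts to-the-box traffic, but SSH and ASDM/HTTPS only answer for
!    sources and interfaces they are enabled on:
ssh 10.1.1.5 255.255.255.255 INSIDE
http server enable
http 10.1.1.5 255.255.255.255 INSIDE
```

From the scanner (assumed address), `nmap -Pn -p 22,443 10.1.1.1` should then report both ports open; `show access-list TO-THE-BOX` on the ASA shows the hit counts (hitcnt) per line, which confirms the scan was matched by the control-plane ACL and not by NMAPSCAN.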
12-26-2023 03:43 AM
For traffic to the firewall interface address, use a control-plane ACL.
Here is an extended example for FMC, FDM (and even ASA):