Firewall Wizards mailing list archives
RE: False results to DMZ
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 23 Jan 2006 09:33:10 -0500
-----Original Message-----
Subject: [fw-wiz] False results to DMZ

> First off, the DMZ is set up with virtual interfaces (PIX), and the scanning source is inside. The firewall allows anything IP from this scanner. If I scan most of the DMZs, I get normal results with all of the scans. Using NMAP, if I scan one specific DMZ, I only get results with the SYN scan and TCP window scans, AND it says every port is open (what the firewall allows). Cisco support is not being helpful. Does anyone have any idea why this is? It's weird. I'm trying to automate Nessus against the DMZ servers, and it's giving too many false positives about open ports.
>
> I have taken packet traces, and the only thing weird is that I am getting an ACK back for every port, but they are Zero Window (TCP Window Scan brings back every port open).
>
> Any ideas?
Can you post a sanitized version of your PIX config? Specifically I'm wondering about sysopt proxy arp and static/global NAT settings. If you scan with nmap -sT (full TCP connect() scan) do you get correct results?

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
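The symptom in the thread (a SYN/ACK with a zero window from every probed port on one DMZ, so the SYN and window scans call everything open) is easy to triage from the packet trace before trusting the Nessus output. The script below is an added example, not code from the thread or from either poster: it parses tcpdump-style lines, tallies per target host how many probed ports answered with SYN/ACK and how many of those answers carried win 0, and flags a host as a false-positive candidate when every probed port "opened" with a zero-window reply. The scanner address, the target addresses and the trace lines are constructed for the example; the heuristic itself is an assumption (a real server will not answer every port, including unused high ports, identically).

```python
import re
from collections import defaultdict

# Hypothetical inside scanner, matching the thread's "scanning source is inside".
SCANNER_IP = "10.1.1.50"

# Constructed tcpdump-style trace (not from the original thread):
# 192.0.2.10 answers SYN/ACK with win 0 on every probed port, including 31337;
# 192.0.2.20 behaves like a real host (one SYN/ACK with a normal window, one RST).
SAMPLE_TRACE = """\
09:01:00.000100 IP 10.1.1.50.40001 > 192.0.2.10.22: Flags [S], seq 100, win 1024, length 0
09:01:00.000200 IP 192.0.2.10.22 > 10.1.1.50.40001: Flags [S.], seq 500, ack 101, win 0, length 0
09:01:00.000300 IP 10.1.1.50.40002 > 192.0.2.10.80: Flags [S], seq 101, win 1024, length 0
09:01:00.000400 IP 192.0.2.10.80 > 10.1.1.50.40002: Flags [S.], seq 501, ack 102, win 0, length 0
09:01:00.000500 IP 10.1.1.50.40003 > 192.0.2.10.31337: Flags [S], seq 102, win 1024, length 0
09:01:00.000600 IP 192.0.2.10.31337 > 10.1.1.50.40003: Flags [S.], seq 502, ack 103, win 0, length 0
09:01:00.000700 IP 10.1.1.50.40004 > 192.0.2.20.22: Flags [S], seq 103, win 1024, length 0
09:01:00.000800 IP 192.0.2.20.22 > 10.1.1.50.40004: Flags [S.], seq 600, ack 104, win 5840, length 0
09:01:00.000900 IP 10.1.1.50.40005 > 192.0.2.20.80: Flags [S], seq 104, win 1024, length 0
09:01:00.001000 IP 192.0.2.20.80 > 10.1.1.50.40005: Flags [R.], seq 0, ack 105, win 0, length 0
"""

# Matches the src/dst endpoints, the TCP flags and the advertised window of one line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?\bwin (?P<win>\d+)"
)


def parse_line(line):
    """Return the endpoints, flags and window of a tcpdump line, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "win"):
        pkt[key] = int(pkt[key])
    return pkt


def analyze_trace(trace, scanner_ip=SCANNER_IP):
    """Per target host: ports probed, SYN/ACK replies, zero-window replies, RSTs, verdict."""
    hosts = defaultdict(lambda: {"probed": set(), "synack": {}, "rst": set()})
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if pkt["src"] == scanner_ip and flags == "S":
            # Bare SYN from the scanner: record the probed port on the target.
            hosts[pkt["dst"]]["probed"].add(pkt["dport"])
        elif pkt["dst"] == scanner_ip:
            h = hosts[pkt["src"]]
            if "S" in flags and "." in flags:
                # SYN/ACK: what a SYN scan reports as "open"; keep the window size.
                h["synack"][pkt["sport"]] = pkt["win"]
            elif "R" in flags:
                h["rst"].add(pkt["sport"])
    report = {}
    for ip, h in hosts.items():
        probed, synack = len(h["probed"]), len(h["synack"])
        zero = sum(1 for w in h["synack"].values() if w == 0)
        # Heuristic (assumption): every probed port answering SYN/ACK, all with win 0,
        # looks like a firewall/NAT device answering on the host's behalf, not the host.
        suspect = probed > 0 and synack == probed and zero == synack
        report[ip] = {"probed": probed, "synack": synack, "zero_window": zero,
                      "rst": len(h["rst"]), "suspect": suspect}
    return report


def suspect_hosts(trace, scanner_ip=SCANNER_IP):
    """Hosts whose SYN-scan results should be re-checked with a connect() scan."""
    return sorted(ip for ip, r in analyze_trace(trace, scanner_ip).items() if r["suspect"])


if __name__ == "__main__":
    for ip, r in sorted(analyze_trace(SAMPLE_TRACE).items()):
        print(ip, r)
    print("re-check with connect() scan:", suspect_hosts(SAMPLE_TRACE))
```

Hosts the script flags are the ones to re-run with the full connect() scan Paul suggests (and to compare against the PIX static/global and proxy-ARP configuration); a port that completes the handshake under -sT on such a host is genuinely open, while the rest are the firewall answering for the server.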
Current thread:
- False results to DMZ David U. Haltinner (Jan 20)
- RE: False results to DMZ Paul Melson (Jan 23)
- RE: False results to DMZ David U. Haltinner (Jan 23)
- <Possible follow-ups>
- RE: False results to DMZ Ralf . Zessin (Jan 24)
- RE: False results to DMZ David U. Haltinner (Jan 24)
- RE: False results to DMZ Paul Melson (Jan 23)