Firewall Wizards mailing list archives

RE: False results to DMZ


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 23 Jan 2006 09:33:10 -0500

-----Original Message-----
Subject: [fw-wiz] False results to DMZ

First off, the DMZ is set up with virtual interfaces (PIX), and the
scanning source is inside. The firewall allows anything IP from this
scanner. If I scan most of the DMZs, I get normal results, with all of
the scans.

Using NMAP, if I scan one specific DMZ, I only get results with the SYN
scan and TCP window scans, AND it says every port is open (what the
firewall allows). Cisco support is not being helpful. Does anyone have
any idea why this is? It's weird. I'm trying to automate Nessus against
the DMZ servers, and it's giving too many false positives about open
ports.

I have taken packet traces, and the only thing weird is that I am getting
an ACK back for every port, but they are Zero Window (TCP Window Scan
brings back every port open).

Any ideas?


Can you post a sanitized version of your PIX config?  Specifically I'm
wondering about sysopt proxy arp and static/global nat settings.  If you
scan with nmap -sT (full TCP connect() scan) do you get correct results?

PaulM
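The symptom in the original post (a SYN/ACK with a zero window for every probed port on one DMZ) is the kind of thing a scanner can only tell apart from a genuinely open port by looking at the replies themselves. The script below is an added example, not code from the thread or from either poster: it reads tcpdump-style lines (constructed here, not taken from the poster's traces), pairs each SYN probe with its reply, and separates "SYN/ACK with a non-zero window" from "SYN/ACK with window 0" and from RST. A host where every probed port answers with a zero-window SYN/ACK is flagged for follow-up, which is exactly where Paul's suggested `nmap -sT` connect() cross-check would confirm or refute the result. Treating a uniform zero-window SYN/ACK as "unverified" rather than "open" is this example's assumption, not a diagnosis of the poster's PIX.

```python
import re

# Constructed tcpdump-style sample (not from the thread). Host .10 answers
# every probe with a zero-window SYN/ACK; host .11 behaves like a real stack.
SAMPLE = """\
09:31:02.100 IP 10.1.1.5.41000 > 192.168.50.10.22: Flags [S], seq 1, win 65535, length 0
09:31:02.101 IP 192.168.50.10.22 > 10.1.1.5.41000: Flags [S.], seq 9, ack 2, win 0, length 0
09:31:02.102 IP 10.1.1.5.41001 > 192.168.50.10.80: Flags [S], seq 1, win 65535, length 0
09:31:02.103 IP 192.168.50.10.80 > 10.1.1.5.41001: Flags [S.], seq 9, ack 2, win 0, length 0
09:31:02.104 IP 10.1.1.5.41002 > 192.168.50.10.443: Flags [S], seq 1, win 65535, length 0
09:31:02.105 IP 192.168.50.10.443 > 10.1.1.5.41002: Flags [S.], seq 9, ack 2, win 0, length 0
09:31:02.106 IP 10.1.1.5.41003 > 192.168.50.11.22: Flags [S], seq 1, win 65535, length 0
09:31:02.107 IP 192.168.50.11.22 > 10.1.1.5.41003: Flags [S.], seq 9, ack 2, win 29200, length 0
09:31:02.108 IP 10.1.1.5.41004 > 192.168.50.11.80: Flags [S], seq 1, win 65535, length 0
09:31:02.109 IP 192.168.50.11.80 > 10.1.1.5.41004: Flags [R.], seq 0, ack 2, win 0, length 0
09:31:02.110 IP 10.1.1.5.41005 > 192.168.50.11.443: Flags [S], seq 1, win 65535, length 0
"""

# Fields we need from a tcpdump TCP line: endpoints, flags and window size.
LINE_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?win (?P<win>\d+)"
)


def classify(capture):
    """Map (host, port) -> verdict for every SYN probe seen in the capture.

    Verdicts: 'open' (SYN/ACK, window > 0), 'syn-ack-zero-window'
    (SYN/ACK, window 0: needs verification), 'closed' (RST), 'filtered'
    (no reply seen).
    """
    results = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags, win = m["flags"], int(m["win"])
        if flags == "S":
            # Outbound probe: record it, assume filtered until a reply arrives.
            results.setdefault((m["dst"], int(m["dport"])), "filtered")
            continue
        key = (m["src"], int(m["sport"]))
        if key not in results:
            continue  # reply for something we did not probe; ignore
        if "R" in flags:
            results[key] = "closed"
        elif "S" in flags and "." in flags:
            results[key] = "open" if win > 0 else "syn-ack-zero-window"
    return results


def suspicious_hosts(results, min_ports=2):
    """Hosts where every probed port (at least min_ports) gave a zero-window
    SYN/ACK. Uniform behaviour across ports is the signal worth re-checking
    with a full connect() scan (assumption of this example)."""
    by_host = {}
    for (host, _port), verdict in results.items():
        by_host.setdefault(host, []).append(verdict)
    return sorted(
        host for host, verdicts in by_host.items()
        if len(verdicts) >= min_ports
        and all(v == "syn-ack-zero-window" for v in verdicts)
    )


if __name__ == "__main__":
    verdicts = classify(SAMPLE)
    for (host, port), verdict in sorted(verdicts.items()):
        print(f"{host}:{port:<5} {verdict}")
    for host in suspicious_hosts(verdicts):
        print(f"{host}: every probed port answered SYN/ACK win 0; "
              f"verify with a connect() scan before trusting 'open'")
```

Run it against a real `tcpdump -nn` capture of a SYN scan by passing the file contents to `classify()`; the regex covers the default tcpdump TCP line format with `-nn` (no name resolution), so adjust it if your capture uses a different output style.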

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
