RE: False results to DMZ

["David U. Haltinner" <dhaltinner () altaresources com>]

I have tried to use different variations with sysopt proxy arp, and I
have setup manual NAT's for the source machine (Both global nat as well
as static nat gives same results). Doing a packet trace ont he
destinations hsows the correct IP for the source, but it is sending
resets like it should. The source is getting back zerowindow ACK's
isntead of resets. But only the one DMZ. I have compared the setup of
the DMZ's, and they are all the same.




On Mon, 2006-01-23 at 09:33 -0500, Paul Melson wrote:
> -----Original Message-----
> Subject: [fw-wiz] False results to DMZ
>
> > First off, the DMZ is setup with virtual interfaces (PIX), and the
> scanning source is 
> > inside. The firewall allows anything IP from this scanner. If I scan most
> of the DMZ's, I 
> > get normal results, with all of the scans.
> > Using NMAP, If I scan one specific DMZ, I only get results with the SYN
> scan and TCP window 
> > scans, AND it says every port is open (what the firewall allows). Cisco
> support is not being > helpful. Does anyone have any idea why this is? It's
> weird. Im trying to automate Nessus 
> > against the DMZ servers, and its giving too many false positives about
> open ports.
> > I have taken packet traces, and the only thing weird is that I am getting
> an ACK back for 
> > eveyr port, but they are Zero Window (TCP Window Scan brings back every
> port open).
> > Any ideas?
>
>
> Can you post a sanitized version of your PIX config?  Specifically I'm
> wondering about sysopt proxy arp and static/global nat settings.  If you
> scan with nmap -sT (full TCP connect() scan) do you get correct results?
>
> PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards