Nmap Development mailing list archives

Windows nmap -sP vs Cisco Firewall


From: bitgod <bitgod () gmail com>
Date: Mon, 26 Jan 2009 17:20:48 -0600

Nmap Development,

I would like to share an issue that I have read some old threads on, but
have seen nothing new.  Is anyone able to provide an active bug ID for this
or explain the symptom otherwise?  I apologize ahead of time if my searches
have not yielded the existing answers I am looking for.

Scenario:

Windows Nmap users with the latest version get false positives indicating an
offline host is actually up when using the "-sP" flag alone behind a Cisco
ASA firewall to an outside target, versus Linux Nmap, which reports accurate
results of the target device being down with the same nmap command flag.
The Cisco ASA debug output indicates that Windows Nmap is sending
connectionless traffic with the "-sP" flag alone, whereas no bad errors are
seen from Linux Nmap with the same flag and destination:

ASA-6-106015: Deny TCP (no connection) from 10.x.x.x/63710 to 10.1.1.1/80 flags ACK on interface INSIDE

#############

Windows Nmap to an offline device:

nmap -sP 10.1.1.1
Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-26 17:13 Central Standard Time
Host 10.1.1.1 appears to be up.
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

#############

Linux Nmap to an offline device:

root@xxx:~# nmap -sP 10.1.1.1
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2009-01-26 17:12 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.151 seconds

#############

The workaround seems to be adding an additional flag like "-PE", but it
doesn't seem that should be required, and I've got a handful of customers
complaining that a firewall migration to Cisco from a Linux IPtable setup "broke"
Windows Nmap.  It appears the firewalls are doing their job, whereas the
older firewalls were not stateful in the same sense, and are stopping a
connectionless packet sent from Windows nmap.

Any feedback?  Thank you!

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
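
Added example, not part of the original post: a small parser for the ASA-6-106015 message quoted above that groups bare-ACK denials by source, so a firewall admin can tell ACK ping probes sent to many hosts apart from a single stale connection. The function names, the `min_targets` threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the 106015 message format shown in the post
# ("Deny TCP (no connection) ... flags ACK on interface INSIDE").
DENY_RE = re.compile(
    r"ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\w.:]+)/(?P<sport>\d+) to (?P<dst>[\w.:]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) +on interface (?P<ifname>\S+)"
)

def parse_deny(line):
    """Return the fields of one 106015 line as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = frozenset(ev["flags"].split())  # "RST ACK" -> {"RST", "ACK"}
    return ev

def ack_probe_sources(lines, min_targets=3):
    """Map (source, interface) -> sorted targets for sources whose bare-ACK
    packets were denied toward at least min_targets distinct hosts.
    min_targets is an assumed threshold; one denied ACK is often just a
    connection that already aged out of the state table."""
    targets = defaultdict(set)
    for line in lines:
        ev = parse_deny(line)
        if ev and ev["flags"] == {"ACK"}:
            targets[(ev["src"], ev["ifname"])].add(ev["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

# Constructed sample log lines (addresses and ports are made up).
SAMPLE = [
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/63710 to 10.1.1.1/80 flags ACK on interface INSIDE",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/63711 to 10.1.1.2/80 flags ACK on interface INSIDE",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/63712 to 10.1.1.3/80 flags ACK on interface INSIDE",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/51000 to 10.1.1.1/443 flags RST ACK on interface INSIDE",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.7/40222 to 10.1.1.1/80 flags ACK on interface INSIDE",
    "%ASA-6-302013: Built outbound TCP connection (constructed, unrelated line)",
]

if __name__ == "__main__":
    for (src, ifname), dsts in ack_probe_sources(SAMPLE).items():
        print(f"{src} on {ifname}: bare ACK denied toward {len(dsts)} hosts: {dsts}")
```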

