Nmap Development mailing list archives
Windows nmap -sP vs Cisco Firewall
From: bitgod <bitgod () gmail com>
Date: Mon, 26 Jan 2009 17:20:48 -0600
Nmap Development, I would like to share an issue that I have read some old threads on, but have seen nothing new. Is anyone able to provide an active bug ID for this or explain the symptom otherwise? I apologize ahead of time if my searches have not yielded the existing answers I am looking for. Scenario: Windows Nmap users with latest version get false positives indicating an offline host is actually up when using the "-sP" flag alone behind a Cisco ASA firewall to an outside target, versus Linux Nmap which reports accurate results of the target device beind down with the same nmap command flag. The Cisco ASA debug output indicates that Windows Nmap is sending connectless traffic with the "-sP" flag alone, where as no bad errors are seen from linux nmap with the same flag and destination: ASA-6-106015: Deny TCP (no connection) from 10.x.x.x/63710 to 10.1.1.1/80flags ACK on interface INSIDE ############# Windows Nmap to an offline device: nmap -sP 10.1.1.1 Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-26 17:13 Central Standard Time Host 10.1.1.1 appears to be up. Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds ############# Linux Nmap to an offline device: root@xxx:~# nmap -sP 10.1.1.1 Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2009-01-26 17:12 CST Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 Nmap finished: 1 IP address (0 hosts up) scanned in 2.151 seconds ############# The work around seems to be adding an addition flag like "-PE", but it doesn't seem that should be required, and I've got a handful of customers complaining a firewall migration to Cisco from a Linux IPtable setup "broke" Windows Nmap. It appears the firewalls are doing their job, where as the older firewalls were not stateful in the same sense, and are stopping a connectionless packet sent from Windows nmap. Any feedback? Thank you! _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Windows nmap -sP vs Cisco Firewall bitgod (Jan 26)
- Re: Windows nmap -sP vs Cisco Firewall Rob Nicholls (Jan 27)
- <Possible follow-ups>
- RE: Windows nmap -sP vs Cisco Firewall Tom Sellers (Jan 26)