Home page logo
/

nmap-dev logo Nmap Development mailing list archives

RE: Maybe bug, with -sP und ASA sending RST for denied networks
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 24 Oct 2007 14:59:36 -0400

Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a
possible explanation - whoever configured the device enabled the
"service resetinbound" option:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.
html#wp1348346

The ICMP probe might then be dropped, and the probe to 80/tcp replied
with an RST. Hard then to determine what is going on just by looking at
a packet capture and with no additional info. My money would be on
"resetinbound" plus ACL dropping ICMP echo request. But it could also be
that the ruleset drops indeed ICMP echo request, but has an entry that
says "permit tcp any host X" - and host X isn't actually listening on
80/tcp.

Dario
 

-----Original Message-----
From: nmap-dev-bounces () insecure org 
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Fyodor
Sent: Monday, October 22, 2007 7:47 PM
To: Pluto
Cc: nmap-dev () insecure org
Subject: Re: Maybe bug, with -sP und ASA sending RST for 
denied networks

On Thu, Oct 18, 2007 at 11:22:01AM +0200, Pluto wrote:
  Salve,

  maybe old stuff, just happened to me and can't find 
something in the docs
or elsewhere. When dong the -sP with an ASA in between you 
and the target,
the tcp-syn on port 80 will be answered by a RST from the 
ASA, thereby making
nmap think the host is responding and alive. Of course the 
results of such
a scan are basically useless then.

  Would it be possible to ignore RST in such a szenario? Or 
have a command
line switch to trigger this?

That can be a problem with port 80.  You may want to try a different
type of ping scan (such as ICMP only) or change the TCP ping probe
port(s).

-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]