RE: [fw-wiz] False results to DMZ



I have tried to use different variations with sysopt proxy arp, and I
have set up manual NATs for the source machine (both global NAT as well
as static NAT give the same results). Doing a packet trace on the
destinations shows the correct IP for the source, but it is sending
resets like it should. The source is getting back zero-window ACKs
instead of resets. But only the one DMZ. I have compared the setup of
the DMZs, and they are all the same.




On Mon, 2006-01-23 at 09:33 -0500, Paul Melson wrote:
> -----Original Message-----
> Subject: [fw-wiz] False results to DMZ
>
> > First off, the DMZ is set up with virtual interfaces (PIX), and the
> > scanning source is inside. The firewall allows anything IP from this
> > scanner. If I scan most of the DMZs, I get normal results, with all of
> > the scans.
> > Using NMAP, if I scan one specific DMZ, I only get results with the SYN
> > scan and TCP window scans, AND it says every port is open (what the
> > firewall allows). Cisco support is not being helpful. Does anyone have
> > any idea why this is? It's weird. I'm trying to automate Nessus against
> > the DMZ servers, and it's giving too many false positives about open
> > ports.
> > I have taken packet traces, and the only thing weird is that I am getting
> > an ACK back for every port, but they are Zero Window (TCP Window Scan
> > brings back every port open).
> > Any ideas?
>
>
> Can you post a sanitized version of your PIX config? Specifically I'm
> wondering about sysopt proxy arp and static/global nat settings. If you
> scan with nmap -sT (full TCP connect() scan) do you get correct results?
>
> PaulM
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
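A small triage helper for the situation this thread describes, added here as an example and not code from either poster: it reads a constructed set of per-port probe/reply records (the flags and TCP window of whatever came back), treats SYN/ACK and RST as genuine answers from the host, and flags the zero-window bare ACKs as replies that did not come from the host and so need the -sT connect() re-check Paul suggests before Nessus is allowed to call the port open. The record format, the verdict names and the `triage` function are my own assumptions, not nmap's internal logic.

```python
# Constructed probe/reply records modelled on the packet trace in the thread:
# dst port -> (TCP flags of the reply, TCP window of the reply), or None when
# nothing came back. These are made-up sample values, not captured data.
TRACE = {
    22:   ("SA", 5840),   # SYN/ACK: the host itself answered, port open
    25:   ("R", 0),       # RST: the host answered, port closed
    80:   ("A", 0),       # bare ACK, zero window: the pattern from the thread
    443:  ("A", 0),
    8080: None,           # silence: dropped somewhere in the path
}

def classify(reply):
    """Map one reply to a verdict the way a SYN probe would be read, with an
    extra bucket for the zero-window bare ACK the thread reports."""
    if reply is None:
        return "filtered"
    flags, window = reply
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    if flags == "A" and window == 0:
        # A bare ACK advertising no receive window is not how a listening
        # socket answers a SYN. Something in the path (proxy ARP / NAT on the
        # PIX is the suspect in the thread) is replying on the host's behalf,
        # which is exactly what makes SYN and window scans report "open".
        return "suspect-intermediary"
    return "unknown"

def triage(trace):
    """Return a verdict per port plus the sorted list of ports that must be
    re-checked with a full connect() scan before being trusted as open."""
    verdicts = {port: classify(reply) for port, reply in trace.items()}
    recheck = sorted(p for p, v in verdicts.items() if v == "suspect-intermediary")
    return verdicts, recheck

if __name__ == "__main__":
    verdicts, recheck = triage(TRACE)
    for port in sorted(verdicts):
        print(f"{port:5d} {verdicts[port]}")
    print("re-check with nmap -sT:", recheck)
```

Ports in the re-check list are the ones whose "open" result in the SYN and window scans should be treated as a false positive until a connect() scan confirms them.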


