[c-nsp] Nmap(way ot)

Church, Chuck cchurch at netcogov.com
Tue May 3 20:43:57 EDT 2005


Tom,

	NMAP fingerprinting works by sending packets of varying
protocols at a target address, and seeing what the response is.  I'm not
sure if this watchguard is a layer 2 or layer 3 device, but if it's
attempting to act like a transparent proxy, if you aim say HTTP packets
through it, it may be intercepting them in an attempt to proxy them,
then responding to the NMAP itself.  Since the Watchguard responded
itself to all the probing, NMAP correctly identifies it, rather than the
real destination on the other side.  At least that's what I think is
happening... 


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D 
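To make the mechanism Chuck describes concrete, here is an added simulation (written for this archive page; it is not code from the thread, from Nmap, or from WatchGuard). Hosts answer TCP SYN and ICMP echo probes with a few stack traits a fingerprinter keys on (initial TTL, window size, TCP options). A transparent proxy in the path answers SYNs to the ports it proxies with its own stack, so the scanner sees the proxy's fingerprint and the proxy's "open" ports no matter which destination it aims at, exactly the symptom Tom reports. The topology, port lists and stack values (`FIREBOX`, `TARGETS`, `PROBE_PORTS`) are constructed, and the proxy is assumed to sit one hop away. The `suspect_intermediary` check is the practical takeaway: scan several unrelated destinations and compare; identical TCP fingerprints everywhere, or TCP and ICMP replies that imply different hop counts, point at an in-path responder rather than the real host.

```python
"""Fingerprinting through a transparent proxy: simulation plus a sanity check.

Constructed model, not Nmap's logic. A proxy that intercepts TCP to certain
ports replies with its own stack, so the scanner fingerprints the proxy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Stack:
    initial_ttl: int   # TTL the OS puts on packets it originates
    window: int        # TCP window it advertises in a SYN-ACK
    options: str       # TCP option layout in the SYN-ACK


@dataclass(frozen=True)
class Host:
    name: str
    stack: Stack
    open_tcp: FrozenSet[int]
    hops: int          # hops from the scanner (the proxy counts as one)


@dataclass(frozen=True)
class Proxy:
    stack: Stack
    intercept_ports: FrozenSet[int]   # ports it transparently proxies
    hops: int = 1                     # assumption: the proxy is the first hop


@dataclass(frozen=True)
class Reply:
    kind: str          # "SYN-ACK", "RST" or "ECHO-REPLY"
    ttl: int           # TTL as observed by the scanner
    window: int = 0
    options: str = ""


# --- constructed sample topology (hypothetical values) ---------------------
FIREBOX = Proxy(Stack(64, 5840, "MSS,SACK,TS,NOP,WS"),
                frozenset({21, 25, 80, 443}))
TARGETS = [
    Host("router", Stack(255, 4128, "MSS"), frozenset({23, 80}), hops=2),
    Host("home", Stack(128, 65535, "MSS,NOP,WS,NOP,NOP,SACK"),
         frozenset({80, 443}), hops=12),
    Host("yahoo", Stack(64, 65535, "MSS,SACK,TS,NOP,WS,NOP"),
         frozenset({80, 443}), hops=18),
]
PROBE_PORTS = (21, 22, 23, 25, 80, 443)


def tcp_probe(target: Host, port: int, proxy: Optional[Proxy]) -> Reply:
    """SYN to target:port. If the proxy handles that port, it answers itself."""
    if proxy and port in proxy.intercept_ports:
        s = proxy.stack
        return Reply("SYN-ACK", s.initial_ttl - proxy.hops, s.window, s.options)
    s = target.stack
    if port in target.open_tcp:
        return Reply("SYN-ACK", s.initial_ttl - target.hops, s.window, s.options)
    return Reply("RST", s.initial_ttl - target.hops)


def icmp_probe(target: Host) -> Reply:
    """ICMP echo is not proxied in this model, so it reaches the real host."""
    return Reply("ECHO-REPLY", target.stack.initial_ttl - target.hops)


def fingerprint(target: Host, ports, proxy: Optional[Proxy]) -> dict:
    """What the scanner records: open ports plus traits of the first SYN-ACK."""
    open_ports: List[int] = []
    traits: Optional[Tuple[int, int, str]] = None
    for p in ports:
        r = tcp_probe(target, p, proxy)
        if r.kind == "SYN-ACK":
            open_ports.append(p)
            if traits is None:
                traits = (r.ttl, r.window, r.options)
    return {"open": tuple(open_ports), "tcp": traits,
            "icmp_ttl": icmp_probe(target).ttl}


def scan_all(ports, proxy: Optional[Proxy]) -> Dict[str, dict]:
    return {h.name: fingerprint(h, ports, proxy) for h in TARGETS}


def hops_from_ttl(ttl: int) -> int:
    """Distance implied by an observed TTL, assuming a 64/128/255 initial."""
    initial = min(i for i in (64, 128, 255) if i >= ttl)
    return initial - ttl


def suspect_intermediary(results: Dict[str, dict]) -> List[str]:
    """Reasons to believe something in the path, not the target, answered TCP."""
    reasons: List[str] = []
    tcp_traits = {r["tcp"] for r in results.values() if r["tcp"]}
    if len(results) > 1 and len(tcp_traits) == 1:
        reasons.append("identical TCP fingerprint for every target")
    for name, r in results.items():
        if r["tcp"] and hops_from_ttl(r["tcp"][0]) != hops_from_ttl(r["icmp_ttl"]):
            reasons.append(f"{name}: TCP and ICMP replies imply different hop counts")
    return reasons


if __name__ == "__main__":
    for label, proxy in (("through firebox", FIREBOX), ("no proxy", None)):
        res = scan_all(PROBE_PORTS, proxy)
        print(label, {k: v["open"] for k, v in res.items()})
        print("  flags:", suspect_intermediary(res) or "none")
```

Run through the simulated Firebox, every target reports the proxied ports 21, 25, 80 and 443 as open with one and the same TTL/window/options triple, and the TCP TTL says "one hop away" while the ICMP TTL says 2, 12 or 18 hops; with the proxy removed the fingerprints differ per host and both checks stay quiet. On a real network the equivalent diagnostic is to compare Nmap results for several unrelated destinations and to compare the hop count implied by TCP replies with that of ICMP or traceroute.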


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kern, Tom
Sent: Tuesday, May 03, 2005 5:05 PM
To: Cisco (E-mail)
Cc: Cisco2 (E-mail)
Subject: [c-nsp] Nmap(way ot)

I was running nmap internally against my Cisco 1700 internet router.
I have a WatchGuard Firebox X1000 sitting between my network and the
internet and router.
Here's the weird part: every time I run nmap against the router, I get
the Firebox as the OS fingerprint and the ports open on the Firebox.
I get the same result running nmap against my home network or yahoo.com
or any host.

The Firebox will autoblock any IPs doing port scans externally against
your internal network but won't block anything going out, so I think this
is very strange.
I was wondering if anyone out there would have an idea as to what the
issue could be.
I know this is OT and I apologize. I'm just stumped.

Thanks a lot


