[c-nsp] Nmap(way ot)

nevot r.nevot at gmail.com
Wed May 4 17:07:54 EDT 2005


What do you mean when you say 'most cisco routers do proxy arp by
default'? In what cases do you mean?
Normally, it is not the default behaviour, afaik. Proxy ARP in your
watchguard catches the ARP query for the router IP, returning its MAC,
and all packets from nmap are in fact directed to the watchguard at
level 2 (ethernet).
When you do nmap to the outside, not to the router, the packets are
directed to the internal interface of the watchguard, because its MAC
is the one assigned in the internal LAN for the IP of the default gateway. As
these packets are not directed to this IP, the watchguard puts them on
the external interface directed to the real routers, packets are
routed as usual, and the responses are ok.
The nmap gives you the information of the watchguard because in fact
the watchguard responds to the MAC of the IP of the router.

I don't know the FB III model, so I can guess nothing about it.
Regards


2005/5/4, Kern, Tom <tkern at charmer.com>:
> That's just a generic explanation of proxy arp. It doesn't explain how the WG implementation would "break" nmap.
> If proxy arp was causing this then I couldn't use nmap behind a cisco router, which isn't the case.
> Just replying on a device's behalf with its own mac address shouldn't produce the effect of nmap thinking it was scanning the replying or proxy arping device.
> According to WG, it just forwards the packets on to the destination device without rewriting anything in the packet.
> Also, this never occurred with the FB III model which did proxy arp as well in drop in mode.
> i think there is something else going on.
> thanks for all your help
> 
> 
> nevot wrote:
> > then the router is not directly connected, and if the router is in the
> > same subnet (IP level) as the hosts, proxy arp is working, AFAIK,
> > http://www.watchguard.com/glossary/p.asp?s=print (look for proxy arp)
> >
> > sure you'll find more documentation in watchguard's website
> >
> > 2005/5/4, Kern, Tom <tkern at charmer.com>:
> >> internet router is connected via a crossover cable to the "external"
> >> int of the  watchguard. the "trusted" int of the wg is connected to
> >> a cisco cat 4500 switch. host i'm nmaping from is connected to the
> >> same switch.
> >>
> >> i'm not sure how proxy arp would affect this. most cisco routers do
> >> proxy arp by default which means i would be experiencing the same
> >> thing without a wg.
> >>
> >> thanks
> >>
> >>
> >> nevot wrote:
> >>> probably you are using your watchguard doing ARP proxy of your
> >>> router, that is, in the 'inside' part of your network, all ARP
> >>> requests for the IP of your router are answered by the watchguard,
> >>> and your router is in an 'outside' part. can you describe the
> >>> physical connections and the IPs on your network?
> >>>
> >>> 2005/5/4, Kern, Tom <tkern at charmer.com>:
> >>>> As you write, nmap works on a variety of ports and protocols so an
> >>>> http proxy would just see http headers and traffic not the
> >>>> smtp,ftp,ldap,etc ports nmap is working on, so I don't think that
> >>>> would be the case. And also, I probably should have said this first,
> >>>> the watchguard I'm running is NOT running an http proxy. It's only
> >>>> running an incoming smtp proxy rule.
> >>>> All the rest are stateful packet filters.
> >>>>
> >>>> Thanks
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>>
> >>>
> 
>
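
The situation described at the top of this message (the firewall answering ARP for the router's IP) appears on the scanning host as two IPs resolving to one MAC. The following is an added example, not code from the thread, that checks an `arp -an` dump for that pattern; the addresses, MACs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `arp -an` format (documentation IP and MAC ranges).
# Assumption: 192.0.2.1 is the router (default gateway), 192.0.2.2 the firewall.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:00:5e:00:53:0a [ether] on eth0
? (192.0.2.2) at 00:00:5e:00:53:0a [ether] on eth0
? (192.0.2.10) at 00:00:5e:00:53:21 [ether] on eth0
? (192.0.2.11) at <incomplete> on eth0
"""

ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b"
)

def normalize_mac(mac):
    """Lower-case and zero-pad each octet (BSD/macOS arp prints 0:0:5e:...)."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_arp(text):
    """Return {ip: mac} for resolved entries; <incomplete> lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def macs_answering_for_many(table):
    """Return {mac: [ips]} for every MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    ip_key = lambda ip: tuple(int(octet) for octet in ip.split("."))
    return {mac: sorted(ips, key=ip_key)
            for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_proxied_by(table, gateway_ip):
    """Other IPs sharing the gateway's MAC: candidates for the device that is
    answering ARP on its behalf (a multi-addressed host looks the same)."""
    mac = table.get(gateway_ip)
    if mac is None:
        return []
    return sorted(ip for ip, m in table.items() if m == mac and ip != gateway_ip)

if __name__ == "__main__":
    arp_table = parse_arp(SAMPLE_ARP)
    print(macs_answering_for_many(arp_table))
    print(gateway_proxied_by(arp_table, "192.0.2.1"))
```
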


