Hi Gary,

From my experience, testing from an internal network client won't give you meaningful results. Run NMAP on an external network client and run it against the external interface of the ISA Server to get useful results.

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Gary Anderson [mailto:gary.anderson@xxxxxxxxxx]
Sent: Saturday, December 22, 2001 3:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: NMAP Scanning

http://www.ISAserver.org

Hi Jim,

I saw the hotfix and I did "read the book" on the IP Packet Filter being applied to the external interface. I suspect that the problem is what you said. As I recall, the IP log showed nothing. It did show a lot of blocked packets coming from the outside; nothing from the inside. When the Protocol Rules were "Denied", the FW log recorded the blocked transmission.

Gary

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday, December 22, 2001 19:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: NMAP Scanning

http://www.ISAserver.org

Testing ISA internal interface blocking is not completely useful. ISA will not filter traffic on the internal interface without a particular hotfix (51) and adding the appropriate registry entries. The question you should ask is whether or not ISA actually passed the traffic to the external IP. What's in the IP and FW logs for that scan?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Gary Anderson" <gary.anderson@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 22, 2001 10:26
Subject: [isalist] NMAP Scanning

http://www.ISAserver.org

Has anyone ever run NMAP from inside of an ISA Server network? By this I mean you have an address in the LAT, you are a SecureNAT client and you are scanning a machine on the Internet with a public address.

I have done it with the parameters -g53 -sA -T Aggressive -P0. This means Source Port 53 (DNS), TCP ACK, 5 minute scan, no ping. This type of scan should detect unfiltered ports on an intermediate firewall. I'm getting back a whole bunch of unfiltered ports like 110 (POP3). I could understand that if it wasn't for a small thing: I have all Protocol Rules at "Deny". Moreover, when I do a telnet to port 110 on the external machine, the connection is blocked (as I would expect). If I "Allow" the Protocol Rules, I get the same results from the NMAP but I can telnet to port 110 on the external.

Why is ISA reporting ports as "unfiltered" in NMAP when they are "filtered" by protocol rules? The internal versus external interfaces, perhaps? Does anyone have any ideas why these ports would be showing up?

Thanks,
Gary Anderson

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
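The thread turns on what an nmap ACK scan (-sA) can and cannot tell you through an intermediate firewall: "unfiltered" only means a RST came back from somewhere on the path, which is why Jim asks what the ISA logs say. The following Python is an added example, not code from the thread or from ISA Server; the firewall log is a constructed stand-in (a simple port -> "allowed"/"blocked" mapping) rather than the real ISA IP or FW log format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Probe:
    """One TCP ACK probe and the reply the scanner observed for it."""
    port: int
    reply: Optional[str]  # "RST", "ICMP_UNREACH" or None (no answer at all)


def ack_scan_state(reply: Optional[str]) -> str:
    """Port state an ACK scan reports for a single probe.

    A RST from *anywhere* on the path yields "unfiltered"; silence or an
    ICMP unreachable yields "filtered". The scanner cannot tell which host
    sent the RST, which is the source of the confusion in the thread."""
    return "unfiltered" if reply == "RST" else "filtered"


def corroborate(probes: List[Probe], fw_log: Dict[int, str]) -> Dict[int, str]:
    """Cross-check each scan verdict against the firewall's own record.

    fw_log maps port -> "allowed" | "blocked" (what the firewall says it did
    with the outbound probe; constructed stand-in for the ISA IP/FW logs)."""
    verdicts: Dict[int, str] = {}
    for p in probes:
        state = ack_scan_state(p.reply)
        logged = fw_log.get(p.port, "not logged")
        if state == "unfiltered" and logged == "blocked":
            # The rule set dropped the probe, so the RST cannot have come
            # from the target: the "unfiltered" result says nothing about
            # what an outside host could reach.
            verdicts[p.port] = "suspect: RST did not come from the target"
        elif state == "unfiltered" and logged == "allowed":
            verdicts[p.port] = "consistent: probe passed and target answered"
        elif state == "filtered" and logged == "blocked":
            verdicts[p.port] = "consistent: rule set dropped the probe"
        else:
            verdicts[p.port] = "inconclusive: re-test from an external client"
    return verdicts


# Constructed sample modelled on the thread: Protocol Rules set to Deny,
# yet 110/tcp shows up as "unfiltered" in the scan output.
SAMPLE_PROBES = [Probe(110, "RST"), Probe(25, None), Probe(80, "RST")]
SAMPLE_FW_LOG = {110: "blocked", 25: "blocked"}

if __name__ == "__main__":
    for port, verdict in sorted(corroborate(SAMPLE_PROBES, SAMPLE_FW_LOG).items()):
        print(f"{port}/tcp: {verdict}")
```

A port that lands in the "suspect" bucket is exactly the case Tom describes: the only meaningful check is a scan from an external client against the external interface.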