I'm running nmap traversing the ASA. With this service-policy, nmap shows all ports open:
++++++++++++++++++++++++++++++++++++++
policy-map global_policy
 class class-default
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global
++++++++++++++++++++++++++++++++++++++

My setup:

Nmap---Outside---ASA---Inside---R4

Without the "set connection" option, I get the expected behavior:

++++++++++++++++++++++++++++++++++++++
amsoares@server2:~$ nmap 4.4.4.4

Starting Nmap 5.00 ( http://nmap.org ) at 2011-05-19 19:47 CEST
Interesting ports on 4.4.4.4:
Not shown: 999 closed ports
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 21.22 seconds
amsoares@server2:~$
++++++++++++++++++++++++++++++++++++++

Now with that "set connection" option, I get all ports open, no matter if the destination IP is up or down. Is this an ASA problem?

I understand that I'm killing the port scanning with the "set connection" option, but I would expect to get all ports closed and not open. For some reason, the ASA sends back the SYN/ACK even if the destination IP is down.

The ASA is running 8.2.1.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net
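An added illustration, not part of the original post and not Cisco code: a toy Python model of a per-client embryonic (half-open) connection limit where the firewall, once a client's half-open count reaches the limit, answers further SYNs itself with a SYN cookie instead of forwarding them, which is what TCP intercept does. The topology, client address and port list are constructed, and the model covers only the down-host case from the post (forwarded SYNs get no reply and stay half-open), so a half-open scan that retransmits unanswered probes reads "open" for every port probed after the limit trips.

```python
# Toy model of a firewall enforcing a per-client limit on half-open TCP
# connections. Once the limit is reached it proxies the handshake itself
# (SYN cookie) rather than forwarding the SYN. Constructed illustration only.

def build_model(per_client_embryonic_max, live_hosts):
    """live_hosts maps IP -> set of listening ports; IPs absent are down.
    A limit of None disables interception (no 'set connection')."""
    return {"max": per_client_embryonic_max, "hosts": live_hosts, "half_open": {}}

def handle_syn(fw, client, dst_ip, dst_port):
    """Reply the client sees for one SYN: 'SYN/ACK', 'RST' or None (silence)."""
    half_open = fw["half_open"].get(client, 0)
    if fw["max"] is not None and half_open >= fw["max"]:
        # Limit hit: firewall answers on the server's behalf without
        # contacting it, so even a down host appears to respond.
        return "SYN/ACK"
    ports = fw["hosts"].get(dst_ip)
    if ports is None:
        # Host down: SYN forwarded, nothing returns, attempt stays embryonic.
        fw["half_open"][client] = half_open + 1
        return None
    if dst_port in ports:
        fw["half_open"][client] = half_open + 1  # half-open until client ACKs
        return "SYN/ACK"
    return "RST"  # closed port: the server's RST ends the attempt at once

def syn_scan(fw, client, target, ports, retries=1):
    """Classify ports as a half-open scan does, retransmitting unanswered probes."""
    state = {}
    for port in ports:
        reply = handle_syn(fw, client, target, port)
        for _ in range(retries):
            if reply is not None:
                break
            reply = handle_syn(fw, client, target, port)  # retransmit
        state[port] = {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]
    return state

def demo():
    """Scan a down host (4.4.4.4, constructed) without and with a limit of 3."""
    ports = [21, 22, 23, 25, 80]
    no_limit = syn_scan(build_model(None, {}), "203.0.113.9", "4.4.4.4", ports)
    limited = syn_scan(build_model(3, {}), "203.0.113.9", "4.4.4.4", ports)
    return no_limit, limited

if __name__ == "__main__":
    print(demo())
```

Once the client's third probe goes unanswered, every later probe is answered by the firewall, which is why scan results taken through such a device say nothing about the host behind it.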