Can anyone tell me what is the best way (site, software) to scan my PIX firewall's open ports?
Note that my network is a very big network and we have many PIX firewalls in different locations. I tried to do a port scan through some web sites and the results were positive, but the security auditor said that I have many open ports! So how can I do a real deep scan, and what range of ports do I have to apply?
If you were trying grc.com, then you would likely find it... of interest... to read grcsucks.com
I suggest you start with nmap.
If you are starting the nmap scans from within your own network, targeting a different part of your network, then you will encounter the issue that you probably have legitimate tunnels and exemptions in place between your subnetworks, and so your scan would not be a good reflection on what an outsider would see.
If you have that large of a network, it might be worth bringing in another connection (e.g., ADSL or cable) that is completely "outside" your regular network, and do the scan from there. Be sure, though, to tell the ISP of your intentions: you don't want them turfing your account because they think you are attacking people. Also, when you are making the arrangements, you need to check what ports the ISP itself blocks: you do not want to be surprised by your scanner telling you a port is closed only to find out later that it is wide open and that it is your ISP that is blocking the port instead of your network firewalls.
For preliminary experiments with nmap, you might be able to start from your home ISP connection.
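An added example, not part of the original posts: one way to read the results of an outside scan while accounting for the ISP-blocking caveat raised above. It parses nmap's grepable output (`-oG`) and marks any non-open port that the scanning ISP blocks as inconclusive rather than closed. The sample scan output, the 192.0.2.x addresses and the ISP block list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG` output for two firewall outside addresses
# (192.0.2.0/24 is a documentation range, not a real target).
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 23/open/tcp//telnet///, 135/closed/tcp//msrpc///, 3389/filtered/tcp//ms-wbt-server///
"""

# Assumption: ports the scanning ISP says it blocks; ask your ISP for the real list.
ISP_BLOCKED = {25, 135, 139, 445}

# Matches the "Ports:" lines; "Status:" lines and comments are skipped.
HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: ([^\t]*)")

def classify(grepable, isp_blocked=ISP_BLOCKED):
    """Return {host: {"open": [...], "inconclusive": [...], "not_open": [...]}}."""
    report = defaultdict(lambda: {"open": [], "inconclusive": [], "not_open": []})
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state = int(fields[0]), fields[1]
            if state == "open":
                bucket = "open"            # reached through ISP and firewall
            elif port in isp_blocked:
                bucket = "inconclusive"    # the ISP may be what stopped the probe
            else:
                bucket = "not_open"        # closed or filtered at your edge
            report[host][bucket].append(port)
    return dict(report)

if __name__ == "__main__":
    for host, result in classify(SAMPLE_GREPABLE).items():
        print(host, result)
```

Ports reported as inconclusive need a retest from a connection whose provider does not block them before they can be called closed.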
Connect a PC to the outside interface of my firewall directly and try to attack (scan) my inside interface (or network) and see what ports are opened? Because as I know there is some software like Nessus that can do that, but I'm not sure if it works or not and how to achieve that!
My idea is to depend on software rather than on a web site test, so I want to install some kind of client/server software (like Nessus), then put the client on one interface and the server on the other interface, then try to hit from outside to inside.
The problem is that the client/server Nessus has only a Unix version and no Windows version. We just use Windows!