Security Basics mailing list archives

nmap usage


From: "dissolved" <dissolved () comcast net>
Date: Fri, 1 Jul 2005 18:15:34 -0400

How could you nmap a public IP to determine the internal infrastructure?
Would we accomplish this with source port scanning?

Is this (source port scanning) meant to be used only with a ping sweep
switch? I guess I don't understand when you would use this for just a single
port?

Would this be a valid example?
nmap -sP -g20 external_ip range
Here we send a source port of tcp 20 along with the ping switch. This will
get through a non-stateful firewall? If it does get through, will it ping
the entire internal subnet? Is this the purpose behind source port scanning?
To enumerate the internal LAN?

Thanks

-----Original Message-----
From: dissolved [mailto:dissolved () comcast net] 
Sent: Wednesday, June 29, 2005 8:48 PM
To: security-basics () securityfocus com
Subject: Strange response from PIX

Hi all,

From the DMZ (1.0), I ran an nmap scan (-sA switch) towards the subnet my
PIX protects (192.168.2.0 /24).  I ran a sniffer while doing this, and
noticed the PIX responded with an IP of 10.89.112.1. I don't have a class
A scheme. Why is this 10.88.112.1 address showing up from the PIX?


05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none],
proto: ICMP (1), length: 56) 10.89.112.1 > 192.168.1.5: ICMP host
192.168.2.1 unreachable - admin prohibited filter, length 36

thanks

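As an added example that is not part of the thread, a short Python triage pass over tcpdump output from the defender's side: it flags a sweep that keeps reusing one "trusted" source port such as 20 against many internal hosts (the -g20 pattern asked about above), and it reads ICMP "admin prohibited" replies, whose source address is the filtering device's own interface rather than the host that was probed. The TCP lines in the sample are constructed; the ICMP line is the one quoted from the PIX capture.

```python
import re
from collections import defaultdict

# tcpdump TCP line: "IP [verbose fields] src.sport > dst.dport: Flags ..."
TCP_RE = re.compile(
    r"IP (?:\(.*?\) )?(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags"
)
# tcpdump ICMP type 3 / code 13 line; group 1 is the device that refused the packet
ADMIN_PROHIB_RE = re.compile(
    r"IP (?:\(.*?\) )?(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP host "
    r"(\d+\.\d+\.\d+\.\d+) unreachable - admin prohibited filter"
)

# Constructed sample: four SYNs from one host, all with source port 20, against
# consecutive internal addresses; one ordinary client connection; and the
# admin-prohibited reply quoted in the thread (joined onto a single line).
SAMPLE = """\
05:10:01.000100 IP 203.0.113.7.20 > 192.168.2.1.80: Flags [S], seq 1, length 0
05:10:01.000200 IP 203.0.113.7.20 > 192.168.2.2.80: Flags [S], seq 1, length 0
05:10:01.000300 IP 203.0.113.7.20 > 192.168.2.3.80: Flags [S], seq 1, length 0
05:10:01.000400 IP 203.0.113.7.20 > 192.168.2.4.80: Flags [S], seq 1, length 0
05:10:02.000100 IP 198.51.100.9.51234 > 192.168.2.1.443: Flags [S], seq 7, length 0
05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none], proto: ICMP (1), length: 56) 10.89.112.1 > 192.168.1.5: ICMP host 192.168.2.1 unreachable - admin prohibited filter, length 36
"""

def source_port_sweeps(text, trusted_ports=(20, 53), min_hosts=3):
    """Map (src, sport) -> sorted destination hosts for sources that reach
    at least min_hosts distinct hosts while reusing a single trusted port."""
    hosts = defaultdict(set)
    for m in TCP_RE.finditer(text):
        src, sport, dst, _dport = m.groups()
        if int(sport) in trusted_ports:
            hosts[(src, int(sport))].add(dst)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

def filtering_devices(text):
    """Map filtering-device address -> sorted hosts it refused, taken from
    ICMP admin-prohibited replies (the sender is the filter, not the target)."""
    refused = defaultdict(set)
    for m in ADMIN_PROHIB_RE.finditer(text):
        device, _to, blocked = m.groups()
        refused[device].add(blocked)
    return {k: sorted(v) for k, v in refused.items()}

if __name__ == "__main__":
    for (src, sport), hosts in source_port_sweeps(SAMPLE).items():
        print(f"possible source-port sweep: {src} sport {sport} -> {len(hosts)} hosts")
    for dev, blocked in filtering_devices(SAMPLE).items():
        print(f"filter at {dev} refused: {', '.join(blocked)}")
```

Run against a real capture, the same two functions separate a fixed-source-port sweep from ordinary ephemeral-port clients and tell you which interface address your firewall answers from.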
