Security Basics mailing list archives
RE: Open Ports on Cisco Router
From: <adisegna () siscocorp com>
Date: Mon, 28 Mar 2005 14:26:09 -0500
What kind of traffic do you want to allow through this interface? It's a better practice to block everything and open up holes as you need them. Unless, of course, this is a perimeter router (at the edge of your network) which is in front of an application level firewall.

access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip host 127.0.0.1 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny tcp any any eq telnet log
access-list 100 deny icmp any host public.ip.address.of.external.interface
access-list 100 deny icmp any host public.ip.firewall.interface
access-list 100 deny tcp any any eq 135 log
access-list 100 deny tcp any any eq 139 log
access-list 100 deny tcp any any eq 137 log
access-list 100 deny udp any any eq netbios-ns log
access-list 100 deny udp any any eq netbios-dgm log
access-list 100 deny tcp any any eq 445 log
access-list 100 deny tcp any any eq 0 log
access-list 100 permit ip any any log

AD
Information Technology Group
Security Identification Systems Corporation

-----Original Message-----
From: bob bob [mailto:bb88011 () yahoo com]
Sent: Friday, March 25, 2005 1:34 PM
To: security-basics () securityfocus com
Subject: Open Ports on Cisco Router

I have a Cisco 1720 router that showed telnet open after a recent audit. I closed down telnet by applying an acl to the vty lines and then nmap'ed from the outside to verify. Telnet is indeed closed, but other ports appeared open now! What's more, different ports appear open when scanning at different times. It showed tcp ports 21, 25 and 80 open at one time, but in another scan showed 143 in addition to the above. Late in the evening, it showed none of the above open, but a range of ports starting around 8000. No UDP ports show open.

I ran nmap with the following command:

nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D

Here is a portion of the router config:

version 12.3
. . .
ip subnet-zero
no ip source-route
. . .
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 speed auto
 half-duplex
!
interface Serial0
 ip address A.B.C.D 255.255.255.252
 ip access-group filter_outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no nat outside
 no fair-queue
 no cdp enable
!
ip nat inside source list 10 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
. . .
ip access-list extended filter_outside_in
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip host 0.0.0.0 any
 deny icmp any timestamp-request
 deny icmp any redirect
 deny icmp any mask-request
 deny icmp any traceroute
 deny icmp any echo
 permit ip any any
access-list 10 permit 10.0.0.0 0.0.0.255
----------------------------------------

So, the router is NAT'ing, and, btw, it also has a firewall behind it. The ports that show up in the scans of the router match up very well with the ports used regularly at this location, so I thought it might have something to do with NAT dynamically opening ports. However, it still seems very strange to me and I wanted to know if anyone else has seen this behavior and what explains it.

TIA!
Bob
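As an added illustration (not code from either message), a small Python evaluator for the quoted filter_outside_in ACL using Cisco wildcard-mask semantics; it shows which probes that ACL lets reach Serial0, for example that a TCP probe from any public source falls through to "permit ip any any", so the ACL itself neither hides nor reveals ports. The entry list is a hand-reduced copy that keeps only source fields (every destination in the ACL is "any"), and ICMP entries are matched by type name.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed, hand-reduced copy of the quoted filter_outside_in ACL: every entry's
# destination is "any", so only (action, protocol, source net, source wildcard,
# icmp type) is kept. Cisco wildcard semantics: 0 bit = must match, 1 bit = don't care.
ANY = ("0.0.0.0", "255.255.255.255")
FILTER_OUTSIDE_IN: List[Tuple[str, str, str, str, Optional[str]]] = [
    ("deny",   "ip",   "10.0.0.0",   "0.255.255.255",  None),
    ("deny",   "ip",   "127.0.0.0",  "0.255.255.255",  None),
    ("deny",   "ip",   "172.16.0.0", "0.15.255.255",   None),
    ("deny",   "ip",   "224.0.0.0",  "15.255.255.255", None),
    ("deny",   "ip",   "0.0.0.0",    "0.0.0.0",        None),   # "host 0.0.0.0"
    ("deny",   "icmp", *ANY, "timestamp-request"),
    ("deny",   "icmp", *ANY, "redirect"),
    ("deny",   "icmp", *ANY, "mask-request"),
    ("deny",   "icmp", *ANY, "traceroute"),
    ("deny",   "icmp", *ANY, "echo"),
    ("permit", "ip",   *ANY, None),
]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is inside network under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                 # bits the ACL insists on
    return (a ^ n) & care == 0

def evaluate(acl, src: str, proto: str, icmp_type: Optional[str] = None):
    """First-match lookup: returns (action, entry index); ("deny", None) is the
    implicit deny that IOS appends to every ACL."""
    for i, (action, p, net, wc, itype) in enumerate(acl):
        if p != "ip" and p != proto:       # "ip" entries match every protocol
            continue
        if itype is not None and itype != icmp_type:
            continue
        if wildcard_match(src, net, wc):
            return action, i
    return "deny", None

if __name__ == "__main__":
    # A TCP probe from a public source (203.0.113.0/24 is documentation space)
    # reaches "permit ip any any"; a spoofed 172.16/12 source hits entry 2;
    # an ICMP echo is dropped by entry 9.
    print(evaluate(FILTER_OUTSIDE_IN, "203.0.113.5", "tcp"))           # ('permit', 10)
    print(evaluate(FILTER_OUTSIDE_IN, "172.31.9.9", "tcp"))            # ('deny', 2)
    print(evaluate(FILTER_OUTSIDE_IN, "203.0.113.5", "icmp", "echo"))  # ('deny', 9)
```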