Security Basics: RE: Open Ports on Cisco Router

RE: Open Ports on Cisco Router

From: bob bob <bb88011_at_yahoo.com>
Date: Mon, 28 Mar 2005 12:23:21 -0800 (PST)

It's a border router with a Fortigate firewall behind
it. That's why I didn't want to write a real firewall
type of ruleset for it. It's only a 1720, so I don't
want the overhead of reflexive ACLs and I don't think
I really need it since I have a good firewall behind
the router. Thanks!

Bob

--- adisegna_at_siscocorp.com wrote:
> What kind of traffic do you want to allow through this interface? It's a
> better practice to block everything and open up holes as you need them.
> Unless, of course, this is a perimeter router (at the edge of your
> network) which is in front of an application level firewall.
>
> access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
> access-list 100 deny ip host 127.0.0.1 any log
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
> access-list 100 deny tcp any any eq telnet log
> access-list 100 deny icmp any host public.ip.address.of.external.interface
> access-list 100 deny icmp any host public.ip.firewall.interface
> access-list 100 deny tcp any any eq 135 log
> access-list 100 deny tcp any any eq 139 log
> access-list 100 deny tcp any any eq 137 log
> access-list 100 deny udp any any eq netbios-ns log
> access-list 100 deny udp any any eq netbios-dgm log
> access-list 100 deny tcp any any eq 445 log
> access-list 100 deny tcp any any eq 0 log
> access-list 100 permit ip any any log
>
> AD
> Information Technology Group
> Security Identification Systems Corporation
>
>
> -----Original Message-----
> From: bob bob [mailto:bb88011_at_yahoo.com]
> Sent: Friday, March 25, 2005 1:34 PM
> To: security-basics_at_securityfocus.com
> Subject: Open Ports on Cisco Router
>
> I have a Cisco 1720 router that showed telnet open after a recent audit.
> I closed down telnet by applying an acl to the vty lines and then nmap'ed
> from the outside to verify. Telnet is indeed closed, but other ports
> appeared open now! What's more, different ports appear open when scanning
> at different times. It showed tcp ports 21, 25 and 80 open at one time,
> but in another scan showed 143 in addition to the above. Late in the
> evening, it showed none of the above open, but a range of ports starting
> around 8000. No UDP ports show open.
>
> I ran nmap with the following command:
>
> nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
>
> Here is a portion of the router config:
>
> version 12.3
>
> . . .
> ip subnet-zero
> no ip source-route
>
> . . .
> interface FastEthernet0
> ip address 10.0.0.1 255.255.255.0
> ip nat outside
> speed auto
> half-duplex
> !
> interface Serial0
> ip address A.B.C.D 255.255.255.252
> ip access-group filter_outside_in in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> no nat outside
> no fair-queue
> no cdp enable
> !
> ip nat inside source list 10 interface Serial0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0
> no ip http server
>
> . . .
>
> ip access-list extended filter_outside_in
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 224.0.0.0 15.255.255.255 any
> deny ip host 0.0.0.0 any
> deny icmp any timestamp-request
> deny icmp any redirect
> deny icmp any mask-request
> deny icmp any traceroute
> deny icmp any echo
> permit ip any any
> access-list 10 permit 10.0.0.0 0.0.0.255
> ----------------------------------------
>
> So, the router is NAT'ing, and, btw, it also has a firewall behind it.
> The ports that show up in the scans of the router match up very well with
> the ports used regularly at this location, so I thought it might have
> something to do with NAT dynamically opening ports. However, it still
> seems very strange to me and I wanted to know if anyone else has seen
> this behavior and what explains it. TIA!
>
> Bob
>

__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
Received on Mar 29 2005
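A small access-list evaluator, added here as an illustration (not code from the thread or from Cisco): it applies the first-match and wildcard-mask rules of IOS access lists to constructed subsets of the two ACLs quoted above (ICMP entries and `log` keywords left out, `eq telnet` written as 23), and shows that the reply's `172.16.0.0 0.0.255.255` entry covers only 172.16.0.0/16 while the router's `0.15.255.255` entry covers all of 172.16.0.0/12.

```python
import ipaddress
# Constructed subsets of the two ACLs quoted in the thread (ICMP entries
# and 'log' keywords left out; 'eq telnet' written as 23).
REPLY_ACL = """
deny ip 172.16.0.0 0.0.255.255 any
deny ip host 127.0.0.1 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny tcp any any eq 23
permit ip any any
"""
ROUTER_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit ip any any
"""
def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'; compare the rest."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0
def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'base wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return (lambda _: True), i + 1
    if tokens[i] == "host":
        return (lambda a, h=tokens[i + 1]: a == h), i + 2
    base, wc = tokens[i], tokens[i + 1]
    return (lambda a: wildcard_match(a, base, wc)), i + 2
def parse_acl(text):
    """Yield (action, proto, src_matcher, dst_matcher, dst_port_or_None)."""
    for line in text.strip().splitlines():
        t = line.split()
        src, i = parse_addr(t, 2)
        dst, i = parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        yield t[0], t[1], src, dst, port
def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First matching entry wins; no match means the IOS implicit deny."""
    for action, p, s, d, port in parse_acl(acl):
        if p not in ("ip", proto) or not (s(src) and d(dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

With these inputs a packet from 172.31.0.5 is permitted by the reply's list but denied by the router's, and TCP port 23 is dropped by the reply's list while the router's interface ACL leaves it to the vty ACL.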
