Security Basics mailing list archives
Open Ports on Cisco Router
From: bob bob <bb88011 () yahoo com>
Date: Fri, 25 Mar 2005 10:33:56 -0800 (PST)
I have a Cisco 1720 router that showed telnet open
after a recent audit. I closed down telnet by
applying an acl to the vty lines and then nmap'ed from
the outside to verify. Telnet is indeed closed, but
other ports appeared open now! What's more, different
ports appear open when scanning at different times.
It showed tcp ports 21, 25 and 80 open at one time,
but in another scan showed 143 in addition to the
above. Late in the evening, it showed none of the
above open, but a range of ports starting around 8000.
No UDP ports show open.
I ran nmap with the following command:
nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
Here is a portion of the router config:
version 12.3
. . .
ip subnet-zero
no ip source-route
. . .
interface FastEthernet0
ip address 10.0.0.1 255.255.255.0
ip nat outside
speed auto
half-duplex
!
interface Serial0
ip address A.B.C.D 255.255.255.252
ip access-group filter_outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
no nat outside
no fair-queue
no cdp enable
!
ip nat inside source list 10 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
. . .
ip access-list extended filter_outside_in
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any timestamp-request
deny icmp any any redirect
deny icmp any any mask-request
deny icmp any any traceroute
deny icmp any any echo
permit ip any any
access-list 10 permit 10.0.0.0 0.0.0.255
----------------------------------------
So, the router is NAT'ing, and, btw, it also has a
firewall behind it. The ports that show up in the
scans of the router match up very well with the ports
used regularly at this location, so I thought it might
have something to do with NAT dynamically opening
ports. However, it still seems very strange to me and
I wanted to know if anyone else has seen this behavior
and what explains it. TIA!
Bob
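As an added example (not part of Bob's post or any reply in the thread), a small Python check for exactly this situation: it diffs several nmap runs to separate ports that are open in every run (a listener on the router itself) from ports that come and go, and cross-references the ports of one run against a `show ip nat translations` capture taken at the same time, since a port listed there as an inside-global port is held by an inside host's outbound connection rather than by a service on the router. The scan output and NAT table below are constructed samples; A.B.C.D is the post's own placeholder.

```python
import re
from collections import Counter

# Constructed sample: three nmap runs (normal output form) against the
# router's outside address, mirroring the post: 21/25/80, then 143 as
# well, then only a range around 8000.
SCANS = [
    """21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http""",
    """21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap""",
    """8001/tcp open  unknown
8002/tcp open  unknown""",
]

# Constructed sample of `show ip nat translations` captured alongside scan 3.
NAT_TABLE = """Pro Inside global      Inside local       Outside local      Outside global
tcp A.B.C.D:8001       10.0.0.23:1044     198.51.100.7:80    198.51.100.7:80
tcp A.B.C.D:8002       10.0.0.41:1105     203.0.113.9:443    203.0.113.9:443
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.M)
# protocol, inside-global port, inside-local host:port
NAT_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+:\d+)", re.M)

def open_ports(scan):
    """TCP ports nmap reported as open in one run."""
    return {int(m.group(1)) for m in PORT_RE.finditer(scan) if m.group(2) == "tcp"}

def classify(scans):
    """Ports open in every run are likely real listeners on the router;
    ports seen only sometimes are candidates for NAT/PAT translations."""
    sets = [open_ports(s) for s in scans]
    seen = Counter(p for s in sets for p in s)
    persistent = {p for p, n in seen.items() if n == len(sets)}
    transient = set(seen) - persistent
    return persistent, transient

def nat_inside_global_ports(table):
    """Map inside-global port -> inside-local host:port from the NAT table."""
    return {int(m.group(2)): m.group(3) for m in NAT_RE.finditer(table)}

def explain(scan, table):
    """For each open port in `scan`, the inside host holding that
    translation, or None if no translation accounts for it."""
    nat = nat_inside_global_ports(table)
    return {p: nat.get(p) for p in open_ports(scan)}
```

A port that is open in every run and has no NAT entry is the one worth investigating as a service on the router itself.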