RE: Open Ports on Cisco Router

[bob bob <bb88011 () yahoo com>]

It's a border router with a Fortigate firewall behind
it.  That's why I didn't want to write a real firewall
type of ruleset for it.  It's only a 1720, so I don't
want the overhead of reflexive ACLs and I don't think
I really need it since I have a good firewall behind
the router.  Thanks!

Bob

--- adisegna () siscocorp com wrote:
> What kind of traffic do you want to allow through
> this interface? It's a
> better practice to block everything and open up
> holes as you need them.
> Unless, of course this is a perimeter router (at the
> edge of your
> network) which is in front of an application level
> firewall.
>
> access-list 100 deny   ip 172.16.0.0 0.0.255.255 any
> log
> access-list 100 deny   ip host 127.0.0.1 any log
> access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
> log
> access-list 100 deny   ip 192.168.0.0 0.0.255.255
> any log
> access-list 100 deny   tcp any any eq telnet log
> access-list 100 deny   icmp any host
> public.ip.address.of.external.interface
> access-list 100 deny   icmp any host
> public.ip.firewall.interface
> access-list 100 deny   tcp any any eq 135 log
> access-list 100 deny   tcp any any eq 139 log
> access-list 100 deny   tcp any any eq 137 log
> access-list 100 deny   udp any any eq netbios-ns log
> access-list 100 deny   udp any any eq netbios-dgm
> log
> access-list 100 deny   tcp any any eq 445 log
> access-list 100 deny   tcp any any eq 0 log
> access-list 100 permit ip any any log
>
>
>       
>   
>
> AD
> Information Technology Group
> Security Identification Systems Corporation
>  
>
> -----Original Message-----
> From: bob bob [mailto:bb88011 () yahoo com] 
> Sent: Friday, March 25, 2005 1:34 PM
> To: security-basics () securityfocus com
> Subject: Open Ports on Cisco Router
>
> I have a Cisco 1720 router that showed telnet open
> after a recent audit.  I closed down telnet by
> applying an acl to the vty lines and then nmap'ed
> from
> the outside to verify.  Telnet is indeed closed, but
> other ports appeared open now!  What's more,
> different
> ports appear open when scanning at different times. 
> It showed tcp ports 21, 25 and 80 open at one time,
> but in another scan showed 143 in addition to the
> above. Late in the evening, it showed none of the
> above open, but a range of ports starting around
> 8000.
>  No UDP ports show open.  
>
> I ran nmap with the following command:
>
> nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
>
> Here is a portion of the router config:
>
> version 12.3
>
> . . .
> ip subnet-zero
> no ip source-route
>
> . . .
> interface FastEthernet0
>   ip address 10.0.0.1 255.255.255.0
>   ip nat outside
>   speed auto
>   half-duplex
> !
> interface Serial0
>   ip address A.B.C.D 255.255.255.252
>   ip access-group filter_outside_in in
>   no ip redirects
>   no ip unreachables
>   no ip proxy-arp
>   no nat outside
>   no fair-queue
>   no cdp enable
> !
> ip nat inside source list 10 interface Serial0
> overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0
> no ip http server
>
> . . .
>
> ip access-list extended filter_outside_in
>   deny ip 10.0.0.0 0.255.255.255 any
>   deny ip 127.0.0.0 0.255.255.255 any
>   deny ip 172.16.0.0 0.15.255.255 any
>   deny ip 224.0.0.0 15.255.255.255 any
>   deny ip host 0.0.0.0 any
>   deny icmp any timestamp-request
>   deny icmp any redirect
>   deny icmp any mask-request
>   deny icmp any traceroute
>   deny icmp any echo
>   permit ip any any
> access-list 10 permit 10.0.0.0 0.0.0.255
> ----------------------------------------
>
> So, the router is NAT'ing, and, btw, it also has a
> firewall behind it.  The ports that show up in the
> scans of the router match up very well with the
> ports
> used regularly at this location, so I thought it
> might
> have something to do with NAT dynamically openning
> ports.  However, it still seems very strange to me
> and
> I wanted to know if anyone else has seen this
> behavior
> and what explains it.  TIA!
>
> Bob
>
>
>
>               
> __________________________________ 
> Do you Yahoo!? 
> Yahoo! Small Business - Try our new resources site!
> http://smallbusiness.yahoo.com/resources/ 


                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/