Open Ports on Cisco Router

From: bob bob (bb88011_at_yahoo.com)
Date: 03/25/05

  • Next message: shankarnarayan.d_at_netsol.co.in: "Security on CDMA for Banking Applications"
    Date: Fri, 25 Mar 2005 10:33:56 -0800 (PST)
    To: security-basics@securityfocus.com
    
    

    I have a Cisco 1720 router that showed telnet open
    after a recent audit. I closed down telnet by
    applying an acl to the vty lines and then nmap'ed from
    the outside to verify. Telnet is indeed closed, but
    other ports appeared open now! What's more, different
    ports appear open when scanning at different times.
    It showed tcp ports 21, 25 and 80 open at one time,
    but in another scan showed 143 in addition to the
    above. Late in the evening, it showed none of the
    above open, but a range of ports starting around 8000.
    No UDP ports show open.

    I ran nmap with the following command:

    nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D

    Here is a portion of the router config:

    version 12.3

    . . .
    ip subnet-zero
    no ip source-route

    . . .
    interface FastEthernet0
      ip address 10.0.0.1 255.255.255.0
      ip nat outside
      speed auto
      half-duplex
    !
    interface Serial0
      ip address A.B.C.D 255.255.255.252
      ip access-group filter_outside_in in
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      no nat outside
      no fair-queue
      no cdp enable
    !
    ip nat inside source list 10 interface Serial0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    no ip http server

    . . .

    ip access-list extended filter_outside_in
      deny ip 10.0.0.0 0.255.255.255 any
      deny ip 127.0.0.0 0.255.255.255 any
      deny ip 172.16.0.0 0.15.255.255 any
      deny ip 224.0.0.0 15.255.255.255 any
      deny ip host 0.0.0.0 any
      deny icmp any timestamp-request
      deny icmp any redirect
      deny icmp any mask-request
      deny icmp any traceroute
      deny icmp any echo
      permit ip any any
    access-list 10 permit 10.0.0.0 0.0.0.255
    ----------------------------------------

    So, the router is NAT'ing, and, btw, it also has a
    firewall behind it. The ports that show up in the
    scans of the router match up very well with the ports
    used regularly at this location, so I thought it might
    have something to do with NAT dynamically opening
    ports. However, it still seems very strange to me and
    I wanted to know if anyone else has seen this behavior
    and what explains it. TIA!

    Bob

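As an added example (not from the post, and not Cisco code): a small Python model of Cisco first-match ACL evaluation with wildcard masks, loaded with filter_outside_in exactly as quoted above, so a reader can check which outside probes the interface ACL lets reach the router at all and which the vty access-class has to handle. It assumes every entry applies to any destination, since the post omits that field on the icmp lines, and all probe addresses are constructed.

```python
import ipaddress

# Entries of the interface ACL from the post as (action, protocol, source base,
# source wildcard, icmp type). "any" = 0.0.0.0/255.255.255.255, "host X" = X/0.0.0.0.
# Destination is taken as "any" throughout (assumption: the post omits that field).
ANY = ("0.0.0.0", "255.255.255.255")

FILTER_OUTSIDE_IN = [
    ("deny", "ip", "10.0.0.0", "0.255.255.255", None),
    ("deny", "ip", "127.0.0.0", "0.255.255.255", None),
    ("deny", "ip", "172.16.0.0", "0.15.255.255", None),
    ("deny", "ip", "224.0.0.0", "15.255.255.255", None),
    ("deny", "ip", "0.0.0.0", "0.0.0.0", None),  # host 0.0.0.0
    ("deny", "icmp", *ANY, "timestamp-request"),
    ("deny", "icmp", *ANY, "redirect"),
    ("deny", "icmp", *ANY, "mask-request"),
    ("deny", "icmp", *ANY, "traceroute"),
    ("deny", "icmp", *ANY, "echo"),
    ("permit", "ip", *ANY, None),
]

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard masks are inverted netmasks: a 1 bit means "do not care".
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, proto, src, icmp_type=None):
    # First matching entry wins; every Cisco ACL ends with an implicit deny.
    for action, rproto, base, wildcard, rtype in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not wildcard_match(src, base, wildcard):
            continue
        if rtype is not None and rtype != icmp_type:
            continue
        return action
    return "deny"

def probe_verdicts(acl=FILTER_OUTSIDE_IN):
    # Constructed probes an outside scanner might send, mapped to the ACL's verdict.
    probes = [
        ("tcp", "198.51.100.7", None),     # plain TCP SYN, e.g. to port 23 or 80
        ("icmp", "198.51.100.7", "echo"),  # nmap host-discovery ping (hence -P0)
        ("tcp", "10.9.8.7", None),         # spoofed inside address
        ("tcp", "172.31.255.1", None),     # covered by the 172.16.0.0 0.15.255.255 line
        ("tcp", "192.168.1.1", None),      # RFC 1918 range the ACL does not list
    ]
    return {(p, s, t): evaluate(acl, p, s, t) for p, s, t in probes}
```

The first probe is the one that matters for the question: a plain TCP SYN from any non-bogon source is permitted by this ACL, so only the vty access-class (or a missing listener) keeps port 23 closed, and a port that NAT or the router itself is listening on will answer.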

