
CSM listening on non-configured ports

hussainmo
Level 1

Hi,

I was testing the CSM for deployment in our SCZ with our security team. During the testing we did a port scan on a vserver on port 80, and what we found was that the same VIP was also responding on ports 25 and 143. Does anyone have an idea why that would be the case, and whether there is a way of fixing this behaviour?

I am attaching the port scan testing report to the post.

Thanks,

Murtaza


Gilles Dufour
Cisco Employee

We'll need the CSM config to answer your question.

The first idea is that you have another vserver which is not specific to TCP port 80 and the CSM uses this vserver to forward the traffic.

But we can only confirm with the CSM config.

Gilles.

Hello,

This is the config.

Thanks,

Murtaza

    Router#sh run mod 1
    Building configuration...

    Current configuration : 716 bytes
    module ContentSwitchingModule 1
     variable REAL_SLOW_START_ENABLE 2
     variable ROUTE_UNKNOWN_FLOW_PKTS 1
    !
     ft group 42 vlan 402
      priority 200 alt 100
      preempt
    !
     vlan 202 server
      ip address 192.168.202.3 255.255.255.0
      route 0.0.0.0 0.0.0.0 gateway 192.168.202.1
      alias 192.168.202.4 255.255.255.0
    !
     natpool TEST_NAT 192.168.202.250 192.168.202.250 netmask 255.255.255.0
    !
     probe TEST tcp
      interval 15
      retries 2
      failed 30
      open 2
    !
     real TEST123
      address 192.168.202.101
      inservice
    !
     serverfarm TEST
      nat server
      nat client TEST_NAT
      real name TEST123 80
       inservice
      probe TEST
    !
     vserver TEST
      virtual 192.168.202.250 tcp www
      serverfarm TEST
      persistent rebalance
      inservice
    !
    end

I tested your config in the lab and there was no response on port 25 and 143.

Are you sure this is the full config?

Do you have a sniffer trace of the test?

[capture the portchannel]

Gilles.

Hello,

The config is complete but I don't have a sniffer trace. If you can't see the issue in the lab then it might have been a false alarm on the tool.

Many thanks for your help.

-Murtaza
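
The first idea raised in the thread, a second vserver that is not specific to TCP port 80, can be checked offline against a saved `sh run mod` output. The following is an added example, not part of the original thread: the `CATCHALL` and `PARKED` vservers are constructed, the function names are hypothetical, and it assumes the CSM treats protocol `any`, an omitted port and port `0` as wildcards.

```python
import re

# Assumed mapping for port names as IOS prints them; extend as needed.
NAMED_PORTS = {"www": 80, "smtp": 25, "imap": 143}

# Constructed input: the thread's vserver plus two hypothetical ones.
SAMPLE_CONFIG = """\
module ContentSwitchingModule 1
 vserver TEST
  virtual 192.168.202.250 tcp www
  serverfarm TEST
  inservice
!
 vserver CATCHALL
  virtual 192.168.202.250 any
  serverfarm TEST
  inservice
!
 vserver PARKED
  virtual 192.168.202.250 tcp 0
  serverfarm TEST
!
"""

# virtual <ip> [<mask>] <protocol> [<port>]; the mask is skipped, not applied.
VIRTUAL_RE = re.compile(r"virtual\s+(\S+)\s+(?:\d+(?:\.\d+){3}\s+)?(\S+)(?:\s+(\S+))?")

def parse_vservers(config):
    """Map vserver name -> vip, proto, port (None/0 = all ports), inservice."""
    vservers, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("vserver "):
            cur = vservers.setdefault(line.split()[1], {"inservice": False})
        elif line == "!":
            cur = None                      # end of the current config block
        elif cur is not None and (m := VIRTUAL_RE.match(line)):
            port = NAMED_PORTS.get(m.group(3), m.group(3))
            cur.update(vip=m.group(1), proto=m.group(2),
                       port=int(port) if str(port).isdigit() else port)
        elif cur is not None and line == "inservice":
            cur["inservice"] = True
    return vservers

def matching_vservers(vservers, vip, port, proto="tcp"):
    """In-service vservers accepting vip:port (wildcard rules are assumed)."""
    return [name for name, v in vservers.items()
            if v["inservice"] and v.get("vip") == vip
            and v.get("proto") in (proto, "any")
            and v.get("port") in (None, 0, port)]
```

An empty result for ports 25 and 143, which is what the posted config alone produces, means the configuration does not explain the scanner's finding and a capture is the next step.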
