04-20-2024 03:49 AM - edited 04-20-2024 03:50 AM
Hello!
I tested PPTP and L2TP VPN solutions, but considered another solution without the Cisco router involved.
I've disabled all the virtual-access and vpdn stuff,
sh run all | i vpdn
returns nothing, but the ports for PPTP and L2TP are still open and control-plane host open-ports confirms that.
How can those services be stopped?
I already tried a reload.
15.9(3)M7 on C886VA-W-E-K9
kind regards
Marco
04-20-2024 04:16 AM
Try this
class-map type port-filter match-all <name>
 match closed-ports
!
policy-map type port-filter <name>
 class <name>
  drop
!
control-plane host
 service-policy type port-filter input <name>
MHM
04-28-2024 03:39 AM
I've now tried the policy map. It will, like it says, only affect closed ports (and does that), but doesn't affect the open pptp TCP port.
04-20-2024 04:19 AM
but the ports for PPTP and L2TP are still open and control-plane host open-ports confirms that.
how did you test and confirm the ports are open?
you can check on the router and post the output of the commands below here:
show tcp brief all
show control-plane host open-ports
show ip tcp brief
show ip socket
04-20-2024 06:37 AM
router#sh tcp brief all
TCB Local Address Foreign Address (state)
[...]
13Dxyz 0.0.0.0.1723 *.* LISTEN
router#
router#show control-plane host open-ports
udp *:1701 *:0 L2TP-Server LISTEN
tcp *:1723 *:0 PPTP Mgmt LISTEN
[...]
The other commands don't exist on my system.
I prefer to disable the L2TP and PPTP servers instead of creating firewall rulesets and simply answering any request with a TCP RST or ICMP port unreachable.
04-21-2024 02:00 AM
Hello,
the command 'clear tcp tcb' used to be around, can you give that a try?
04-22-2024 01:05 AM
13DC87B8 0.0.0.0.1723 *.* LISTEN
router#clear tcp tcb 13DC87B8
[confirm]
%Clear TCP failed: TCB 0x13DC87B8 not found
router#
04-22-2024 01:41 AM
Hello,
what if you use:
clear tcp tcb *
04-22-2024 01:53 AM
That removed the entry in sh tcp brief, but the PPTP server is still running.
04-22-2024 02:02 AM
did you ever try my suggestion ???????????
MHM
04-22-2024 02:24 AM
Not yet, because that looks like a firewall rule. Isn't it a firewall rule?
Such a configuration didn't exist in the past, and the PPTP server has been running since I set up a PPTP VPN. Now I prefer to stop that PPTP server from running instead of configuring a firewall ruleset to deny access to it.
04-22-2024 02:27 AM
This is not a FW; what we need is to make CoPP drop any traffic to closed ports.
MHM
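As an added example (not from any poster in this thread): the port-filter policy above only acts on closed ports, so to have CoPP drop traffic to the PPTP and L2TP listeners that are still open, the class has to match those ports explicitly; the ACL, class-map and policy-map names are assumed.

```cisco
! Assumed names (not from the thread): COPP-VPN-LISTENERS / COPP-DROP-VPN
! ACL matches packets addressed to the PPTP (tcp/1723) and L2TP (udp/1701) listeners
ip access-list extended COPP-VPN-LISTENERS
 permit tcp any any eq 1723
 permit udp any any eq 1701
!
class-map match-all COPP-VPN-LISTENERS
 match access-group name COPP-VPN-LISTENERS
!
! Drop, rather than police, everything in that class
policy-map COPP-DROP-VPN
 class COPP-VPN-LISTENERS
  drop
!
! Aggregate CoPP: applied to all traffic punted to the route processor
control-plane
 service-policy input COPP-DROP-VPN
!
! Verification: 'show policy-map control-plane' shows the class counters increasing,
! while 'show control-plane host open-ports' still lists the listeners, because the
! servers themselves keep running; only the packets to them are dropped.
```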
04-22-2024 04:43 AM
Can you tell me what this exactly does?
Isn't there a way to simply stop the PPTP server from running?
04-22-2024 05:26 AM
Hello,
odd that the service keeps running. Maybe you can just 'wr erase' the entire config, then reload the router, and configure everything from scratch again, with any VPDN stuff?
04-22-2024 06:37 AM
Check if there is 'vpdn enable'.
Note: don't use 'i vpdn'.
Check the config line by line.
MHM