03-17-2011 05:44 AM - edited 03-09-2019 11:27 PM
Hello
I've encountered a problem: Cisco Security Agent is unable to close port TCP/135 on a Windows PC (XP or Win7).
I've configured a Network Access Control rule module to prevent all client/server connections to port tcp/135.
I've checked my policy using nmap: for about 20 minutes this port (TCP/135) shows as filtered and I can see the log in the Event Monitor on the CSA MC; during the next 20 minutes it shows as open and no log appears. (The time is not exact; it may be 30 minutes or 5, it varies.)
Can anyone explain how TCP/135 works, and is it possible to close it using CSA?
Thanks in advance
03-25-2011 03:30 AM
There is another question for the same issue on the forums (see: CSA 6.0.2.145 problem with windows 7 firewall). I wrote:
"I went ahead and tested this in the lab with WinXP and CSA 602-149 (latest). I defined a rule with DENY tcp/135 and ran nmap, and it reports open (Wireshark shows a SYN-ACK to the SYN). I changed it to a PRIORITY DENY and now nmap reports closed (Wireshark shows a reset to the SYN). Via the CLI, netstat -an shows the PC listening on tcp/135, and with CSA disabled the SYN gets the SYN-ACK response. To me this implies a couple of defects. 1: the DENY should block the SYN to tcp/135, and 2: CSA should not send a reset (it should be reset). Is it possible to open a TAC case and put my name (mwinnett) in it, and I will open a defect."
Matthew
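To make the verification Matthew describes repeatable (nmap state derived from what Wireshark shows in reply to each SYN), here is an added example, not code from the thread or from Cisco, that classifies each probed port from constructed tshark-style summary lines; the host addresses, ports and line format are assumptions for the sample.

```python
"""Classify how a host answered TCP SYN probes, the way nmap reports them.

Input is a list of constructed tshark-style summary lines (not a real
capture from the thread), formatted "src:sport > dst:dport [FLAGS]".
open     -> SYN answered with SYN-ACK (what the plain DENY rule let through)
closed   -> SYN answered with RST      (what PRIORITY DENY produced)
filtered -> SYN never answered         (what a silently dropping rule gives)
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) \[([A-Z,]+)\]$")

def parse(lines):
    """Yield (src, sport, dst, dport, set_of_flags) for each capture line."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not TCP summaries
        src, sport, dst, dport, flags = m.groups()
        yield src, int(sport), dst, int(dport), set(flags.split(","))

def classify_ports(lines, target, ports):
    """Return {port: state} for SYN probes sent to target on the given ports."""
    replies = defaultdict(set)            # probed port -> flag sets seen in answers
    probed = set()
    for src, sport, dst, dport, flags in parse(lines):
        if dst == target and flags == {"SYN"} and dport in ports:
            probed.add(dport)             # a bare SYN from the scanner
        elif src == target and sport in ports:
            replies[sport].add(frozenset(flags))   # whatever the host sent back
    states = {}
    for port in ports:
        if port not in probed:
            states[port] = "not probed"
        elif frozenset({"SYN", "ACK"}) in replies[port]:
            states[port] = "open"
        elif any("RST" in f for f in replies[port]):
            states[port] = "closed"
        else:
            states[port] = "filtered"
    return states

# Constructed sample: one probe per outcome discussed in the thread.
SAMPLE = [
    "10.0.0.5:40001 > 10.0.0.9:135 [SYN]",
    "10.0.0.9:135 > 10.0.0.5:40001 [SYN,ACK]",   # DENY rule: port still open
    "10.0.0.5:40002 > 10.0.0.9:445 [SYN]",
    "10.0.0.9:445 > 10.0.0.5:40002 [RST,ACK]",   # PRIORITY DENY: reset sent
    "10.0.0.5:40003 > 10.0.0.9:139 [SYN]",       # dropped silently: filtered
]

if __name__ == "__main__":
    print(classify_ports(SAMPLE, "10.0.0.9", {135, 445, 139}))
```

Feed it the summary lines exported from a real capture taken while nmap runs, and a port reported "open" despite a DENY rule is the defect Matthew describes.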