06-05-2001 10:28 AM - edited 03-08-2019 08:19 PM
Can anyone tell me why, if I have an access list that only allows 80 and 443 to pass through, I can still see all other ports open when I run penetration software such as Cyber Cop? Is there something that I need to add to keep these ports from responding?
06-05-2001 10:38 AM
I am assuming we are talking about a PIX here. The PIX closes all ports by default, and the only way you could be seeing other open ports is if you have a conduit or access list and group in there that opens them. Make sure you don't have both conduits and access lists, because they won't work together. You need to use one or the other. Also look for the keywords any any near the end of any of your access lists.
Hope this helps.
Bob
06-05-2001 01:35 PM
This is just a 3600 with ACLs on it. This router is in front of a firewall.
06-07-2001 12:12 PM
After you create the access-list, you have to go into the interface you want to apply it to and apply it as either inbound or outbound on that interface. Have you done this?
If so, can you post the access-list and the interface you've applied it to? (removing any public IPs, of course :)
Regards,
Thomas
06-08-2001 09:37 AM
I did do that; see the list and interfaces below.
interface Serial0/0
 ip address x.x.x.x
 ip access-group 111 in
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
access-list 111 deny tcp any any eq 8080 log
access-list 111 deny tcp any any eq 20034 log
access-list 111 deny tcp any any eq 27665 log
access-list 111 deny tcp any any eq 65512 log
access-list 111 deny tcp any any eq 16660 log
access-list 111 deny tcp any any eq 65513 log
access-list 111 deny tcp any any eq 65000 log
access-list 111 deny tcp any any eq 31337 log
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp host x.x.x.x host x.x.x.x
access-list 111 deny ip x.x.x.x any
access-list 111 deny ip x.x.x.x any
access-list 111 deny ip x.x.x.x any
access-list 111 permit tcp host x.x.x.x any eq bgp
access-list 111 deny icmp any any echo
access-list 111 deny tcp any any log
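
Added example, not part of the thread: a small first-match evaluator for entries of the form posted above, run against a constructed ACL in which the redacted x.x.x.x values are replaced by documentation addresses (assumptions). It reports which TCP destination ports inbound traffic from a given source address gets past the list, so an ACL can be checked entry by entry before comparing against scan results; it handles only `any` and `host` address forms.

```python
import ipaddress

# Constructed ACL in the shape of the posted access-list 111. The redacted
# x.x.x.x values are replaced by documentation addresses (assumptions).
SAMPLE_ACL = """\
access-list 111 deny tcp any any eq 8080 log
access-list 111 deny tcp any any eq 31337 log
access-list 111 permit tcp any host 192.0.2.10 eq www
access-list 111 permit tcp any host 192.0.2.10 eq 443
access-list 111 permit tcp host 198.51.100.5 host 192.0.2.10
access-list 111 deny ip host 203.0.113.7 any
access-list 111 permit tcp host 198.51.100.9 any eq bgp
access-list 111 deny icmp any any echo
access-list 111 deny tcp any any log
"""
PORT_NAMES = {"www": 80, "bgp": 179}

def _addr(tok):
    """Consume one address spec ('any' or 'host A'); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("address/wildcard pairs are outside this example: %r" % tok)

def parse(line):
    """Split one 'access-list N action proto src dst [eq port] [log]' entry."""
    action, proto, *rest = line.split()[2:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def first_match(acl, src, dst, dport):
    """Return (action, entry) for a TCP packet; the first matching entry wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl.splitlines():
        action, proto, snet, dnet, port = parse(line)
        if proto in ("tcp", "ip") and s in snet and d in dnet and port in (None, dport):
            return action, line
    return "deny", "(implicit deny at end of every IOS ACL)"

def passed_ports(acl, src, dst, ports):
    """Destination ports that inbound TCP from src to dst gets through the ACL."""
    return [p for p in ports if first_match(acl, src, dst, p)[0] == "permit"]

if __name__ == "__main__":
    for scanner in ("203.0.113.50", "198.51.100.5", "203.0.113.7"):
        print(scanner, passed_ports(SAMPLE_ACL, scanner, "192.0.2.10", [22, 80, 443, 8080, 31337]))
```

The result differs by source address: the host named in the host-to-host permit reaches every TCP port not denied earlier in the list, and a `deny ip` entry placed after the web permits does not stop that source from reaching 80 and 443.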