02-19-2014 11:38 PM - edited 03-04-2019 10:23 PM
hi,
My router is a Cisco 3845. Port 5061 is open on the router and I'm not using any voice service, so I want to stop it.
How do I do it?
shahid
02-20-2014 03:19 AM
You would need an acl on the interface that you're seeing it open on or configure cbac/zbfw. Without knowing what you have in place, let's assume that you want to shut only this port down and allow everything else:
access-list 100 deny tcp any any eq 5061
access-list 100 permit ip any any
int
ip access-group 100 in
This is assuming that 5061 is using TCP. If it also uses UDP, you could add "deny udp any any eq 5061". Make sure that you have the permit ip any any if you're trying to block from inside outbound. There's an implicit deny at the end, meaning that if you don't see a "deny ip any any" at the end of the ACL, it's still there, you just can't see it. When you do the "permit ip any any", it places the "permit" line above the "invisible" deny line. Make sense?
HTH,
John
*** Please rate all useful posts ***
02-23-2014 02:05 AM
Hi John
I have 9 WAN interfaces and 4 LAN interfaces. Do I need to bind the ACL to all interfaces?
Can I do it globally, so that I bind the ACL only once?
Best Regards
Shahid
02-23-2014 04:13 AM
You'll need to bind it to all interfaces that you don't want it accessible on. If that's 3 WAN and 2 LAN interfaces, you would bind it to those.
HTH,
John
*** Please rate all useful posts ***
02-23-2014 07:40 AM
5061 is encrypted SIP. Are you using SIP? Are you using encrypted SIP? This URL should help:
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-border-element/100446-cube-sip-tls.html#config_steps
Sent from Cisco Technical Support iPad App
02-23-2014 09:42 PM
Hi John
If I use permit ip any any, that allows all IP traffic into that interface, and I think that's a risk. If I do not use permit ip any any, I can't ping or telnet to that interface. Why?
I don't want to use permit ip any any. Please clarify the facts for me.
Thanking You
Shahid
02-24-2014 04:05 AM
Shahid,
You need to use permit ip any any when you need to allow all other traffic through. Otherwise, you'll need to allow what you want through, like:
deny tcp any any eq 5061
permit icmp any any
permit tcp any any eq 80
permit udp any any eq 53
etc.
There's the invisible "deny ip any any" at the end of the ACL that you can't see. A lot of engineers will put the deny ip any any at the end of the ACL to remind them that whatever doesn't match the ACL will be denied.
Jeff makes a very good point, and it was something that I honestly didn't look up before posting. If you're using SIP or SIP applications like Lync, you may be harming yourself by blocking 5061. How were you able to determine that 5061 was open?
HTH,
John
*** Please rate all useful posts ***
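To illustrate the first-match and implicit-deny behaviour John describes above, here is a small Python model of how an IOS extended ACL is evaluated (an added example, not from the thread or from Cisco; the helper names and the sample packets are constructed). It shows why ping and telnet are dropped when the ACL contains only the deny line and no "permit ip any any".

```python
# Added example (not from the thread): a minimal model of Cisco IOS
# extended ACL evaluation, used to show why the implicit
# "deny ip any any" drops ping and telnet when no "permit ip any any"
# is present. Hypothetical helper code; it is not IOS code.

def parse_ace(line):
    """Parse one ACE of the forms used in the thread, e.g.
    'deny tcp any any eq 5061' or 'permit ip any any'. Only 'any'
    source/destination and an optional 'eq <port>' are supported."""
    tokens = line.split()
    if tokens[0] == "access-list":      # strip the "access-list 100" prefix
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    port = None
    if "eq" in tokens:
        port = int(tokens[tokens.index("eq") + 1])
    return (action, proto, port)

def evaluate(acl_lines, proto, dport):
    """Return 'permit' or 'deny' for one packet. Entries are checked top
    to bottom; the first match wins; no match hits the implicit deny."""
    for action, ace_proto, ace_port in map(parse_ace, acl_lines):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"  # the invisible "deny ip any any" at the end of every ACL

# Constructed sample traffic: (description, protocol, destination port)
SAMPLE_PACKETS = [
    ("SIP-TLS", "tcp", 5061),
    ("ping", "icmp", None),
    ("telnet", "tcp", 23),
]

ACL_WITHOUT_PERMIT = ["access-list 100 deny tcp any any eq 5061"]
ACL_WITH_PERMIT = ACL_WITHOUT_PERMIT + ["access-list 100 permit ip any any"]

def verdicts(acl_lines):
    """Map each sample packet's description to the ACL's verdict."""
    return {name: evaluate(acl_lines, p, d) for name, p, d in SAMPLE_PACKETS}

if __name__ == "__main__":
    for label, acl in (("without permit", ACL_WITHOUT_PERMIT),
                       ("with permit", ACL_WITH_PERMIT)):
        print(label, verdicts(acl))
```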