Blocking inbound access

mramj499
Level 1

Have an ASR1001-X router as Internet router.  Got alert from Security team that ports 2001, 4001 and 9001 are open to the public on its public IP.  Trying to set up an access list on the gig port for the public IP that it blocks those TCP ports.  However, my access list isn't doing the trick, can still open ports 2001, 4001, etc.  Below config for the access list as well as the config for the port.  Any help is appreciated.  Thanks.


interface GigabitEthernet0/0/1
description Link to Firewall
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group 107 in
negotiation auto
cdp enable
end


ASR1001X-RTR#sh access-lists 107
Extended IP access list 107
10 deny ip any host 206.137.102.50 (1 match)
20 deny ip any host 206.137.102.100 (1 match)
30 deny ip any host 206.137.102.200 (1 match)
40 deny tcp any any eq 1433 (1 match)
50 deny tcp any any eq 3389
60 deny tcp any any eq 6001
70 deny tcp any any eq telnet
80 deny tcp any any eq 2001
90 deny tcp any any eq 4001
100 deny tcp any any eq 9001
110 permit ip any any (1183734 matches)

7 Replies

Joseph W. Doherty
Hall of Fame

Did the security team explicitly mention the open ports were only TCP ports?  I.e. what about UDP?

That aside, for an Internet facing interface, often you can start with blocking EVERYTHING with the router's IP as the destination IP.  If something legitimate is blocked, add an ACE to allow just it.

Don't misunderstand the foregoing, I'm not suggesting blocking any transit traffic, just all traffic directed to the router's external interface IP.

mramj499
Level 1

I've confirmed it's only TCP that is the problem right now.  Do you see anything wrong with my setup?  It's not actually blocking 2001, 4001, etc.

Are you sure that it is not blocking 2002 or 4001? Is there any proof that this traffic is actually getting into your network? The logic in the ACL looks right to me. The scanning program may say that this traffic is getting to the router interface, but the ACL should be quite effective in making sure that it does not get through into your network.

HTH

Rick

You've also confirmed the attempt to open those TCP ports is entering that port, i.e. not egressing that port?

Hi,

I don't know what tool your infosec uses, but you can do a simple telnet to the router address with the respective ports and see the hit counts.

This works for TCP port verification.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
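As an added illustration (not code from this thread), a small Python parser for `show access-lists` output that reports which deny ACEs for the ports in question still show a zero hit counter after a test connection; the sample output is constructed after ACL 107 above, and the function names are my own.

```python
import re

# Constructed sample, modelled on the "sh access-lists 107" output in the thread.
SHOW_ACL_107 = """\
Extended IP access list 107
    10 deny ip any host 206.137.102.50 (1 match)
    40 deny tcp any any eq 1433 (1 match)
    50 deny tcp any any eq 3389
    70 deny tcp any any eq telnet
    80 deny tcp any any eq 2001
    90 deny tcp any any eq 4001
    100 deny tcp any any eq 9001
    110 permit ip any any (1183734 matches)
"""

# One ACE line: sequence, action, protocol, the rest of the rule, optional "(N match[es])".
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_aces(text):
    """Return a list of dicts, one per ACE, with the destination port (after 'eq') if any."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # header line or anything that is not an ACE
            continue
        port_match = re.search(r"\beq\s+(\S+)", m.group("rest"))
        aces.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "port": port_match.group(1) if port_match else None,
            "matches": int(m.group("matches") or 0),
        })
    return aces


def unhit_denies(text, ports):
    """Sequence numbers of deny ACEs for the given ports whose counter is still zero.

    A zero counter after a test connection means no matching packet was seen
    inbound on the interface where the ACL is applied, i.e. the traffic the
    scanner reports is not arriving there (or is leaving, not entering).
    """
    wanted = {str(p) for p in ports}
    return [a["seq"] for a in parse_aces(text)
            if a["action"] == "deny" and a["port"] in wanted and a["matches"] == 0]
```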

Hello
Appending a simple cbac should negate any external initiation of those tcp ports.

Example:
ip access-list extended firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
! Inspection rule "FW": sessions initiated from inside get temporary openings
! in the inbound ACL for their return traffic; unsolicited inbound TCP is denied.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface GigabitEthernet0/0/1
 ip inspect FW out
 ip access-group firewall_acl in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I sent you a message, check it.
