11-01-2011 09:10 AM - edited 03-04-2019 02:07 PM
Our security department wants me to close TCP ports 2001, 4001, 6001 and 9001. Below is part of my configuration:
interface FastEthernet0/0
ip address X.X.X.X
ip access-group control out
ip access-list extended control
deny tcp any any eq 2001
deny tcp any any eq 4001
deny tcp any any eq 6001
deny tcp any any eq 9001
permit ip any any
When they do a scan from outside the company network it still shows up as open. I have tried both an ip access-group in and out and it never seems to hit the ACL. The scan is being done against the f0/0 IP address.
11-04-2011 07:29 AM
Ehh, I'd say you're trying to put the ACL on the wrong interface. Your outside (WAN) interface seems to be s0/0/0:
interface s0/0/0
ip address 8.9.10.11 X.x.x.x
encapsulation PPP
Try putting ACL "pci" inbound on that interface.
11-01-2011 10:06 AM
Tracy
Perhaps it would be helpful to start with a small review of how TCP ports work. When someone runs a scan against certain ports, the scan software sends a TCP packet with that port number as the destination port. If that port is active/open on the subject device, then the subject device sends a response, and in that response the port number is the source port.
There are two problems with the way that you have written and applied the access list. You have written the access list to look for the ports that you are interested in as the destination ports. But when you apply the access list outbound, those ports would be acting as the source port. The second problem is that when you apply an access list outbound it will filter traffic that transits the router, but it will not filter traffic that is generated by the router itself.
The solution to the problem is pretty simple. If you take the access list as you have written it and apply it inbound on the interface where the scan is received then the access list will work and will accomplish what you want.
HTH
Rick
11-02-2011 12:29 PM
Thanks for the information Richard, however I already tried an ACL with the following:
ip access-list extended control1
deny tcp any eq 2001 any
deny tcp any eq 4001 any
deny tcp any eq 6001 any
deny tcp any eq 9001 any
permit ip any any
interface f0/0
ip access-group extended control1
I can see traffic hit the permit ip any any but nothing on the deny statements, and the ports still show open.
11-02-2011 12:33 PM
Sorry the command on the f0/0 is
ip access-group control1 in
11-02-2011 02:37 PM
Tracy
If the scan is being received on interface Fast0/0 then use the original version of your access list (control rather than control1) and apply it inbound:
ip access-group control in
HTH
Rick
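As an added illustration (not part of this thread or of Cisco IOS), the following Python model reproduces the three behaviours discussed above: an ACL bound outbound never sees the inbound probe and is skipped for the router's own replies, the "control1" source-port form does not match the probe, and an inbound ACL is only consulted on the interface the packet actually enters (the accepted answer's point about s0/0/0 vs f0/0). Interface names, the scanner's source port 40000 and the ACL entries are constructed from the configs posted in the thread.

```python
from dataclasses import dataclass

SCAN_PORTS = (2001, 4001, 6001, 9001)


@dataclass(frozen=True)
class Packet:
    ingress: str                     # interface the packet arrives on
    src_port: int
    dst_port: int
    router_originated: bool = False  # True for replies the router itself sends


# Entries are (action, matched field, port); a field of None matches everything.
ACLS = {
    # "deny tcp any any eq <port>": <port> is the DESTINATION port (thread's "control")
    "control": [("deny", "dst_port", p) for p in SCAN_PORTS] + [("permit", None, None)],
    # "deny tcp any eq <port> any": <port> is the SOURCE port (thread's "control1")
    "control1": [("deny", "src_port", p) for p in SCAN_PORTS] + [("permit", None, None)],
}


def acl_action(name, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, field, port in ACLS[name]:
        if field is None or getattr(pkt, field) == port:
            return action
    return "deny"


def passes(pkt, interface, direction, bindings):
    """Apply the ACL bound to (interface, direction), if any, to pkt."""
    if direction == "out" and pkt.router_originated:
        return True  # outbound ACLs do not filter router-generated traffic
    name = bindings.get((interface, direction))
    return name is None or acl_action(name, pkt) == "permit"


def scan_result(bindings, ingress, port):
    """What a scanner sees when probing a port the router itself listens on."""
    probe = Packet(ingress, src_port=40000, dst_port=port)  # constructed scanner SYN
    if not passes(probe, ingress, "in", bindings):
        return "filtered"
    # the router answers; the reply goes back out the same interface
    reply = Packet(ingress, src_port=port, dst_port=40000, router_originated=True)
    return "open" if passes(reply, ingress, "out", bindings) else "filtered"


def transit_result(bindings, ingress, egress, port):
    """A packet the router merely forwards IS subject to the egress outbound ACL."""
    pkt = Packet(ingress, src_port=40000, dst_port=port)
    ok = passes(pkt, ingress, "in", bindings) and passes(pkt, egress, "out", bindings)
    return "forwarded" if ok else "dropped"
```

The `bindings` dict stands in for the `ip access-group <name> in|out` lines on each interface.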
11-03-2011 02:22 PM
The access list I added was:
ip access-list extended pci
deny tcp any any eq 2001
deny tcp any any eq 4001
deny tcp any any eq 6001
deny tcp any any eq 9001
permit ip any any
interface f0/0
ip access-group pci in
I can see the permit ip any any go up but nothing on the denies. I had the person scan again and the ports are still open. Any other suggestions?
11-03-2011 02:36 PM
Hi,
Questions:
What is the hardware and software?
What is the IP address you are scanning? (Is it the interface address of the unit or an address behind it?)
11-03-2011 02:41 PM
The router is a 2800 running file 2800-nm-advsecurityk9-mz.124-25b.bin.
The target is the f0/0 IP address, which someone is running an Nmap scan against from outside our company.
11-03-2011 02:44 PM
Hi Tracy,
You said "The scan being done is on the f0/0 ip address." Do you mean the scanner tries the IP address of your router?
Or do you mean that the scanner is sitting behind f0/0? On which port and in which direction are the scanner's requests coming?
11-03-2011 02:50 PM
Sorry for the confusion,
The public IP address on the f0/0 of the router is what the person is scanning. They are coming from outside the company, so they are not behind f0/0. I don't know where they are coming from, just a public IP address on the Internet scanning ports 2001, 4001, 6001 and 9001.
Any help would be great since I need these closed for PCI.
11-03-2011 03:16 PM
OK, you mean f0/0 points to the outside, and from that "outside" the requests are coming?
May I ask how you have configured the router so that it answers if somebody tries to connect to its IP on ports 2001, 4001, 6001 and 9001? I mean, by default those ports are not open on a router; there are no services listening on those ports.
Do you use NAT?
Your configuration should actually work perfectly:
ip access-list extended pci
deny tcp any any eq 2001
deny tcp any any eq 4001
deny tcp any any eq 6001
deny tcp any any eq 9001
permit ip any any
interface f0/0
ip access-group pci in
11-03-2011 03:22 PM
So these are ports open on your router interface, or on an IP address that is NATed in from an address in the IP range of the "outside" interface.
So if you change the ip access-group to inspect traffic inbound instead of outbound, that should do the trick.
ip access-group control out
should be changed to
ip access-group control in
good luck
HTH
11-03-2011 07:25 PM
Most of the ports mentioned are involved in the operation of reverse telnet (aka terminal server functions). So perhaps we should ask if there is any reverse telnet function configured on this router.
Several of us agree that the "control" access list applied inbound should work. But apparently it does not. So there must be some aspect of the router environment that we do not understand sufficiently. Can you post the configuration of the router (hiding any public addresses by changing them to corresponding reserved private addresses - so if your address were actually 23.1.2.3 it would show up as 10.1.2.3).
HTH
Rick
11-04-2011 06:45 AM
The shortened version of the configuration is below. I guess I am questioning the service tcp-keepalives in and out.
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps
service compress-config
logging buffered
aaa new-model
aaa session-id common
no ip source-route
ip cef
ip auth-proxy
ip admission max
ip ssh version 2
interface f0/0
ip address 2.3.4.5 X.x.x.x secondary
ip address 6.7.8.9 X.x.x.x
ip access-group control out
ip access-group pci in
interface s0/0/0
ip address 8.9.10.11 X.x.x.x
encapsulation PPP
no ip http server
no ip http secure-server
ip access-list extended pci
deny tcp any any eq 2001
deny tcp any any eq 4001
deny tcp any any eq 6001
deny tcp any any eq 9001
permit ip any any
ip access-list extended control
deny tcp any any eq 2001 log
deny tcp any any eq 4001 log
deny tcp any any eq 6001 log
deny tcp any any eq 9001 log
permit ip any any
no ip gratuitous-arps
The scan is being done from the Internet and is scanning 2.3.4.5.
Thanks for the help
11-04-2011 07:10 AM
I took the service tcp-keepalives in and out off and still get the same response, so that is not it.