Beginner

Closing Ports 2001,4001,6001 and 9001

Our security department wants me to close TCP ports 2001, 4001, 6001 and 9001. Below is part of my configuration:

interface FastEthernet0/0
 ip address X.X.X.x
 ip access-group control out
!
ip access-list extended control
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 6001
 deny tcp any any eq 9001
 permit any any

When they do a scan from outside the company network, it still shows up as open. I have tried an ip access-group both in and out, and it never seems to hit the ACL. The scan is being done against the f0/0 IP address.

Accepted Solution

Ehh, I'd say you're trying to put the ACL on the wrong interface; your outside, or WAN, interface seems to be s0/0/0:

interface s0/0/0
 ip address 8.9.10.11 X.x.x.x
 encapsulation ppp

Try putting ACL "pci" inbound on that interface.

19 Replies
Hall of Fame Guru

Tracy

Perhaps it would be helpful to start with a small review of how TCP ports work. When someone runs a scan against certain ports, the scan software sends a TCP packet with that port number as the destination port. If that port is active/open on the subject device, then the subject device sends a response, and in that response the port number is the source port.

There are two problems with the way that you have written and applied the access list. You have written the access list to look for the ports that you are interested in as the destination ports. But when you apply the access list outbound, those ports would be acting as the source port. The second problem is that when you apply an access list outbound, it will filter traffic that transits the router, but it will not filter traffic that is generated by the router itself.

The solution to the problem is pretty simple. If you take the access list as you have written it and apply it inbound on the interface where the scan is received, then the access list will work and will accomplish what you want.

HTH

Rick

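The two points made in the reply above (an outbound ACL sees the scanned port as the source port, and router-generated replies are not subject to an outbound ACL at all) and the accepted solution's point (the ACL has to sit on the interface where the probe actually arrives) can be checked with a small model. The following is an added example written for this thread, not configuration or code from the original posts or from Cisco; it assumes a simplified IOS interface-ACL semantics (first matching entry wins, implicit deny at the end, outbound ACLs skipped for locally generated packets) and uses a constructed ephemeral source port of 40123 for the probe. The ACL named CONTROL below has the same entries as the thread's "control"/"pci" lists (without the log keyword); CONTROL1 mirrors the thread's source-port variant.

```python
"""Toy model of IOS interface ACL direction/port semantics (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp" or "ip" (ip matches any protocol)
    src_port: Optional[int] = None  # e.g. "deny tcp any eq 2001 any"
    dst_port: Optional[int] = None  # e.g. "deny tcp any any eq 2001"


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    router_originated: bool = False  # True when the router itself generated it


def evaluate_acl(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src_port is not None and ace.src_port != pkt.sport:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dport:
            continue
        return ace.action
    return "deny"


def scan_result(port, arrival_if, interfaces, transit=False):
    """Model one TCP probe to `port`.

    interfaces: {name: {"in": acl or None, "out": acl or None}}
    arrival_if: interface the probe arrives on (the reply leaves the same way)
    transit:    False if the port is on the router itself, True if it belongs
                to a host behind the router (e.g. reached through NAT)
    Returns "filtered" if either the probe or the reply is dropped, else "open".
    """
    syn = Packet("tcp", sport=40123, dport=port)  # constructed ephemeral source port
    inbound = interfaces.get(arrival_if, {}).get("in")
    if inbound is not None and evaluate_acl(inbound, syn) == "deny":
        return "filtered"
    # The reply swaps the ports: the scanned port is now the SOURCE port.
    # Only transit traffic passes an outbound ACL; a reply generated by the
    # router itself is never evaluated against it.
    syn_ack = Packet("tcp", sport=port, dport=syn.sport, router_originated=not transit)
    outbound = interfaces.get(arrival_if, {}).get("out")
    if (outbound is not None and not syn_ack.router_originated
            and evaluate_acl(outbound, syn_ack) == "deny"):
        return "filtered"
    return "open"


PORTS = (2001, 4001, 6001, 9001)
# "ip access-list extended control": deny tcp any any eq <port> ... permit ip any any
CONTROL = tuple(Ace("deny", "tcp", dst_port=p) for p in PORTS) + (Ace("permit", "ip"),)
# "ip access-list extended control1": deny tcp any eq <port> any ... permit ip any any
CONTROL1 = tuple(Ace("deny", "tcp", src_port=p) for p in PORTS) + (Ace("permit", "ip"),)


def thread_scenarios():
    """Replay the placements tried in the thread and return what a scanner would see."""
    return {
        # Original post: "control" applied OUT on f0/0, probe arrives on f0/0.
        "control out on f0/0": scan_result(2001, "f0/0", {"f0/0": {"out": CONTROL}}),
        # Same ACL applied IN on the interface where the probe arrives.
        "control in on f0/0": scan_result(2001, "f0/0", {"f0/0": {"in": CONTROL}}),
        # Source-port variant applied IN: the probe's source port is ephemeral, so no match.
        "control1 in on f0/0": scan_result(2001, "f0/0", {"f0/0": {"in": CONTROL1}}),
        # Accepted solution: probe really arrives on s0/0/0; an ACL on f0/0 never sees it.
        "control in on f0/0, probe via s0/0/0": scan_result(2001, "s0/0/0", {"f0/0": {"in": CONTROL}}),
        "control in on s0/0/0, probe via s0/0/0": scan_result(2001, "s0/0/0", {"s0/0/0": {"in": CONTROL}}),
        # A port on a host behind the router: the reply is transit traffic, so the
        # source-port list applied OUT does catch it.
        "control1 out on f0/0, transit host": scan_result(2001, "f0/0", {"f0/0": {"out": CONTROL1}}, transit=True),
        # A port not in the list stays open under the correct placement.
        "control in on f0/0, port 22": scan_result(22, "f0/0", {"f0/0": {"in": CONTROL}}),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:45s} -> {result}")
```

The model deliberately ignores addresses, since every entry in the thread uses any/any; the only things that decide the outcome are the direction the ACL is applied in, which interface the probe arrives on, and whether the reply is locally generated or forwarded.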

Thanks for the information, Richard; however, I already tried an ACL with the following:

ip access-list extended control1
 deny tcp any eq 2001 any
 deny tcp any eq 4001 any
 deny tcp any eq 6001 any
 deny tcp any eq 9001 any
 permit any any
!
interface f0/0
 ip access-group extended control1

I can see traffic hit the permit any any, but nothing on the deny statements, and the ports still show open.

Sorry the command on the f0/0 is

ip access-group control1 in


Tracy

If the scan is being received on interface Fast0/0 then use the original version of your access list (control rather than control1) and apply it inbound:

ip access-group control in

HTH

Rick


The access list I added was:

ip access-list extended pci
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 6001
 deny tcp any any eq 9001
 permit ip any any
!
interface f0/0
 ip access-group pci in

I can see the permit any counter go up, but nothing on the deny entries. I had the person scan again and the ports are still open. Any other suggestions?

Hi

Question

What are the hardware and software?

What is the IP address you are scanning? (Is it the interface address of the unit or an address behind it?)

The router is a 2800 running file 2800-nm-advsecurityk9-mz.124-25b.bin.

The target is the f0/0 IP address; someone is running an Nmap scan against it from outside our company.

Enthusiast

Hi Tracy,

You said "The scan being done is on the f0/0 ip address." Do you mean the scanner tries the IP address of your router?

Or do you mean that the scanner is sitting behind f0/0? On which port and in which direction are the scanner's requests coming?

Sorry for the confusion,

The public IP address on the f0/0 of the router is what the person is scanning. They are coming from outside the company, so they are not behind the f0/0. I don't know where they are coming from, just a public IP address from the Internet scanning ports 2001, 4001, 6001 and 9001.

Any help would be great, since I need these closed for PCI.

OK, you mean f0/0 points to the outside, and from that "outside" the requests are coming?

May I ask how you have configured the router so that it answers if somebody tries to connect to its IP on ports 2001, 4001, 6001 and 9001? I mean, by default those ports are not open on a router; there are no services listening on those ports.

Do you use NAT?

Your configuration should actually work perfectly:

ip access-list extended pci
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 6001
 deny tcp any any eq 9001
 permit ip any any
!
interface f0/0
 ip access-group pci in

So these are ports open on your router interface, or on an IP address that is NATed in from an address in the IP range of the "outside" interface.

So if you change the ip access-group to inspect traffic inbound instead of outbound, that should do the trick:

ip access-group control out

should be changed to

ip access-group control in

good luck

HTH


Most of the ports mentioned are involved in the operation of reverse telnet (aka terminal server functions). So perhaps we should ask if there is any reverse telnet function configured on this router.

Several of us agree that the "control" access list applied inbound should work. But apparently it does not. So there must be some aspect of the router environment that we do not understand sufficiently. Can you post the configuration of the router (hiding any public addresses by changing them to corresponding reserved private addresses, so if your address were actually 23.1.2.3 it would show up as 10.1.2.3)?

HTH

Rick


The shortened version of the configuration is below; I guess I am questioning the service tcp-keepalives in and out.

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps
service compress-config
!
logging buffered
!
aaa new-model
aaa session-id common
!
no ip source-route
ip cef
ip auth-proxy
ip admission max
ip ssh version 2
!
interface f0/0
 ip address 2.3.4.5 X.x.x.x secondary
 ip address 6.7.8.9 X.x.x.x
 ip access-group control out
 ip access-group pci in
!
interface s0/0/0
 ip address 8.9.10.11 X.x.x.x
 encapsulation ppp
!
no ip http server
no ip http secure-server
!
ip access-list extended pci
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 6001
 deny tcp any any eq 9001
 permit ip any any
!
ip access-list extended control
 deny tcp any any eq 2001 log
 deny tcp any any eq 4001 log
 deny tcp any any eq 6001 log
 deny tcp any any eq 9001 log
 permit ip any any
!
no ip gratuitous-arps

The scan is being done from the Internet and is scanning 2.3.4.5.

Thanks for the help


I took the service tcp-keepalives in and out off, and still the same response, so that is not it.