Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21451
Views
5
Helpful
19
Replies

Closing Ports 2001,4001,6001 and 9001

Go to solution
TRACY HARTMANN
Level 1
Level 1

‎11-01-2011 09:10 AM - edited ‎03-04-2019 02:07 PM

Our security department wants me to close tcp ports 2001,4001,6001 and 9001.  Below is part of my configuration

Interface Fastethernet0/0

IP address X.X.X.x

ip access-group control out

ip access-list extended control

deny tcp any any eq 2001

deny tcp any any eq 4001

deny tcp any any eq 6001

deny tcp any any eq 9001

permit any any

When they do a scan outside the company network is still shows up open.  I have tried both a ip access-group in and out and it never seems to hit the ACL.  The scan being done is on the f0/0 ip address.

Labels:
0 Helpful
19 Replies 19

Go to solution
Konstantin Dunaev
Level 4
Level 4
In response to TRACY HARTMANN

‎11-04-2011 07:29 AM

ehh, I'd say you're trying to put the ACL on wrong interface, your Outside, or WAN interface is seemed to be s0/0/0:

interface s0/0/0

ip address 8.9.10.11 X.x.x.x

encapsulation PPP

try to put acl "pci" as inbound onto that interface.

0 Helpful

Go to solution
TRACY HARTMANN
Level 1
Level 1
In response to Konstantin Dunaev

‎11-04-2011 08:48 AM

Yep that was the problem, as soon as I added the ACL to the Serial it worked.  Is that because when the traffic comes into the Serial it passes the traffic to the Ethernet via the backplane?

0 Helpful

Go to solution
Konstantin Dunaev
Level 4
Level 4
In response to TRACY HARTMANN

‎11-04-2011 09:05 AM

exactly, if one try to reach the IP address assigned to the LAN interface and the traffic comes in via WAN interface, then ACL, which are applied to the LAN interface will be not processed.

0 Helpful

Go to solution
rn.becker
Level 1
Level 1

‎05-29-2013 03:10 PM

Tracy, I've run into the same thing you are (although I know this is two years after the fact).  I discovered here that the ports we're talking about are related to telnet streams on rotary ports.

Table: TCP Port Telnet Access to Cisco Products (Earlier Releases)
TCP Port Number Access Method

7

Echo

9

Discard

23

Telnet (to virtual terminal VTY ports in rotary fashion)

79

Finger

1993

SNMP over TCP

2001 through 2999

Telnet to auxiliary (AUX) port, terminal (TTY) ports, and virtual terminal (VTY) ports

3001 through 3999

Telnet to rotary ports (access via these ports is only possible if the rotaries have been explicitly configured first with the rotary command)

4001 through 4999

Telnet (stream mode) mirror of 2000 range

5001 through 5999

Telnet (stream mode) mirror of 3000 range (access via these ports is possible only if the rotaries have been explicitly configured first)

6001 through 6999

Telnet (binary mode) mirror of 2000 range

7001 through 7999

Telnet (binary mode) mirror of 3000 range (access via these ports is possible only if the rotaries have been explicitly configured first)

8001 through 8999

Xremote (communication servers only)

9001 through 9999

Reverse Xremote (communication servers only)

10001 through 19999

Reverse Xremote rotary (communication servers only; access via these ports is possible only if the ports have been explicitly configured first)

Digging a little deeper, I discovered that the AUX port on a router is available via TCP.  At the router, execute

     router#show line

In my case on a Cisco 2501 I got:

router#show line

   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int

*    0 CTY              -    -      -    -    -      2       0     0/0       -

     1 AUX   9600/9600  -    -      -    -    -     15       0     0/0       -

     2 VTY              -    -      -    -    -     35       0     0/0       -

     3 VTY              -    -      -    -    -      2       0     0/0       -

     4 VTY              -    -      -    -    -      0       0     0/0       -

     5 VTY              -    -      -    -    -      0       0     0/0       -

     6 VTY              -    -      -    -    -      0       0     0/0       -

More digging around about configuring AUX ports found this article.  It describes how to configure and access the AUX ports via a telnet session.  Basically, you start at 2000, 4000, 6000, or 9000, and then add the line number for the AUX port.  As you can see above, the line number for my AUX port is 1, so if I want to telnet to that port, I would use

router>telnet 10.100.0.254 2001 or 4001 or 6001 or 9001

AUX ports start at AUX 0 and by default these ports are on, even though there may not be anything about them in the configuration.  To turn the AUX port off, you do it the same way as you do with a VTY line.

router#conf t

router(config)#line aux 0

router(config-line)#transport input none

end

copy run start

Go to solution
netstar-sg-service
Level 1
Level 1
In response to rn.becker

‎04-01-2015 11:51 PM

Thanks Dude..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card