11-01-2011 09:10 AM - edited 03-04-2019 02:07 PM
Our security department wants me to close tcp ports 2001,4001,6001 and 9001. Below is part of my configuration
interface FastEthernet0/0
 ip address X.X.X.x
 ip access-group control out
!
ip access-list extended control
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 6001
 deny tcp any any eq 9001
 permit ip any any
When they do a scan from outside the company network it still shows up open. I have tried both an ip access-group in and out and it never seems to hit the ACL. The scan being done is on the f0/0 IP address.
11-04-2011 07:29 AM
Ehh, I'd say you're trying to put the ACL on the wrong interface; your outside, or WAN, interface seems to be s0/0/0:
interface s0/0/0
 ip address 8.9.10.11 X.x.x.x
 encapsulation ppp
try to put acl "pci" as inbound onto that interface.
11-04-2011 08:48 AM
Yep that was the problem, as soon as I added the ACL to the Serial it worked. Is that because when the traffic comes into the Serial it passes the traffic to the Ethernet via the backplane?
11-04-2011 09:05 AM
Exactly: if one tries to reach the IP address assigned to the LAN interface and the traffic comes in via the WAN interface, then an ACL that is applied to the LAN interface will not be processed.
05-29-2013 03:10 PM
Tracy, I've run into the same thing you did (although I know this is two years after the fact). I discovered here that the ports we're talking about are related to telnet streams on rotary ports.
| TCP Port Number | Access Method |
|---|---|
| 7 | Echo |
| 9 | Discard |
| 23 | Telnet (to virtual terminal VTY ports in rotary fashion) |
| 79 | Finger |
| 1993 | SNMP over TCP |
| 2001 through 2999 | Telnet to auxiliary (AUX) port, terminal (TTY) ports, and virtual terminal (VTY) ports |
| 3001 through 3999 | Telnet to rotary ports (access via these ports is only possible if the rotaries have been explicitly configured first with the rotary command) |
| 4001 through 4999 | Telnet (stream mode) mirror of 2000 range |
| 5001 through 5999 | Telnet (stream mode) mirror of 3000 range (access via these ports is possible only if the rotaries have been explicitly configured first) |
| 6001 through 6999 | Telnet (binary mode) mirror of 2000 range |
| 7001 through 7999 | Telnet (binary mode) mirror of 3000 range (access via these ports is possible only if the rotaries have been explicitly configured first) |
| 8001 through 8999 | Xremote (communication servers only) |
| 9001 through 9999 | Reverse Xremote (communication servers only) |
| 10001 through 19999 | Reverse Xremote rotary (communication servers only; access via these ports is possible only if the ports have been explicitly configured first) |
Digging a little deeper, I discovered that the AUX port on a router is available via TCP. At the router, execute
router#show line
In my case on a Cisco 2501 I got:
router#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 2 0 0/0 -
1 AUX 9600/9600 - - - - - 15 0 0/0 -
2 VTY - - - - - 35 0 0/0 -
3 VTY - - - - - 2 0 0/0 -
4 VTY - - - - - 0 0 0/0 -
5 VTY - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -
More digging around about configuring AUX ports found this article. It describes how to configure and access the AUX ports via a telnet session. Basically, you start at 2000, 4000, 6000, or 9000 and then add the line number for the AUX port. As you can see above, the line number for my AUX port is 1, so if I want to telnet to that port, I would use
router>telnet 10.100.0.254 2001 (or 4001, 6001, or 9001)
AUX ports start at AUX 0 and by default these ports are on, even though there may not be anything about them in the configuration. To turn the AUX port off, you do it the same way as you do with a VTY line.
router#conf t
router(config)#line aux 0
router(config-line)#transport input none
router(config-line)#end
router#copy run start
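As an added example (not from the thread or any Cisco tool) tying the port table and the `show line` / `transport input` steps together: a small audit script that reads `show line` output and the `line` stanzas of a running-config, works out which reverse-telnet ports (2000/4000/6000/9000 + absolute line number) still reach a line that accepts telnet, and so would show up in an external scan. Sample input is constructed; a stanza with no `transport input` is assumed to default to "all", as the post describes for the AUX port.

```python
import re

# Constructed sample (not from the thread): 'show line' output and the line
# stanzas of a running-config, used to audit reverse-telnet exposure.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      2       0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -     15       0     0/0       -
     2 VTY              -    -      -    -    -     35       0     0/0       -
"""
RUNNING_CONFIG = """\
line aux 0
line vty 0 4
 transport input ssh
"""
# Base ports from the thread's table (telnet, stream, binary, reverse Xremote);
# the absolute TTY line number from 'show line' is added to each base.
BASES = (2000, 4000, 6000, 9000)

def parse_show_line(text):
    """Return [(absolute_line, type, index_within_type)] from 'show line'."""
    rows, seen = [], {}
    for row in text.splitlines():
        m = re.match(r"^\*?\s*(\d+)\s+(\w+)", row)  # header row has no number
        if m:
            num, typ = int(m.group(1)), m.group(2).lower()
            rows.append((num, typ, seen.get(typ, 0)))
            seen[typ] = seen.get(typ, 0) + 1
    return rows

def parse_transport(config):
    """Return [[type, first, last, transport_input]] per 'line' stanza; a stanza
    without 'transport input' is taken as 'all' (assumption, per the thread)."""
    stanzas = []
    for raw in config.splitlines():
        if raw.startswith("line "):
            p = raw.split()
            stanzas.append([p[1], int(p[2]), int(p[3]) if len(p) > 3 else int(p[2]), "all"])
        elif stanzas and raw.strip().startswith("transport input"):
            stanzas[-1][3] = raw.split("transport input", 1)[1].strip()
    return stanzas

def exposed_ports(show_line=SHOW_LINE, config=RUNNING_CONFIG):
    """Map each network-reachable line that still accepts telnet to its TCP ports."""
    stanzas, exposed = parse_transport(config), {}
    for num, typ, idx in parse_show_line(show_line):
        if typ == "cty":
            continue  # the console is a physical port, not a TCP listener
        ti = next((s[3] for s in stanzas if s[0] == typ and s[1] <= idx <= s[2]), "all")
        if ti == "all" or "telnet" in ti.split():
            exposed[f"{typ} {idx}"] = [b + num for b in BASES]
    return exposed
```

With the sample above the AUX line (absolute line 1) is reported on 2001, 4001, 6001 and 9001, which is exactly the set the security department flagged; adding `transport input none` under `line aux 0` empties the report.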
04-01-2015 11:51 PM
Thanks Dude..