Switch is reachable from any subnet or unused IP

tbryant97
Level 1

Cisco 9600 core switch is reachable from any IP in our subnet. The main interface is 172.18.112.1, which I use to access the switch web interface. Upon running NMAP scans, the switch shows up multiple times on the scans, throwing them off. I can access any IP such as 172.18.43.1 below.

[Screenshot attachment: tbryant97_0-1675389927515.png]

[Screenshot attachment: tbryant97_1-1675389932104.png]

There is no interface defined for that subnet anywhere in our network. 

 

Rapid7/NMAP Scan:

[Screenshot attachment: tbryant97_2-1675390122569.png]

 

6 Replies

marce1000
VIP

 

 - Check the running config and/or apply ACL(s) to restrict management access (HTTP or other).

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
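
As an added example of the restriction suggested above (not configuration from this thread or from the poster's switch), the following IOS-XE snippet limits the embedded web server and VTY lines to a management subnet. It assumes 172.18.112.0/24 is the management subnet and MGMT-ACCESS is a hypothetical ACL name.

```cisco
! Added example: restrict the management plane to one source subnet.
! Assumption: 172.18.112.0/24 is the management subnet; MGMT-ACCESS is a made-up name.
ip access-list standard MGMT-ACCESS
 permit 172.18.112.0 0.0.0.255
 deny   any log
!
! Bind the ACL to the HTTP/HTTPS server (IOS-XE syntax); the existing
! IP-Adm-V4-Int-ACL-global permits www and 443 from any source, so it does
! not restrict who may reach the web UI.
ip http access-class ipv4 MGMT-ACCESS
!
! Apply the same source restriction to SSH sessions.
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
```

After applying it, test from a host outside 172.18.112.0/24 to confirm the web UI and SSH no longer answer, and watch the log for the deny hits.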

Existing access-list:

Extended IP access list IP-Adm-V4-Int-ACL-global
10 permit tcp any any eq www
20 permit tcp any any eq 443
Extended IP access list implicit_deny
10 deny ip any any
Extended IP access list implicit_permit
10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list preauth_v4
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
20 deny tcp any any eq www (2010 matches)
30 deny tcp any any eq 22 (312 matches)
40 permit ip any any (1512 matches)
IPv6 access list implicit_deny_v6
deny ipv6 any any sequence 10
IPv6 access list implicit_permit_v6
permit ipv6 any any sequence 10
IPv6 access list preauth_v6
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

Not sure how this helps. I can hit the web UI of the switch from an IP that the switch doesn't have defined in its config.

Are you running NAT?
Do you have a static route toward the SW IP?

The only NAT is behind our firewall, but there is no route directly to the core switch from there.

On the switch, there is a route for "ip route 172.18.0.0 255.255.0.0 172.18.112.0"

Would this ip route cause the switch HTTP interface to be broadcast to all network IPs?
