Thank you for command however I found strange behaviour of cisco router. Scan found few ports opened on device:
above mentioned tcp9067 but also
tcp2067 - Data-Link Switching
tcp4067 - Information Distribution Protocol
tcp6067 - SRB (source-route bridging ) protocol

For all of them, when I make a telnet to mgmt IP with that ports I received login prompt, is that normal behaviour? Usually when port is opened there is only "black screen" indicating that connection has been established.

None of this ports are listed under "show control-plane host open-ports"

Interesting. At the moment you're actual connected on those tcp ports via telnet, you can go to the router and run the command "show control-plane host open-ports". It not only shows you what's listening (labeled as "LISTEN") but it should show you currently established connections (labeled as "ESTABLIS") and what process is on the router end of said session. If those ports still don't show up even as there is a seemingly open telnet session, go to the host you initiated the telnet session from and run:

 netstat -n | findstr "10.10.10.10"

... assuming the router's IP address is 10.10.10.10. See if it really shows that it's established or SYN_SENT or something else. If you're using a flavor of UNIX, change findstr to grep. Other commands that show you established sessions are "show tcp" or "show tcp brief" but those don't show you the processes involved so they are not as useful for finding the information you're looking for.

Good luck.

Matt, thank you for response. You're right, port showed up in output of "show control-plane host open-ports" but timeout was very short and that's why I didn't noticed it. Unfortunately it's not telling me much:

Prot               Local Address             Foreign Address                  Service    State

 tcp                      *:9067           <my_IP>:51509            TCP Protocols ESTABLIS

as there is only "TCP Protocols" marked as a service. I opened a TAC case for that and will see what they will tell me. Thank you once again.

Regards,

Lukasz

Wow, that's really interesting. I would love to hear the follow-up from your TAC case!

Cheers,
Matt

I have had the same issue.

It looks like port 9067 allows remote telnet access to the embedded service engine card on the router.

In my case I have a 2951 running CME/Unity Express.

Unity Express is on the service engine card.

Looking at blocking that port with an access list on the router now!

I have had the same issue.
It looks like TCP ports 2067, 4067, 6067, 9067 allows remote telnet access to the SM-ES3G-16-P service module card on the router. This ports are mapping to con0 console port. If it has default config, then I can connect to the service module from network without password with privilege level 15.