Beginner

Disable TCP port 5060 and port 1720

Our company owns a Cisco 2821 router. Doing an nmap scan on the router shows 2 open ports, TCP port 5060 and 1720. Can I stop the services listening on those ports? Any advice is appreciated.

Thank you.

3 REPLIES

Re: Disable TCP port 5060 and port 1720

Port 1720 is used for gatekeeper communication using the RAS protocol. Port 5060 is used by SIP. Sounds like you're running voice on your network. If so, these ports could be open for a reason. You may want to investigate the reason before closing the ports. Are the ports open to/from specific hosts? Feel free to post your config if you need further help.

Hope this helps. If so, please rate the post.

Brandon

Enthusiast

Re: Disable TCP port 5060 and port 1720

Port 1720 (tcp) has little to do with gatekeepers and definitely is NOT for RAS communication.

Port 1720 is for direct Q.931 call signalling.

Stopping the voice ports could be done by this:

conf t
voice service voip
shutdown

Cisco Employee

Re: Disable TCP port 5060 and port 1720

You can disable the router listening on port 5060 by issuing this command:

router(config)#sip-ua
router(config-sip-ua)#no transport tcp
router(config-sip-ua)#no transport udp

For port 1720, you must configure an Access Control List (ACL), as shown:

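Router(config)#access-list 107 deny tcp any any eq 1720
! Without a permit entry, the implicit deny at the end of the ACL drops all other inbound traffic on the interface
Router(config)#access-list 107 permit ip any any
Router(config)#interface e0
Router(config-if)#ip access-group 107 in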

The reason the router listens on port 1720 is likely that you are using an IP PLUS feature set Cisco IOS image.

IP PLUS supports VoIP. It always has a default VoIP dial-peer (dial-peer 0). This listens on port 1720 for H.323 signaling. This behavior cannot be changed since the H.323 stack always runs with this feature set. If you do not want to use an ACL to control this behavior, you can use a feature set that does not support VoIP, such as an IP feature set.

To disable SIP, you need to upgrade to 12.3(8)T or later.

HTH,

Rob
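
Added example, not part of any reply in this thread: a Python sketch that audits a saved running-config for the measures the replies describe (shutdown under "voice service voip", "no transport tcp" and "no transport udp" under sip-ua, an inbound ACL denying TCP 1720) and flags an applied ACL that has no permit entry. The sample config and the sections/audit helpers are constructed for illustration; it assumes the commands appear in the saved config as typed and follows the second reply in treating the "voice service voip" shutdown as covering both ports.

```python
import re

# Constructed sample in running-config style (not from the thread); deliberately incomplete.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip access-group 107 in
!
access-list 107 deny   tcp any any eq 1720
!
sip-ua
 no transport tcp
"""

def sections(config):
    """Map each top-level command to its indented sub-commands (whitespace normalised)."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        text = " ".join(line.split())
        if line[0].isspace() and current is not None:
            out[current].append(text)
        elif not line[0].isspace():
            current = text
            out.setdefault(current, [])
    return out

def audit(config):
    """Hypothetical helper: list which of the thread's measures are missing or unsafe."""
    sec, findings = sections(config), []
    voip_down = "shutdown" in sec.get("voice service voip", [])  # second reply's measure
    for proto in ("tcp", "udp"):
        if not voip_down and f"no transport {proto}" not in sec.get("sip-ua", []):
            findings.append(f"SIP {proto}/5060 still enabled: 'no transport {proto}' missing under sip-ua")
    acls = {}  # ACL number -> [(action, rest of entry), ...]
    for cmd in sec:
        m = re.match(r"access-list (\d+) (deny|permit) (.+)", cmd)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    applied = [n for n, aces in acls.items()
               if ("deny", "tcp any any eq 1720") in aces
               and any(f"ip access-group {n} in" in subs for subs in sec.values())]
    if not applied and not voip_down:
        findings.append("no ACL denying tcp/1720 is applied inbound on any interface")
    for n in applied:
        if all(action == "deny" for action, _ in acls[n]):
            findings.append(f"ACL {n} has no permit entry: implicit deny drops all other inbound traffic")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the missing "no transport udp" and the deny-only ACL 107.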
