Our company owns a Cisco 2821 router. Doing an nmap scan on the router shows 2 open ports, TCP port 5060 and 1720. Can I stop the services listening on those ports? Any advice is appreciated.
Port 1720 is used for gatekeeper communication using the RAS protocol. Port 5060 is used by SIP. Sounds like you're running voice on your network. If so, these ports could be open for a reason. You may want to investigate the reason before closing the ports. Are the ports open to/from specific hosts? Feel free to post your config if you need further help.
Hope this helps. If so, please rate the post.
Port 1720 (tcp) has little to do with gatekeepers and definitely is NOT for RAS communication.
Port 1720 is for direct Q.931 call signalling.
Stopping the voice ports could be done by this:
voice service voip
You can disable the router listening on port 5060 by issuing this command:
router(config-sip-ua)#no transport tcp
router(config-sip-ua)#no transport udp
For port 1720, you must configure an Access Control List (ACL), as shown:
Router(config)#access-list 107 deny tcp any any eq 1720
! needed: an IOS ACL ends with an implicit deny, so without this permit every other inbound packet on the interface is dropped as well
Router(config)#access-list 107 permit ip any any
Router(config-if)#ip access-group 107 in
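As an added example (not from the thread), a small Python audit that parses an IOS running-config excerpt and checks both changes above: that sip-ua no longer listens on TCP or UDP, and that an inbound ACL denies TCP 1720 on an interface. It also flags the common pitfall of an ACL with no permit entry, which drops all other inbound traffic because IOS ACLs end with an implicit deny. The sample config, interface name and ACL number 107 are constructed placeholders.

```python
import re

# Constructed IOS running-config excerpt (not from the post); interface name is a placeholder.
SAMPLE_CONFIG = """sip-ua
 no transport udp
 no transport tcp
!
interface GigabitEthernet0/0
 ip access-group 107 in
!
access-list 107 deny tcp any any eq 1720
access-list 107 permit ip any any
"""

def parse_config(text):
    """Return (enabled SIP transports, {acl: [entries]}, [(iface, acl, direction)])."""
    sip = {"tcp", "udp"}                      # IOS default: sip-ua listens on both
    acls, bindings, section, iface = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):           # top-level command ends any sub-mode
            section, iface = None, None
            if line == "sip-ua":
                section = "sip-ua"
            elif line.startswith("interface "):
                section, iface = "interface", line.split(None, 1)[1]
            elif m := re.match(r"access-list (\d+) (.+)", line):
                acls.setdefault(m.group(1), []).append(m.group(2))
        elif section == "sip-ua" and (m := re.match(r"(no )?transport (tcp|udp)$", line)):
            (sip.discard if m.group(1) else sip.add)(m.group(2))
        elif section == "interface" and (m := re.match(r"ip access-group (\d+) (in|out)$", line)):
            bindings.append((iface, m.group(1), m.group(2)))
    return sip, acls, bindings

def audit_voice_ports(text):
    """Check the two hardening steps from the thread plus the implicit-deny pitfall."""
    sip, acls, bindings = parse_config(text)
    findings = {"sip_listener_disabled": not sip, "h323_1720_blocked": False,
                "acl_blackholes_traffic": []}
    for iface, num, direction in bindings:
        entries = acls.get(num, [])
        if direction == "in" and any(re.fullmatch(r"deny tcp any any eq (1720|h323)", e) for e in entries):
            findings["h323_1720_blocked"] = True
        # Implicit deny at the end of every IOS ACL: no permit entry means all other traffic is dropped.
        if not any(e.startswith("permit") for e in entries):
            findings["acl_blackholes_traffic"].append((iface, num, direction))
    return findings
```

Run `audit_voice_ports` on the output of `show running-config` to confirm the change before relying on a rescan.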
The reason the router listens on port 1720 is likely that you are using an IP PLUS feature set Cisco IOS image.
IP PLUS supports VoIP. It always has a default VoIP dial-peer (dial-peer 0). This listens on port 1720 for H.323 signaling. This behavior cannot be changed since the H.323 stack always runs with this feature set. If you do not want to use an ACL to control this behavior, you can use a feature set that does not support VoIP, such as an IP feature set.
To disable SIP, you need to upgrade to 12.3(8)T or later.