udp port 49

Answered Question
Apr 19th, 2007
User Badges:

HI,

We recently ran a scan of some of our core routers and found udp port 49 open on a cisco 6509. Cisco docs mention xtacacs uses this port. Why is this port open ? Which service is using it?

Correct Answer by eofelt about 10 years 2 months ago

Good stuff!


I hope I helped in the right direction or

at least confirmed what you already knew.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
luqmankondeth Thu, 04/19/2007 - 08:44
User Badges:

to give an update,

I scanned more routers and all of them had udp port 49 open. Interestingly the first time I ran it on a certain router it wasnt open , but the second time I ran the same nmap, it was open!!!

Any ideas?

eofelt Thu, 04/19/2007 - 09:56
User Badges:
  • Bronze, 100 points or more


It's a UDP Broadcast Forwarding by Cisco's IP Helper.


If an IP helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default.


TACACS does use Port 49


HTH, Please rate

luqmankondeth Thu, 04/19/2007 - 10:50
User Badges:

Well, I thought so too, in the beginning, But ive checked the configs of all routers for the helper address commands. I havent found any...

Now, May b I should disable directed broadcasts on that IP address & udp forwarding even though its not configured to begin with...


eofelt Tue, 05/01/2007 - 05:56
User Badges:
  • Bronze, 100 points or more

Did that resolve your issue?


If so, please rate.

luqmankondeth Thu, 05/03/2007 - 05:38
User Badges:

ive finally come to the conclusion that its tacacs, or rather cisco's implementation of it==xtacacs that uses udp49.


i found that only on routers enabled for aaa is the port 49 open (all our aaa implementations use tacacs)


though not all questions have been answered bout this issue, im letting it rest for the moment.

Correct Answer
eofelt Thu, 05/03/2007 - 06:43
User Badges:
  • Bronze, 100 points or more

Good stuff!


I hope I helped in the right direction or

at least confirmed what you already knew.



Actions

This Discussion