Solved: udp port 49

luqmankondeth · ‎04-19-2007

HI,

We recently ran a scan of some of our core routers and found udp port 49 open on a cisco 6509. Cisco docs mention xtacacs uses this port. Why is this port open ? Which service is using it?

eofelt · ‎05-03-2007

Good stuff!

I hope I helped in the right direction or

at least confirmed what you already knew.

View solution in original post

luqmankondeth · ‎04-19-2007

to give an update,

I scanned more routers and all of them had udp port 49 open. Interestingly the first time I ran it on a certain router it wasnt open , but the second time I ran the same nmap, it was open!!!

Any ideas?

eofelt · ‎04-19-2007

It's a UDP Broadcast Forwarding by Cisco's IP Helper.

If an IP helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default.

TACACS does use Port 49

HTH, Please rate

luqmankondeth · ‎04-19-2007

Well, I thought so too, in the beginning, But ive checked the configs of all routers for the helper address commands. I havent found any...

Now, May b I should disable directed broadcasts on that IP address & udp forwarding even though its not configured to begin with...

eofelt · ‎05-01-2007

Did that resolve your issue?

If so, please rate.

luqmankondeth · ‎05-01-2007

no, it didnt...

still looking for an answer

luqmankondeth · ‎05-03-2007

ive finally come to the conclusion that its tacacs, or rather cisco's implementation of it==xtacacs that uses udp49.

i found that only on routers enabled for aaa is the port 49 open (all our aaa implementations use tacacs)

though not all questions have been answered bout this issue, im letting it rest for the moment.

eofelt · ‎05-03-2007

Good stuff!

I hope I helped in the right direction or

at least confirmed what you already knew.