Cisco 1811 - Security - Troubleshoot open ports

OSJF2009SDL
Level 1

Hi,

After a couple of weeks of lab practice, today I connected one of my new Cisco 1811 routers to an ISP ADSL line.

PPP connect went fine; after that I ran a quick scan using NMAP on the router from the outside.

Here is the result:

PORT     STATE    SERVICE     VERSION
21/tcp   open     tcpwrapped
22/tcp   open     ssh         Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931

Well, I remember I configured SSH and disabled telnet during practice in the lab. But I can't remember doing anything FTP-related.

I also read FTP is disabled by default on IOS.

What I'd like to know is: what is "tcpwrapped" on port 21? I don't think it's an FTP service as I wasn't able to connect to it using an FTP client.

Windows and Linux both have onboard utilities to troubleshoot listening ports, are there similar commands for IOS? How can I find out what is listening on a specific port?

What is the recommended way to post running config on this forum? I'd like to keep my posts clear.

Thanks in advance

Sebastian

3 Replies

Peter Paluch
Cisco Employee

Hi Sebastian,

You may be running a 12.4 IOS, in which case you could try the show ip sockets command. Unfortunately, in 12.4(11)T it has been replaced by other commands that do not display open TCP sockets readily (anybody knowing better here, PLEASE let us know if there is any way to display open TCP sockets under 12.4(11)T and newer!).

But I'd say that the NMAP probably saw a NATted port. Is it possible to repeat the experiment and have the same results over and over again?

Best regards,

Peter

Thanks for your reply, Peter,

I'm running c181x-advipservicesk9-mz.124-15.T13.bin - "show ip sockets" didn't work for me.

However, I found this command:

hydra#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:22   192.168.7.105:2003               SSH-Server ESTABLIS

Which is also strange: according to this output I would expect NMAP to display port 23 as open as well.

Yes, the NMAP scan output on the WAN interface is reproducible. I also noticed the scan result is different on the LAN; it only displays port 22 as open (which is correct). I did not configure any NAT rule for port 21 on the WAN interface. So it must be some default thing.

Best regards,

Sebastian
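The two outputs Sebastian posted (the NMAP table from the WAN side and the `show control-plane host open-ports` table) can be cross-checked mechanically. The script below is an added example, not code from this thread or from Cisco; it parses constructed samples shaped like those two outputs and flags, per port, whether the external view and the router's own listener table agree.

```python
import re

# Constructed samples shaped like the two outputs posted in the thread.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE     VERSION
21/tcp   open     tcpwrapped
22/tcp   open     ssh         Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931
"""
IOS_OPEN_PORTS = """\
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:22   192.168.7.105:2003               SSH-Server ESTABLIS
"""
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
IOS_LINE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Map (proto, port) -> (state, service) from nmap's port table."""
    ports = {}
    for m in filter(None, map(NMAP_LINE.match, text.splitlines())):
        ports[(m.group(2), int(m.group(1)))] = (m.group(3), m.group(4))
    return ports

def parse_ios_listeners(text):
    """Map (proto, port) -> service for LISTEN sockets; ESTABLIS rows are
    existing sessions, not exposed services, so they are skipped."""
    listeners = {}
    for m in filter(None, map(IOS_LINE.match, text.splitlines())):
        if m.group(4) == "LISTEN":
            listeners[(m.group(1), int(m.group(2)))] = m.group(3)
    return listeners

def reconcile(nmap_text, ios_text):
    """Cross-check both views. 'open' from outside with no router listener
    means something other than an IOS service answered (NAT, as Peter
    suggests); a listener the scan missed is blocked on that path."""
    seen, listen = parse_nmap(nmap_text), parse_ios_listeners(ios_text)
    report = {}
    for key, (state, _service) in seen.items():
        if state == "open" and key not in listen:
            report[key] = "open externally, no IOS listener: check NAT"
        elif state == "open":
            report[key] = f"IOS service {listen[key]} reachable from WAN"
    for key, svc in listen.items():
        report.setdefault(key, f"IOS listener {svc} not reachable from scan point")
    return report

if __name__ == "__main__":
    for (proto, port), verdict in sorted(reconcile(NMAP_OUTPUT, IOS_OPEN_PORTS).items()):
        print(f"{port}/{proto}: {verdict}")
```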

OSJF2009SDL
Level 1

I'm gonna bump this now since I still don't know what is listening on port 21 on the WAN interface, and I don't know how to disable it.

As a rookie I'm quite surprised that there seems to be no troubleshooting tool for this kind of issue. I mean... even Windows gives you tools for that, like the netstat, findstr and tasklist commands.
