01-31-2012 11:28 AM - edited 03-01-2019 05:32 PM
I have two 2811 routers with open ports that I am told to close.
Both routers are running the same IOS version.
flash:c2800nm-advipservicesk9-mz.124-25d.bin.
These are Internet facing routers and thus we do not run IPv6 on these routers (yet).
My question:
Is there a way to disable the three IPv6 listening ports?
1. Port 161 and 162 should only be open for our IPv4 SNMP server(s).
2. Port 64963 is unknown
3. Port 49402 is unknown
Thanks
Frank
REMOTE-HD# sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.16.21.10 2887 0 0 11 0
17 10.8.1.251 54120 172.16.21.10 161 0 0 1001 0
17 --listen-- 172.16.21.10 162 0 0 1011 0
17 --listen-- 172.16.21.10 59393 0 0 1011 0
17(v6) --listen-- --any-- 161 0 0 20001 0
17(v6) --listen-- --any-- 162 0 0 20011 0
17(v6) --listen-- --any-- 64963 0 0 20011 0
17 --listen-- 172.16.21.10 123 0 0 1 0
17 --listen-- 172.16.21.10 500 0 0 11 0
17 --listen-- 172.16.21.10 4500 0 0 11 0
17 10.8.1.9 514 172.16.21.10 51074 0 0 200 0
HQ_HD#sh ip sock
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.16.0.8 2887 0 0 11 0
17 10.8.1.11 59506 10.10.0.8 161 0 0 1001 0
17 --listen-- 172.16.0.8 162 0 0 1011 0
17 --listen-- 172.16.0.8 64265 0 0 1011 0
17(v6) --listen-- --any-- 161 0 0 20001 0
17(v6) --listen-- --any-- 162 0 0 20011 0
17(v6) --listen-- --any-- 49402 0 0 20011 0
17 --listen-- 172.16.0.8 123 0 0 1 0
17 --listen-- 172.16.0.8 500 0 0 11 0
17 --listen-- 172.16.0.8 4500 0 0 11 0
17 10.8.1.9 514 172.16.0.8 56794 0 0 200 0
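Since the question is about telling IPv4 listeners apart from the "17(v6)" rows across a fleet of routers, here is a small parser for the `show ip sockets` output shown above. This is an added example and is not code from the original thread or from Cisco; the two sample outputs are copied from the post, and the column handling (a `--listen--` row has no Remote Port column) is inferred from those rows.

```python
"""Parse Cisco IOS 'show ip sockets' output and flag IPv6 listening sockets.

Added example, not from the original thread.  The sample input below is the
'sh ip sockets' output of the two routers in the post; the column layout is
inferred from those rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the two outputs from the post, verbatim.
SAMPLE_OUTPUT = {
    "REMOTE-HD": """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.16.21.10 2887 0 0 11 0
17 10.8.1.251 54120 172.16.21.10 161 0 0 1001 0
17 --listen-- 172.16.21.10 162 0 0 1011 0
17 --listen-- 172.16.21.10 59393 0 0 1011 0
17(v6) --listen-- --any-- 161 0 0 20001 0
17(v6) --listen-- --any-- 162 0 0 20011 0
17(v6) --listen-- --any-- 64963 0 0 20011 0
17 --listen-- 172.16.21.10 123 0 0 1 0
17 --listen-- 172.16.21.10 500 0 0 11 0
17 --listen-- 172.16.21.10 4500 0 0 11 0
17 10.8.1.9 514 172.16.21.10 51074 0 0 200 0
""",
    "HQ_HD": """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.16.0.8 2887 0 0 11 0
17 10.8.1.11 59506 10.10.0.8 161 0 0 1001 0
17 --listen-- 172.16.0.8 162 0 0 1011 0
17 --listen-- 172.16.0.8 64265 0 0 1011 0
17(v6) --listen-- --any-- 161 0 0 20001 0
17(v6) --listen-- --any-- 162 0 0 20011 0
17(v6) --listen-- --any-- 49402 0 0 20011 0
17 --listen-- 172.16.0.8 123 0 0 1 0
17 --listen-- 172.16.0.8 500 0 0 11 0
17 --listen-- 172.16.0.8 4500 0 0 11 0
17 10.8.1.9 514 172.16.0.8 56794 0 0 200 0
""",
}


@dataclass(frozen=True)
class Socket:
    proto: int                  # IP protocol number; 17 = UDP
    ipv6: bool                  # True for rows printed as "17(v6)"
    listening: bool             # True when the Remote column is "--listen--"
    remote: Optional[str]
    remote_port: Optional[int]
    local: str                  # "--any--" for the IPv6 wildcard listeners
    local_port: int


_PROTO_RE = re.compile(r"^(\d+)(\(v6\))?$")


def parse_ip_sockets(text: str) -> List[Socket]:
    """Parse the rows of 'show ip sockets'; header and prompt lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        m = _PROTO_RE.match(tokens[0])
        if not m:
            continue  # "Proto Remote ..." header or a CLI prompt
        proto, is_v6 = int(m.group(1)), m.group(2) is not None
        if tokens[1] == "--listen--":
            # Listening rows carry no Remote Port column.
            sockets.append(Socket(proto, is_v6, True, None, None,
                                  tokens[2], int(tokens[3])))
        else:
            sockets.append(Socket(proto, is_v6, False, tokens[1], int(tokens[2]),
                                  tokens[3], int(tokens[4])))
    return sockets


def listening_ports(sockets: List[Socket], ipv6: bool) -> Set[int]:
    """Local ports in LISTEN state for one address family."""
    return {s.local_port for s in sockets if s.listening and s.ipv6 == ipv6}


def audit(outputs: Dict[str, str]) -> Dict[str, Dict[str, Set[int]]]:
    """Per router: IPv4/IPv6 listeners, plus IPv6 ports not shared by every router."""
    parsed = {host: parse_ip_sockets(out) for host, out in outputs.items()}
    v6 = {host: listening_ports(s, True) for host, s in parsed.items()}
    common = set.intersection(*v6.values()) if v6 else set()
    return {
        host: {
            "v4_listen": listening_ports(parsed[host], False),
            "v6_listen": v6[host],
            "v6_unique": v6[host] - common,
        }
        for host in parsed
    }


if __name__ == "__main__":
    for host, r in audit(SAMPLE_OUTPUT).items():
        print(f"{host}: IPv6 listeners {sorted(r['v6_listen'])}, "
              f"not shared with the other router {sorted(r['v6_unique'])}")
```

Feed `audit()` one captured `show ip sockets` per hostname and the `v6_unique` set points straight at the high, unexplained port that differs between otherwise identical routers (64963 on REMOTE-HD, 49402 on HQ_HD in the outputs above), while `v6_listen` lists the IPv6 wildcard listeners that the IPv4 `access-list 1` applied to SNMP cannot cover.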
02-01-2012 05:47 AM
Hello,
IPv6 ACL on the outbound interface (the interface connected to your provider).
Here is all you need to know to put together a filter:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw.html#wp1072502
HTH,
Calin
02-01-2012 08:15 AM
Hi Calin,
Yeaaa we were thinking about ACL interface filtering !!!
We didn't want to penalize the innocent with this (ACL) sort of blanket coverage. We have several hundred routers in this state.
We were hoping to get some insight as to why the ports are open since IPv6 is not enabled (no ipv6 unicast-routing).
:
We would like to disable the features in IOS that are causing the ports to be open in the first place. - Perhaps this is a TAC case?
:
The other weird thing is why the same IOS, same hardware, and nearly identical config have different IPv6 listening ports.
Regards
Frank
02-02-2012 02:39 AM
ipv6 unicast-routing refers only to the routing part of IPv6.
You don't have any command related to "ipv6" in your configuration?
I have a 28xx with 12.4(24)T6 and:
show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.30.32.1 1698 0 0 1 0
17 0.0.0.0 0 172.30.32.1 67 0 0 2211 0
17 --listen-- 172.30.32.1 711 0 0 1 0
17 --listen-- 172.30.32.1 646 0 0 1 0
17 --listen-- 172.30.32.1 3503 0 0 1 0
The only IPv6 command that I have is:
no ipv6 cef
HTH,
Calin
02-02-2012 06:57 AM
Here is the complete config; passwords, IP addresses, etc. removed.
NO reference to IPv6 anywhere.
HQ_HD#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.16.0.8 2887 0 0 11 0
17 10.8.1.11 59503 10.10.0.8 161 0 0 1001 0
17 --listen-- 172.16.0.8 162 0 0 1011 0
17 --listen-- 172.16.0.8 64265 0 0 1011 0
17(v6) --listen-- --any-- 161 0 0 20001 0
17(v6) --listen-- --any-- 162 0 0 20011 0
17(v6) --listen-- --any-- 49402 0 0 20011 0
17 --listen-- 172.16.0.8 123 0 0 1 0
17 --listen-- 172.16.0.8 500 0 0 11 0
17 --listen-- 172.16.0.8 4500 0 0 11 0
17 10.8.1.9 514 172.16.0.8 56794 0 0 200 0
HQ_HD#term leng 0
HQ_HD#sh run
Building configuration...
Current configuration : 5464 bytes
!
! Last configuration change at 14:12:54 EST Wed Feb 1 2012 by XXXXXXXXXXXXXXXX
! NVRAM config last updated at 14:12:56 EST Wed Feb 1 2012 by XXXXXXXXXXXXXXXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQ_HD
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-25d.bin
boot system flash:c2800nm-advipservicesk9-mz.124-25b.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret --removed--
!
aaa new-model
!
aaa group server tacacs+ group1
server --removed--
!
aaa authentication login default group group1 local line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group group1
aaa accounting commands 1 default stop-only group group1
aaa accounting commands 15 default stop-only group group1
aaa accounting connection default start-stop group group1
aaa accounting system default start-stop group group1
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name --removed--
ip name-server --removed--
ip name-server --removed--
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh source-interface Loopback0
ip ssh version 2
! !
crypto isakmp policy 10
encr --gone--
hash --gone--
authentication --gone--
group --removed--
crypto isakmp key --gone-- address --gone--
crypto isakmp keepalive xxxxx
!
crypto ipsec transform-set stronger --removed-- esp-sha-hmac
!
crypto map vpn 20 ipsec-isakmp
set peer --removed--
set transform-set stronger
match address 110
!
interface Loopback0
ip address 172.16.0.8 255.255.255.255
!
interface FastEthernet0/0
ip address removed--
!
interface FastEthernet0/1
ip address --removed--
ip access-group 100 in
ip tcp adjust-mss 1460
load-interval 30
crypto map vpn
hold-queue 100 out
!
ip forward-protocol nd
ip route --gone--
!
!
no ip http server
no ip http secure-server
!
logging history informational
logging facility syslog
logging source-interface Loopback0
logging --removed--
access-list 1 remark VTY and SNMP and ssh
access-list 1 permit --removed--
access-list 1 permit --removed--
access-list 1 deny any log
access-list 100 permit esp --removed--
access-list 100 permit udp --removed--
access-list 110 permit ip --removed--
access-list 110 permit ip --removed--
snmp-server engineID --removed--
snmp-server community --removed--
snmp-server community --removed--
snmp-server enable --removed--
!
!
tacacs-server host --removed-- key --gone--
tacacs-server directed-request
!
control-plane
!
scheduler allocate 20000 1000
ntp clock-period 17208029
ntp server --gone--
ntp server --gone--
ntp server --gone--
!
end
HQ_HD#sh run | i v6
...blank
HQ_HD#sh run | i V6
...blank
Thanks for helping
Frank