IOS 12.4 nmap scan port 110 (pop3) open

Andrew von Nagy
Level 1

When I nmap scan my Cisco 871 router running IOS 12.4(9)T it shows that port 110 (pop3) is open. I am unable to find what process is configured causing this port to be open. I am not running webVPN as a POP3 proxy.

Does anyone know what this may be and how to close it?

4 Replies

ROBERTO TACCON
Level 4

Hi,

Maybe there is some NAT configured?

Paste the configuration (sh tech).

Regards

Yes, I do have NAT Overload configured. But why would that open up port 110 on the router itself?

Here is the show run (part 1 of 2):

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 51200 warnings
no logging rate-limit
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
!
resource policy
!
clock timezone CST -6
clock summer-time CST recurring
no ip source-route
ip cef
!
!
ip dhcp database tftp://10.10.10.3/DHCP/Cisco871Leases.txt
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.10.0 10.10.10.7
!
ip dhcp pool sdm-pool
 import all
 network 10.10.10.0 255.255.255.240
 default-router 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip ssh version 2
ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac icmp
ip inspect name cbac ftp
ip inspect name cbac isakmp
!
!
crypto pki trustpoint TP-self-signed-1747397358
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1747397358
 revocation-check none
 rsakeypair TP-self-signed-1747397358
!
!
crypto pki certificate chain TP-self-signed-1747397358
 certificate self-signed 01
  quit
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username privilege 15 secret 5
!
!
!
bridge irb
!
!
!
interface FastEthernet0
 description Switchport 0
 bandwidth 100000
!
interface FastEthernet1
 description Switchport 1
 bandwidth 100000
!
interface FastEthernet2
 description Switchport 2
 bandwidth 100000
!
interface FastEthernet3
 description Switchport 3
 bandwidth 100000
!
interface FastEthernet4
 description Outside
 bandwidth 100000
 no ip dhcp client request tftp-server-address
 no ip dhcp client request netbios-nameserver
 no ip dhcp client request vendor-specific
 ip address dhcp client-id FastEthernet4
 ip access-group IngressFilter in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 description Switchport WLAN
 bandwidth 54000
 no ip address
 !
 broadcast-key change 3600
 !
 !
 encryption mode ciphers tkip
 !
 ssid
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7
 !
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description VLAN 1 INSIDE
 bandwidth 100000
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description VLAN 2 DMZ
 bandwidth 100000
 no ip address
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description Inside
 bandwidth 100000
 ip address 10.10.10.1 255.255.255.240
 ip access-group EgressFilter in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip inspect cbac in
 ip virtual-reassembly
!

(see part 2 of 2)

Part 2 of 2 (show run):

!
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list standard ADMIN
 permit 10.10.10.0 0.0.0.15
 deny any
!
ip access-list extended EgressFilter
 remark Allow DHCP Traffic for Internal Clients
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 10.10.10.1 eq bootps
 remark Allow SSH, SSL, SNMP and TFTP to Cisco Router
 permit tcp 10.10.10.0 0.0.0.15 host 10.10.10.1 eq 22
 permit tcp 10.10.10.0 0.0.0.15 host 10.10.10.1 eq 443
 permit udp host 10.10.10.3 host 10.10.10.1 eq snmp
 permit udp 10.10.10.0 0.0.0.15 eq tftp host 10.10.10.1
 remark Allow Specific ICMP Traffic and Deny the Rest
 permit icmp 10.10.10.0 0.0.0.15 any echo
 permit icmp 10.10.10.0 0.0.0.15 host 10.10.10.1 echo-reply
 deny icmp any any
 remark Deny Traffic to Private Addresses
 deny ip any 0.0.0.0 0.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.0.2.0 0.0.0.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 224.0.0.0 15.255.255.255
 remark Allow Specific Application Traffic
 permit tcp 10.10.10.0 0.0.0.15 any eq ftp
 permit tcp 10.10.10.0 0.0.0.15 any eq smtp
 permit udp 10.10.10.0 0.0.0.15 any eq domain
 permit tcp 10.10.10.0 0.0.0.15 any eq www
 permit tcp 10.10.10.0 0.0.0.15 any eq pop3
 permit udp 10.10.10.0 0.0.0.15 any eq ntp
 permit tcp 10.10.10.0 0.0.0.15 any eq 443
 permit udp 10.10.10.0 0.0.0.15 host 204.234.80.253 eq isakmp
 permit tcp 10.10.10.0 0.0.0.15 host 216.170.63.107 eq 510
 permit tcp 10.10.10.0 0.0.0.15 any eq 554
 permit tcp 10.10.10.0 0.0.0.15 any eq 8080
 permit tcp 10.10.10.0 0.0.0.15 host 204.234.80.253 eq 10000
 permit udp 10.10.10.0 0.0.0.15 any range 33400 34400
 remark Deny All Other Traffic
 deny ip any any
ip access-list extended IngressFilter
 remark Allow DHCP Traffic for WAN Interface
 permit udp any eq bootps any eq bootpc
 remark Deny Traffic from Private Address Blocks
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 remark Allow NTP Traffic
 permit udp any eq ntp any
 remark Deny All Other Traffic
 deny ip any any log
ip access-list extended NAT
 permit ip 10.10.10.0 0.0.0.15 any
!
logging 10.10.10.3
access-list 1 remark HTTP ADMIN ACL
access-list 1 permit 10.10.10.0 0.0.0.15
access-list 1 deny any log
access-list 2 remark SNMP ACL
access-list 2 permit 10.10.10.3
access-list 2 deny any log
snmp-server community RO 2
snmp-server contact
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd
Authorized Access Only!!!
This is the property of . Unauthorized access of this device by any other parties will be regarded as malicious. All access attempts are logged and reviewed.
DISCONNECT IMMEDIATELY!
For inquiries contact via email.
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class ADMIN in
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175083
ntp server 192.43.244.18
ntp server 129.6.15.29
ntp server 129.6.15.28
end

m_breuer
Level 1

Hi Andrew,

I had the same problem with a port scanner showing port 110 as open. Most likely this issue is related to your PC running antivirus software that pretends the port is open. I turned off virus protection and the scanner showed port 110 as closed.

Best regards,

Michael
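
A way to test the explanation in the last reply, as an added example that is not part of the original thread: probe port 110 on the router and on a control address where nothing can be listening, and compare the two results. The control address 192.0.2.1 and the function names are assumptions of this example; the router address is the BVI1 address from the posted configuration.

```python
import socket

POP3_PORT = 110
# Assumption: 192.0.2.1 (RFC 5737 documentation range) has no real host behind it,
# and the posted EgressFilter denies 192.0.2.0/24, so nothing past the router can answer.
CONTROL_ADDR = "192.0.2.1"

def tcp_open(host, port=POP3_PORT, timeout=2.0):
    """True if a full TCP handshake to host:port completes from this machine."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False

def read_banner(host, port=POP3_PORT, timeout=2.0):
    """First bytes the service sends after connect, or '' if it stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""

def assess(target_open, control_open, banner):
    """Classify a port-110 result using the control probe as a baseline."""
    if not target_open:
        return "closed"
    if control_open:
        # An address with no host behind it also "answers": the handshake is
        # being completed on or near the scanning PC, not by the router.
        return "intercepted"
    if banner.startswith("+OK"):
        return "listening"      # a POP3 greeting came back from the target
    return "inconclusive"       # accepted but silent: rescan from another host

if __name__ == "__main__":
    router = "10.10.10.1"       # BVI1 address from the posted configuration
    verdict = assess(tcp_open(router), tcp_open(CONTROL_ADDR), read_banner(router))
    print(f"port {POP3_PORT} on {router}: {verdict}")
```

An "intercepted" verdict matches the antivirus explanation; repeating the run with mail scanning disabled, or from a host without it, should then return "closed".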