IOS and CBAC

pchicci
Level 1

Can anyone tell me why, if I have an access list that only allows 80 and 443 to pass through, I can still see all other ports open when I run penetration software such as Cyber Cop? Is there something that I need to add to keep these ports from responding?

4 Replies

rstaaf
Level 1

I am assuming we are talking about a PIX here. The PIX closes all ports by default, and the only way you could be seeing other open ports is if you have a conduit or an access list and group in there that opens them. Make sure you don't have both conduits and access lists, because they won't work together; you need to use one or the other. Also look for the keywords "any any" near the end of any of your access lists.

Hope this helps.

Bob

pchicci
Level 1

This is just a 3600 with ACLs on it. This router is in front of a firewall.

After you create the access-list, you have to go into the interface you want to apply it to and apply it as either inbound or outbound on that interface. Have you done this?

If so, can you post the access-list and the interface you've applied it to? (removing any public IPs, of course :)

Regards,

Thomas

I did do that; see the list and interfaces below.

interface Serial0/0
 ip address x.x.x.x
 ip access-group 111 in
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable

access-list 111 deny tcp any any eq 8080 log
access-list 111 deny tcp any any eq 20034 log
access-list 111 deny tcp any any eq 27665 log
access-list 111 deny tcp any any eq 65512 log
access-list 111 deny tcp any any eq 16660 log
access-list 111 deny tcp any any eq 65513 log
access-list 111 deny tcp any any eq 65000 log
access-list 111 deny tcp any any eq 31337 log
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp any host x.x.x.x eq www
access-list 111 permit tcp any host x.x.x.x eq 443
access-list 111 permit tcp host x.x.x.x host x.x.x.x
access-list 111 deny ip x.x.x.x any
access-list 111 deny ip x.x.x.x any
access-list 111 deny ip x.x.x.x any
access-list 111 permit tcp host x.x.x.x any eq bgp
access-list 111 deny icmp any any echo
access-list 111 deny tcp any any log
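The thread stops before anyone walks the list line by line, which is the first check to make when a scan disagrees with an ACL: IOS evaluates an extended access list top-down, the first matching entry wins, and anything unmatched hits the implicit deny at the end. The Python below is an added example, not code from the thread or from Cisco; it parses entries in the shape posted above (with constructed RFC 5737 addresses standing in for the redacted x.x.x.x hosts) and reports which entry a given probe would hit. It assumes a bare address means a single host, ignores wildcard masks and ICMP type keywords, and knows only the named ports the posted list uses.

```python
import ipaddress
import re

# Constructed sample in the shape of the ACL posted above; the redacted
# x.x.x.x hosts are replaced with RFC 5737 documentation addresses.
SAMPLE_ACL = """\
access-list 111 deny tcp any any eq 8080 log
access-list 111 deny tcp any any eq 31337 log
access-list 111 permit tcp any host 192.0.2.10 eq www
access-list 111 permit tcp any host 192.0.2.10 eq 443
access-list 111 permit tcp host 198.51.100.5 host 192.0.2.10
access-list 111 deny ip 203.0.113.7 any
access-list 111 permit tcp host 198.51.100.9 any eq bgp
access-list 111 deny icmp any any echo
access-list 111 deny tcp any any log
"""

PORT_NAMES = {"www": 80, "bgp": 179}  # only the named ports the posted ACL uses

# action, protocol, source, destination, optional 'eq <port>', optional 'echo', optional 'log'
ACE_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+(any|host\s+\S+|\S+)\s+"
    r"(any|host\s+\S+|\S+)(?:\s+eq\s+(\S+))?(?:\s+echo)?(?:\s+log)?\s*$"
)

def _addr_match(field, ip):
    """'any', 'host A.B.C.D', or a bare address (assumed to mean a single host)."""
    if field == "any":
        return True
    return ipaddress.ip_address(field.split()[-1]) == ipaddress.ip_address(ip)

def parse_acl(text):
    """Return the entries in order as (action, proto, src, dst, port) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised lines are skipped, never treated as permits
        action, proto, src, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; returns (action, 1-based entry index or None)."""
    for i, (action, aproto, asrc, adst, aport) in enumerate(aces, 1):
        if aproto not in ("ip", proto):
            continue
        if not (_addr_match(asrc, src) and _addr_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, i
    return "deny", None  # the implicit 'deny ip any any' at the end of every IOS ACL

def permitted_ports(aces, src, dst, ports):
    """TCP destination ports a probe from src to dst would be allowed through."""
    return [p for p in ports if evaluate(aces, "tcp", src, dst, p)[0] == "permit"]
```

Running `permitted_ports` for a scanner address against the protected host shows which entry, if any, opens a port the author expected closed; in the sample the host-to-host permit with no port is the one that lets every TCP port through from that single source.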