PIX shows all this ports still open

I see a lot of these ports open:

7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
22 SSH Remote Login Protocol
23 Telnet
25 Simple Mail Transfer
37 Time
43 Who Is
53 Domain Name Server
70 Gopher
79 Finger
80 World Wide Web HTTP
88 Kerberos
109 Post Office Protocol - Version 2
110 Post Office Protocol - Version 3
113 Authentication Service
119 Network News Transfer Protocol
139 NETBIOS Session Service
143 Internet Message Access Protocol
389 Lightweight Directory Access Protocol
443 https MCom
465 ssmtp
513 remote login a la telnet
554 Real Time Stream Control Protocol
563 snews
569 microsoft rome
636 ssl-ldap
749 kerberos administration
995 SSL based POP3
1494 ica
1720 h323hostcall
1755 ms-streaming
5050 multimedia conference control tool
5190 America-Online

This is my configuration of the PIX:

                     DMZ
            206.x.x.128-206.x.x.254
                      |
                      |
Inside (170.x.x.x and 10.0.0.x) --- Firewall --- 206.x.x.x / 206.x.x.126 --- router --- internet
                      |
                      |
                ISP2 171.x.x.x

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISP2 security60
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
nameif ethernet6 intf6 security30
nameif ethernet7 failover security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
pager lines 24
logging on
logging monitor errors
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 100full
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu ISP2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu failover 1500
ip address outside 206.X.X.X 255.255.255.128
ip address inside 170.X.X.X 255.255.255.0
ip address DMZ 206.X.X.252 255.255.255.128
ip address ISP2 171.X.X.21 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address intf6 127.0.0.1 255.255.255.255
ip address failover 7.7.7.7 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 206.X.X.X
failover ip address inside 170.X.X.3
failover ip address DMZ 206.X.X.253
failover ip address ISP2 171.X.X.21
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover ip address intf6 0.0.0.0
failover ip address failover 7.7.7.8
failover link failover
pdm location 170.X.X.X 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128
global (outside) 1 206.X.X.X
global (DMZ) 1 206.X.X.X-206.X.X.X
nat (inside) 1 1 170.X.X.X 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 206.X.X.X
route inside 10.0.0.0 255.0.0.0 170.X.X.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e
: end
[OK]

How do I secure this one? Is my config wrong?

Please advise me.

Thanks

7 REPLIES

Re: PIX shows all this ports still open

I would start with a question. What is telling you these ports are open? Are you scanning the outside interface?

The only strange thing I see is the "conduit permit icmp any any" amidst a config using access-lists. According to everything I've read, you shouldn't mix conduits and access-lists. Besides, you already have the "permit icmp any any" in your access-list. You may want to tighten that up a bit.

Pete


Re: PIX shows all this ports still open

I did a scan from outside with SuperScanner against the outside interface IP address.

I will remove the conduit statement.

What I am worried about is why it's showing all the ports even though I had an access-list.


Re: PIX shows all this ports still open

Exactly how are you going about testing this?

Did you test this from outside of your organization or from inside your organization?

On the PIX all ports should be in a closed state unless explicitly permitted in an access-list. Also, traffic should not be able to flow from an interface with a lower security level (i.e., outside) to one with a higher security level (i.e., inside) unless you explicitly permitted it. You have created an access-list and applied it to the outside interface, which is good. You are only permitting mail and DNS to the DMZ. Once again, how did you test this to get these results?

P.S. I would change that SNMP password.
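The point made above (nothing gets through the outside interface unless the ACL permits it) can be checked mechanically against a scan report. This added Python example, not from the thread, evaluates the posted outside_access_in ACL first-match with implicit deny and lists scanner-reported "open" ports the ACL should block; the 206.0.0.x hosts are constructed stand-ins for the redacted 206.X.X.X addresses.

```python
"""Added example, not from the thread: evaluate the poster's outside_access_in
ACL first-match (implicit deny) and list scanner "open" ports it should block."""
import re

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}  # PIX port keywords (subset)
# The ACL as posted; 206.0.0.x are constructed stand-ins for the redacted hosts.
ACL = """
access-list outside_access_in permit tcp any host 206.0.0.10 eq smtp
access-list outside_access_in permit udp any host 206.0.0.11 eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
""".strip().splitlines()

ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (tcp|udp|icmp|ip) any "
                    r"(?:any|host (\S+))(?: eq (\S+))?$")

def parse_acl(lines):
    """Return a list of (action, proto, dst_host_or_None, dst_port_or_None)."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE syntax: " + line)
        _, action, proto, host, port = m.groups()
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        aces.append((action, proto, host, port))
    return aces

def acl_permits(aces, dst, proto, port=None):
    """First matching ACE decides; no match means the PIX drops the packet."""
    for action, aproto, ahost, aport in aces:
        # 'ip' matches every protocol; a None host or port means 'any'
        if aproto in ("ip", proto) and ahost in (None, dst) and aport in (None, port):
            return action == "permit"
    return False

def unexpected_open(aces, scan):
    """Keep the (dst_ip, proto, port) scan entries the outside ACL should block."""
    return [entry for entry in scan if not acl_permits(aces, *entry)]

# Constructed scan result; 206.0.0.1 stands for the PIX outside interface itself.
SCAN = [("206.0.0.10", "tcp", 25), ("206.0.0.10", "tcp", 23),
        ("206.0.0.11", "udp", 53), ("206.0.0.11", "tcp", 80),
        ("206.0.0.1", "tcp", 22)]

if __name__ == "__main__":
    for dst, proto, port in unexpected_open(parse_acl(ACL), SCAN):
        print(f"{dst} {proto}/{port}: reported open but denied by the ACL")
```

Anything this prints is either a scanner false positive or traffic reaching the target by a path the ACL does not govern, which is the distinction the replies above are trying to establish.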


Re: PIX shows all this ports still open

Outside of my organization.

I tested with the SuperScan 2.06 tool.

This PIX is not in production yet but is running parallel to my production; I am testing this PIX, and I want to make sure before I move it into production.


Re: PIX shows all this ports still open

OK, it shows those ports open, but on what addresses? Is it the PIX outside interface or IPs behind the PIX?

Also, just as a test, remove the icmp any any to see what results you get then.

Pete


Re: PIX shows all this ports still open

These ports are open on the outside interface of the PIX,

and also on the servers in the DMZ.


Re: PIX shows all this ports still open

I would try limiting the number of half-open connections to my DMZ servers for added protection:

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 -->0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 -->0

I would also employ the use of attack guards (ip audit)

to help against port scans (ip audit name WHATEVER info action alarm reset) from the outside, if possible, and light DoS (ip audit name WHATEVER attack action alarm drop reset), and apply it to the outside interface.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1027034

Here is something I am working on, on my web site.

Although this is CBAC for an IOS router, the theory and results are basically the same.

http://www.geocities.com/dgarnett2002/cbac.html
