Cisco Support Community
New Member

Disable TCP port 5060 and port 1720

Our company owns a Cisco 2821 router. Doing an nmap scan on the router shows 2 open ports, TCP port 5060 and 1720. Can I stop the services listening on those ports? Any advice is appreciated.

Thank you.


Re: Disable TCP port 5060 and port 1720

Port 1720 is used for gatekeeper communication using the RAS protocol. Port 5060 is used by SIP. Sounds like you're running voice on your network. If so, these ports could be open for a reason. You may want to investigate the reason before closing the ports. Are the ports open to/from specific hosts? Feel free to post your config if you need further help.

Hope this helps. If so, please rate the post.

Brandon

Re: Disable TCP port 5060 and port 1720

Port 1720 (tcp) has little to do with gatekeepers and definitely is NOT for RAS communication.

Port 1720 is for direct Q.931 call signalling.

Stopping the voice ports could be done by this:

conf t
voice service voip
shutdown

Cisco Employee

Re: Disable TCP port 5060 and port 1720

You can disable the router listening on port 5060 by issuing this command:

router(config)#sip-ua
router(config-sip-ua)#no transport tcp
router(config-sip-ua)#no transport udp

For port 1720, you must configure an Access Control List (ACL), as shown:

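Router(config)#access-list 107 deny tcp any any eq 1720
! An ACL ends with an implicit deny, so permit all other traffic explicitly
Router(config)#access-list 107 permit ip any any
Router(config)#interface e0
Router(config-if)#ip access-group 107 in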

The reason the router listens on port 1720 is likely that you are using an IP PLUS feature set Cisco IOS image.

IP PLUS supports VoIP. It always has a default VoIP dial-peer (dial-peer 0). This listens on port 1720 for H.323 signaling. This behavior cannot be changed since the H.323 stack always runs with this feature set. If you do not want to use an ACL to control this behavior, you can use a feature set that does not support VoIP, such as an IP feature set.

To disable SIP, you need to upgrade to 12.3(8)T or later.

HTH,

Rob
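
Added example, not part of any reply in this thread: a Python check that reads a saved running-config and reports which of the three measures suggested above are in place. It also flags an inbound ACL that has only deny entries, since every IOS ACL ends with an implicit deny and such an ACL drops all traffic on the interface. The sample configuration and the names `sections` and `audit` are constructed for illustration, and the check assumes the commands appear in the configuration as typed in the replies.

```python
import re

# Constructed sample running-config (not from the thread). Assumption: the
# commands appear in the configuration as they were typed in the replies.
SAMPLE = """\
voice service voip
 shutdown
interface Ethernet0
 ip access-group 107 in
access-list 107 deny tcp any any eq 1720
access-list 107 permit ip any any
sip-ua
 no transport tcp
 no transport udp
"""

def sections(config):
    """Group indented sub-commands under their top-level config line."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators/comments
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit(config):
    sec = sections(config)
    acls, applied = {}, {}  # ACL number -> entries; interface -> inbound ACL number
    for top, subs in sec.items():
        m = re.fullmatch(r"access-list (\d+) (deny|permit) (.+)", top)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        for s in subs if top.startswith("interface ") else []:
            g = re.fullmatch(r"ip access-group (\d+) in", s)
            if g:
                applied[top.split(None, 1)[1]] = g.group(1)
    blocks_1720 = {n for n, e in acls.items() if ("deny", "tcp any any eq 1720") in e}
    # Every ACL ends with an implicit deny: with no permit entry it drops all traffic.
    deny_all = {n for n in blocks_1720 if all(a == "deny" for a, _ in acls[n])}
    return {
        "sip_listeners_off": {"no transport tcp", "no transport udp"} <= set(sec.get("sip-ua", [])),
        "voip_service_shutdown": "shutdown" in sec.get("voice service voip", []),
        "h323_filtered_on": sorted(i for i, n in applied.items() if n in blocks_1720),
        "drops_all_traffic_on": sorted(i for i, n in applied.items() if n in deny_all),
    }
```

Calling `audit()` on the text of a saved configuration returns the four findings as a dictionary; an interface listed under `drops_all_traffic_on` needs a permit entry in its ACL before the ACL is applied.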
