Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

New 2951 - 15.0(1)M2, with ipbase: why are port 25 and 110 open?

This is going to be our new Internet router. I expect port 22 to be open for SSH. But, I've got everything obvious turned off. Here is the test config (I dont' have the IP addrs from our new ISP yet):

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname clrinetrtr1

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

!

no aaa new-model

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

!

no ip bootp server

ip domain name contres.com

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-518123724

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-518123724

revocation-check none

rsakeypair TP-self-signed-518123724

!

!

crypto pki certificate chain TP-self-signed-518123724

certificate self-signed 01

  (You don't need this)

        quit

license udi pid CISCO2951/K9 sn (not relevant)

!

!

username root privilege 15 secret 5 NewtGingrichIsSatan

!

!

ip tcp synwait-time 10

!

!

!

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

ip address 10.10.10.1 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex full

speed 100

no mop enabled

!

interface GigabitEthernet0/1

description $ES_LAN$

ip address 10.20.20.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/2

ip address 192.168.1.241 255.255.254.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

no ip forward-protocol nd

!

no ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 192.168.0.1

!

logging trap debugging

access-list 23 permit 10.10.10.0 0.0.0.7

!

no cdp run

!

!

control-plane

!

banner login ^C

Continental Resources, Inc.

All activity is logged.

^C

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

login local

transport input ssh

line vty 5 15

privilege level 15

login local

transport input ssh

!

scheduler allocate 20000 1000

scheduler interval 500

end

Any clues? I'm going to ACL the outside interface anyway and only allow SSH from my personal NAT from the inside. But, why are SMTP and POP open on a fairly vanilla IOS?

1 REPLY
Cisco Employee

Re: New 2951 - 15.0(1)M2, with ipbase: why are port 25 and 110 o

I don't see an ACL on the any of the GE interfaces. Everything will be allow to go through the router.

For management, you are only allowing SSH to the VTY (management) of the router.

Regards,

jerry

286
Views
0
Helpful
1
Replies
CreatePlease to create content