New 2951 - 15.0(1)M2, with ipbase: why are ports 25 and 110 open?

mitchrussell42
Level 1

This is going to be our new Internet router. I expect port 22 to be open for SSH. But, I've got everything obvious turned off. Here is the test config (I don't have the IP addrs from our new ISP yet):

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname clrinetrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
no ip bootp server
ip domain name contres.com
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-518123724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-518123724
 revocation-check none
 rsakeypair TP-self-signed-518123724
!
crypto pki certificate chain TP-self-signed-518123724
 certificate self-signed 01
  (You don't need this)
  quit
license udi pid CISCO2951/K9 sn (not relevant)
!
username root privilege 15 secret 5 NewtGingrichIsSatan
!
ip tcp synwait-time 10
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex full
 speed 100
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_LAN$
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 ip address 192.168.1.241 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
!
no cdp run
!
control-plane
!
banner login ^C
Continental Resources, Inc.
All activity is logged.
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500
end

Any clues? I'm going to ACL the outside interface anyway and only allow SSH from my personal NAT from the inside. But, why are SMTP and POP open on a fairly vanilla IOS?

1 Reply

Jerry Ye
Cisco Employee

I don't see an ACL on any of the GE interfaces. Everything will be allowed to go through the router.

For management, you are only allowing SSH to the VTY (management) of the router.

Regards,

jerry
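The point of the reply is that these are two separate questions: with no access-group on any interface, an outside scan sees whatever answers behind the router, while the router's own management plane is limited to SSH on the VTYs (plus HTTPS via `ip http secure-server`, restricted by access-class 23). As an added example that is not from this thread, the following Python audit parses a running-config in the format posted above and reports each question separately; the excerpt it runs on is constructed, and the ACL name OUTSIDE-IN is assumed.

```python
import re

# Constructed excerpt modelled on the posted running-config, altered so every check fires once
SAMPLE_CONFIG = """\
no ip http server
ip http secure-server
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet0/2
 ip address 192.168.1.241 255.255.254.0
 ip access-group OUTSIDE-IN in
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""

def parse_sections(config: str) -> dict:
    """Map each top-level command to the indented sub-mode lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' or a blank line closes the current section
            continue
        if not line.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit(config: str) -> dict:
    sections = parse_sections(config)
    findings = {"unfiltered_interfaces": [], "weak_vty": [], "http": []}
    for header, body in sections.items():
        if header.startswith("interface "):  # no inbound ACL: transit traffic passes unfiltered
            if not any(re.match(r"ip access-group \S+ in$", c) for c in body):
                findings["unfiltered_interfaces"].append(header.split(" ", 1)[1])
        elif header.startswith("line vty"):
            transports = [c for c in body if c.startswith("transport input")]  # explicit only
            # Flag VTYs with no explicit transport, or any protocol beyond ssh/none
            if not transports or any(set(c.split()[2:]) - {"ssh", "none"} for c in transports):
                findings["weak_vty"].append(header)
    for svc in ("ip http server", "ip http secure-server"):
        if svc in sections:  # the negated 'no ip http server' is a different key
            findings["http"].append(svc)
    return findings
```

Run against the full config from the post, every GE interface lands in `unfiltered_interfaces` and only `ip http secure-server` is reported as a service the router itself answers on besides SSH.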
