Cisco Support Community
New Member

securing ports in nat

I have a site that is connected to the internet via T1 into a 2811 running (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)X. I have noticed that when I do a port scan on the outside NAT pool I see well-known ports in the closed state, i.e. 7,21,22,23,25,99,100,80,443. These pools are for end users to access the internet. Does this pose a security risk? What can I change to provide end user access to the web but not leave these well-known ports open?


6 REPLIES

securing ports in nat

I may not understand your question, but if the port is closed then that's ok. There's no security risk if the port is closed, and it depends on the scanner that you're using and with what options on how the scanner reports back. What are you using to scan?

HTH, John *** Please rate all useful posts ***
New Member

securing ports in nat

I am using the SolarWinds port scanner built into the Engineer's Toolkit.

securing ports in nat

@aaron ward

Do you mean that when you scanned from outside you couldn't see that the mentioned ports are open?

If yes, then that's normal behavior for dynamic NAT to function, as an entry is created only when an active connection is established from "Inside" to "Outside". So traffic originating from outside will have no chance to come in, and hence you are observing the ports to be closed.

Please let me know if this is what you wanted to know.

New Member

securing ports in nat

I am scanning the external IP addresses from the outside and they are showing up as "closed". Most of the IP addresses show "not responding".

Re: securing ports in nat

@aaron ward

Then in that case it's correct behavior, as it creates a state-table kind of translation table only when traffic is originated inside. All the outside-originated traffic trying to come inside will be blocked. Only if you have any static NAT configured for servers hosted in the environment (highly unlikely without a firewall appliance these days) will you see the scan showing open results.

If the inside users are using the web as desired, then all looks good from what you say.

Please let me know if this was useful.
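The translation-table behavior described in this reply, as an added example that is not part of the original thread and is not Cisco IOS code. It is a simplified model: the class and function names are hypothetical, the addresses are constructed documentation-range samples, and matching a dynamic entry on the remote endpoint is an assumption of the model.

```python
# Simplified model of a dynamic NAT (PAT) translation table; not Cisco IOS code.
# All names and addresses below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    outside_ip: str
    next_port: int = 20000
    # (outside_port, (remote_ip, remote_port)) -> (inside_ip, inside_port)
    dynamic: dict = field(default_factory=dict)
    # outside_port -> (inside_ip, inside_port)
    static: dict = field(default_factory=dict)

    def add_static(self, outside_port, inside_ip, inside_port):
        """Static NAT: a permanent mapping that exists without inside traffic."""
        self.static[outside_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """An inside host opens a connection, which creates a dynamic entry."""
        port = self.next_port
        self.next_port += 1
        self.dynamic[(port, (remote_ip, remote_port))] = (inside_ip, inside_port)
        return port

    def inbound(self, remote_ip, remote_port, outside_port):
        """A packet arrives from outside: forwarded only if an entry exists."""
        key = (outside_port, (remote_ip, remote_port))
        if key in self.dynamic:
            return ("forward", self.dynamic[key])
        if outside_port in self.static:
            return ("forward", self.static[outside_port])
        return ("drop", None)


def scan(router, scanner_ip, ports):
    """Result of unsolicited outside traffic to each port of the NAT address."""
    return {p: router.inbound(scanner_ip, 40000, p)[0] for p in ports}


if __name__ == "__main__":
    r = NatRouter("203.0.113.10")
    r.outbound("10.0.0.5", 51000, "198.51.100.7", 443)  # inside user browses
    print(scan(r, "192.0.2.99", [7, 21, 22, 23, 25, 80, 443]))
    r.add_static(80, "10.0.0.20", 80)                   # hosted web server
    print(scan(r, "192.0.2.99", [7, 21, 22, 23, 25, 80, 443]))
```
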

New Member

securing ports in nat

OK,  just wanted to be sure.  Thanks!
