10-24-2010 10:50 AM - edited 03-04-2019 10:13 AM
I have a 100 MB ethernet link to AT&T with my Cisco router. I have applied a few ACLs to my interface that connects to AT&T (fa 0/0). Here are my ACLs:
!
interface FastEthernet0/0
ip address < omited =) >
ip access-group 110 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address < omited =) >
duplex auto
speed auto
!
ip default-gateway < omited =) >
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 < omited =) >
!
!
no ip http server
no ip http secure-server
!
access-list 110 remark DenyPingsFromInternet
access-list 110 deny icmp any host < omited =) >
access-list 110 deny icmp any host < omited =) >
access-list 110 deny icmp any host < omited =) >
access-list 110 remark Deny special-use address sources. Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 remark Deny private address space
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
access-list 110 permit ip any any
As you can see from the ACL above I am denying icmp, ftp and port 554.
However, when I run an NMAP scan on the ip address of int fa 0/0, I get the following:
nadmin@nadmin-laptop:~$ sudo nmap -v < omited =) >
Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-24 10:36 PDT
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 10:36
Scanning < omited =) > [4 ports]
Completed Ping Scan at 10:36, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:36
Completed Parallel DNS resolution of 1 host. at 10:36, 0.09s elapsed
Initiating SYN Stealth Scan at 10:36
Scanning < omited =) > [1000 ports]
Discovered open port 21/tcp on < omited =) >
Discovered open port 554/tcp on < omited =) >
Discovered open port 7070/tcp on < omited =) >
Completed SYN Stealth Scan at 10:36, 3.80s elapsed (1000 total ports)
Host < omited =) > is up (0.027s latency).
Interesting ports on < omited =) >
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
7070/tcp open realserver
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
Raw packets sent: 1024 (45.032KB) | Rcvd: 998 (39.948KB)
I don't understand a couple of things:
1. Why does my router have ports 21, 135, 139, 445, 554 and 7070 open?
2. Why does my router respond to ports 21 and 554 when I implicitly deny them with an ACL?
Also, is there a way to hide a router from pings completely? I denied icmp to my interfaces, but when I try to ping I get a message saying the icmp echo request was filtered, vs just getting a dest unreachable (which would be more desirable):
PING < omited =) > (< omited =) >) 56(84) bytes of data.
From < omited =) >icmp_seq=2 Packet filtered
Thanks much!
10-24-2010 11:14 AM
Ken
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq ftp host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
access-list 110 deny tcp any eq 554 host < omited =) >
This ACL is wrong. It says, for example using the first line, deny any packets from any host with a source port of 21 and a destination port which will be a random port to the host IP. But NMAP is not doing that. NMAP is sending a packet with a destination port of 21, not a source port, so it should read -
access-list 110 deny tcp any host x.x.x.x eq 21
etc..
However, that doesn't actually answer the question as to why NMAP reports them open. Unfortunately you have blanked out so much it's difficult to say any more. Why are there 3 host addresses per port? Are you testing against other IPs? Do you have any static NAT translations on your router?
Can you post a "sh tcp brief all" from your router.
135, 139 & 445 are not open, they are filtered, which means nmap can't tell if it is open or closed because something is blocking the scan.
Hide router from pings - under your interface add this -
int fa0/0
no ip unreachables
Jon
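An added example, not from the thread or from Cisco's software: a small Python model of how IOS evaluates an extended ACL (first match wins, implicit deny at the end), used to show why the originally posted "deny tcp any eq ftp host X" never matches a scanner's SYN to port 21 while Jon's "deny tcp any host X eq 21" does. It handles 'any', 'host', wildcard masks and the 'ftp' keyword as they appear in the thread; the addresses 203.0.113.1 and 198.51.100.7 are constructed stand-ins for the redacted ones.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23}  # IOS keywords seen in the thread (assumption: nothing else needed)

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'NET WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild_bits = bin(int(ipaddress.ip_address(tokens[1]))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wild_bits}", strict=False), tokens[2:]

def _port_op(tokens):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' -> dict; remark lines -> None."""
    t = line.split()
    if t[2] == "remark":
        return None
    src, rest = _addr(t[4:])
    sport, rest = _port_op(rest)   # an 'eq' right after the SOURCE qualifies the source port
    dst, rest = _addr(rest)
    dport, _ = _port_op(rest)      # an 'eq' right after the DESTINATION qualifies the destination port
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation as IOS does it, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in filter(None, map(parse_ace, acl)):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"

ROUTER, SCANNER = "203.0.113.1", "198.51.100.7"  # constructed stand-ins for the redacted addresses
ORIGINAL_ACL = [  # as first posted: 'eq ftp' sits before the destination, so it is a SOURCE-port test
    "access-list 110 remark DenyPingsFromInternet",
    "access-list 110 deny icmp any host 203.0.113.1",
    "access-list 110 deny tcp any eq ftp host 203.0.113.1",
    "access-list 110 deny tcp any eq 554 host 203.0.113.1",
    "access-list 110 permit ip any any"]
CORRECTED_ACL = [  # Jon's form: 'eq 21' after the destination is a DESTINATION-port test
    "access-list 110 deny icmp any host 203.0.113.1",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny tcp any host 203.0.113.1 eq 21",
    "access-list 110 deny tcp any host 203.0.113.1 eq 554",
    "access-list 110 permit ip any any"]

def syn_to(acl, dport, sport=40123):
    """Verdict for the scanner's SYN from an ephemeral port to ROUTER:dport, which is what nmap sends."""
    return evaluate(acl, "tcp", SCANNER, sport, ROUTER, dport)
```

With the original list the SYN to port 21 falls through to "permit ip any any", so the ACL is not what answers on 21 and 554; the corrected list denies it before that line.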
10-24-2010 12:59 PM
Jon,
Thanks for the feedback. Corrected my ACL (thanks for catching that). I was doing some testing and trying to guard both interfaces for some port scans and pings. Hence the multiple hosts in my ACL. I have an ASA5520 behind this router and the ASA is performing NAT for me.
I used the no ip unreachables command and that did the trick for ping. However, even after correcting my ACL, ports 21 and 554 still show open for some reason. Here is a bigger look at my config, along with the show tcp brief all command:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c3745
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone PST -8
ip cef
!
!
!
!
ip domain name X.com
ip name-server X.X.X.X
ip name-server X.X.X.X
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address X.X.X.X 255.255.255.252
ip access-group 110 in
no ip unreachables
duplex auto
speed auto
!
interface FastEthernet0/1
ip address X.X.X.X 255.255.255.0
no ip unreachables
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
no ip http server
no ip http secure-server
!
access-list 110 remark DenyPingsFromInternet
access-list 110 deny icmp any host X.X.X.X
access-list 110 deny icmp any host X.X.X.X
access-list 110 deny icmp any host X.X.X.X
access-list 110 remark Deny special-use address sources. Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 remark Deny private address space
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny tcp any host X.X.X.X eq 21
access-list 110 deny tcp any host X.X.X.X eq 21
access-list 110 deny tcp any host X.X.X.X eq 554
access-list 110 deny tcp any host X.X.X.X eq 554
access-list 110 deny tcp any host X.X.X.X eq 7070
access-list 110 deny tcp any host X.X.X.X eq 7070
access-list 110 permit ip any any
!
snmp-server community X RW
snmp-server location X
snmp-server contact X
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps director server-up server-down
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rf
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server host X.X.X.X version 2c X
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
login local
speed 115200
line aux 0
line vty 0 4
logging synchronous
login local
transport input none
line vty 5 15
login
transport input none
!
ntp logging
ntp source FastEthernet0/1
ntp master
!
end
10-24-2010 01:08 PM
Ken
Just to confirm, you are running the NMAP from outside the fa0/0 interface?
Could you post the new NMAP results and also can you post -
sh access-list 110
so I can see the hits, if any, on the ACL entries.
Jon
10-24-2010 01:34 PM
Yes, I am running nmap to my fa 0/0 interface.
Here are the results:
nmap -v 12.90.36.222
Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-24 13:27 PDT
Initiating Ping Scan at 13:27
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 13:27, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:27
Completed Parallel DNS resolution of 1 host. at 13:27, 0.00s elapsed
Initiating Connect Scan at 13:27
Scanning X.X.X.X [1000 ports]
Discovered open port 21/tcp on X.X.X.X
Discovered open port 554/tcp on X.X.X.X
Discovered open port 7070/tcp on X.X.X.X
Completed Connect Scan at 13:28, 4.05s elapsed (1000 total ports)
Nmap scan report for X.X.X.X
Host is up (0.028s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
7070/tcp open realserver
Read data files from: /opt/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.14 seconds
Extended IP access list 110
10 deny icmp any host X.X.X.X (5 matches)
20 deny icmp any host Y.Y.Y.Y (4 matches)
30 deny icmp any host Z.Z.Z.Z (5 matches)
40 deny ip host 0.0.0.0 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 192.0.2.0 0.0.0.255 any
70 deny ip 10.0.0.0 0.255.255.255 any
80 deny ip 172.16.0.0 0.15.255.255 any
90 deny tcp any host X.X.X.X eq ftp
100 deny tcp any host Y.Y.Y.Y eq ftp
110 deny tcp any host X.X.X.X eq 554
120 deny tcp any host Y.Y.Y.Y eq 554
130 deny tcp any host X.X.X.X eq 7070
140 deny tcp any host Y.Y.Y.Y eq 7070
150 permit ip any any (11238 matches)
10-24-2010 01:45 PM
10-24-2010 02:02 PM
Jon,
The topology for nmap would look like this:
Linux NMAP<-----> Comcast <----->Internet <------->AT&T <--------> 3745 FA 0/0 ---- 3745 FA 0/1 <----------> ASA 5520 <------>My protected Network
The NMAP machine scans my 3745's FA 0/0 interface.
No, no typo in NMAP. I have run the test multiple times.
I tried to telnet to port 21 on my FA 0/0 interface and sure enough, I hit something. I got no feedback or output:
HarleyAir:~ kwold$ telnet X.X.X.X 21
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
^[[A
Sure enough, I can see the hit counter increase for the port 21 ACL. It will do the same thing for ports 554 and 7070. When I telnet using any of these port numbers, I get a response like this:
HarleyAir:~ kwold$ telnet X.X.X.X 554
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
! The term just hangs at this point.
If I try and use any other port number for telnet for FA 0/0, then the connection is denied immediately:
HarleyAir:~ kwold$ telnet X.X.X.X 500
Trying X.X.X.X...
telnet: connect to address 1X.X.X.X: Connection refused
telnet: Unable to connect to remote host
10-25-2010 08:09 AM
Okay, I'm confused.
Just to confirm again, the config you posted last was the full config for the router?
I am away for the next couple of days but I have a spare router, so if I get a chance I'll try and emulate what you are seeing.
Jon
10-25-2010 01:04 PM
Yep, that is the full config. No NAT. =(
10-25-2010 03:21 AM
I have the same problem.
10-01-2017 07:40 AM
Something may be intercepting along the traffic path. I just nmapped a router to ensure it was secure from the outside and was surprised to see TCP554 and TCP7070 open. I'm going through a BT HomeHub at this location and have read elsewhere that this intercepts these ports (no idea why). I can telnet to both ports. However, when I attempt to connect via my mobile phone network (i.e. not via the BT HomeHub), the connections to TCP554 and TCP7070 are refused as expected. Weird.