It's a border router with a Fortigate firewall behind
it. That's why I didn't want to write a real firewall
type of ruleset for it. It's only a 1720, so I don't
want the overhead of reflexive ACLs and I don't think
I really need it since I have a good firewall behind
the router. Thanks!
Bob
--- adisegna@siscocorp.com wrote:
What kind of traffic do you want to allow through
this interface? It's a
better practice to block everything and open up
holes as you need them.
Unless, of course this is a perimeter router (at the
edge of your
network) which is in front of an application level
firewall.
access-list 100 deny ip 172.16.0.0 0.0.255.255 any
log
access-list 100 deny ip host 127.0.0.1 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
log
access-list 100 deny ip 192.168.0.0 0.0.255.255
any log
access-list 100 deny tcp any any eq telnet log
access-list 100 deny icmp any host
public.ip.address.of.external.interface
access-list 100 deny icmp any host
public.ip.firewall.interface
access-list 100 deny tcp any any eq 135 log
access-list 100 deny tcp any any eq 139 log
access-list 100 deny tcp any any eq 137 log
access-list 100 deny udp any any eq netbios-ns log
access-list 100 deny udp any any eq netbios-dgm
log
access-list 100 deny tcp any any eq 445 log
access-list 100 deny tcp any any eq 0 log
access-list 100 permit ip any any log
AD
Information Technology Group
Security Identification Systems Corporation
-----Original Message-----
From: bob bob [mailto:bb88011@yahoo.com]
Sent: Friday, March 25, 2005 1:34 PM
To: security-basics@securityfocus.com
Subject: Open Ports on Cisco Router
I have a Cisco 1720 router that showed telnet open
after a recent audit. I closed down telnet by
applying an acl to the vty lines and then nmap'ed
from
the outside to verify. Telnet is indeed closed, but
other ports appeared open now! What's more,
different
ports appear open when scanning at different times.
It showed tcp ports 21, 25 and 80 open at one time,
but in another scan showed 143 in addition to the
above. Late in the evening, it showed none of the
above open, but a range of ports starting around
8000.
No UDP ports show open.
I ran nmap with the following command:
nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
Here is a portion of the router config:
version 12.3
. . .
ip subnet-zero
no ip source-route
. . .
interface FastEthernet0
ip address 10.0.0.1 255.255.255.0
ip nat outside
speed auto
half-duplex
!
interface Serial0
ip address A.B.C.D 255.255.255.252
ip access-group filter_outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
no nat outside
no fair-queue
no cdp enable
!
ip nat inside source list 10 interface Serial0
overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
. . .
ip access-list extended filter_outside_in
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any timestamp-request
deny icmp any redirect
deny icmp any mask-request
deny icmp any traceroute
deny icmp any echo
permit ip any any
access-list 10 permit 10.0.0.0 0.0.0.255
----------------------------------------
So, the router is NAT'ing, and, btw, it also has a
firewall behind it. The ports that show up in the
scans of the router match up very well with the
ports
used regularly at this location, so I thought it
might
have something to do with NAT dynamically openning
ports. However, it still seems very strange to me
and
I wanted to know if anyone else has seen this
behavior
and what explains it. TIA!
Bob
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
