Solved

UDP 137/138, TCP 139 in Cisco 2600

Posted on 2000-03-16
8
1,927 Views
Last Modified: 2013-12-19
Does anyone know which ports are open by default on a Cisco 2600 router?

I am going to block udp 137, udp 138 and tcp 139 from router, detail as below:

access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
ip access-group 110 in

I found out the telnet port is open after I entered the access list as above, therefore I am wondering how many ports have been opened?
0
Comment
Question by:joehuang
8 Comments
 

Expert Comment

by:alehning
ID: 2626114
Try:

access-list 110 deny tcp any any eq telnet
access-list 110 deny udp any any eq telnet

The router should be able to figure it out.  It's really better to deny everything and then only allow the few ports you want to come through (SMTP for your mailserver IP, http for your proxy server IP, etc) rather than try and enter a block for everything.

Or better yet get some firewall software and get away from those painful Cisco access lists altogether.  Gauntlet by NAI is a good choice, but a little expensive.  MS Proxy will work, and I'm sure there are others.

BTW I think telnet is tcp port 23, ftp is 21, and smtp is 25.  A quick list for the well-known ports is http://www.techadvice.com/tech/T/TCP_well_known_ports.htm and there's probably many other good ones out there.  Good luck!
0
 

Expert Comment

by:alehning
ID: 2626123
Oops, sorry, didn't quite answer your question.  As far as I know, the default is all ports open on a router unless specifically closed.
0
 
LVL 2

Expert Comment

by:jgarr
ID: 2626369
alehning is correct. All ports are open in both directions until you apply inbound or outbound lists to an interface. Are you trying to avoid using WINS ? Those are Netbios ports, correct ? The router will not forward Netbios broadcasts by default (routers don't forward broadcasts at all; that's one reason to use them !)
You might consider using a WINS server, or at the least, configure lmhosts files to help Windows machines to find each other.
0
LVL 23

Expert Comment

by:Tim Holman
ID: 2627357
By default, everything's open.
What sort of security are you trying to apply ?

0
 

Author Comment

by:joehuang
ID: 2628130
We have a webserver (NT 4) with 2 NIC cards; one NIC is connected behind the firewall, the other NIC is connected to the T1 router (Cisco 2600).

A gentleman used a hacking tool on a Linux box from home for testing purposes. It logged into the webserver only; the good thing is it did not get into the intranet. I could see the name of the hacker's workstation that successfully logged into the web server without a username/password.

According to this test, this gentleman suggested we block TCP port 139 and UDP 137/138.

As I understand it, NT has this security problem, therefore I am trying to set up an access list to block those ports.

Any suggestions?
0
 

Accepted Solution

by:
alehning earned 50 total points
ID: 2628786
Well, if you want to use your router, try

! IOS evaluates an access list top-down and stops at the first match,
! so the permit entries must come before the blanket deny.
! "permit" is the IOS keyword ("allow" is not accepted), and
! "established" is a TCP keyword in its own right, not a port.
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny ip any any

It's been a while since I've seen a router so you might want to double-check this with the Cisco documentation, especially the "established" keyword; essentially you are blocking all traffic into your network except connections established from inside your firewall (established), http (port 80), and https (port 443).  If you want people to telnet/ftp in for whatever reason you'll need to open those ports too.

MAKE SURE this is on your incoming access list; if you block the outgoing nobody behind the router will get to the internet.

Another alternative is to use your firewall software; run the router into the firewall instead of into the server, and set the allowances on your firewall to allow web traffic through. Probably not as secure as the router list though.

Anybody else, please add to this if I missed something -- I haven't done routers in *years*.
0
 
LVL 17

Expert Comment

by:mikecr
ID: 2629598
Just remember that if you don't put a permit statement at the end of your deny statements, everything gets denied by default.
0
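IOS evaluates an access list top-down, stops at the first matching entry, and applies an implicit deny to anything that falls off the end, which is the point mikecr makes above. The following Python simulator is an added example (not from the thread or from Cisco) that models that rule on constructed entries and packets, and compares a deny-first ordering, where nothing ever reaches the permits, with the permit-first ordering that implements what the accepted answer describes.

```python
"""Minimal simulator of Cisco IOS extended-ACL evaluation (added example).

Models only what the thread needs: first match wins, an implicit deny
at the end, 'eq PORT' matching on destination port, and 'established'
matching TCP segments with the ACK (or RST) bit set. Entries and packets
below are constructed for illustration.
"""


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO any any [eq PORT] [established]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("unsupported line: " + line)
    action, proto = t[2], t[3]
    port = int(t[t.index("eq") + 1]) if "eq" in t else None
    established = "established" in t[6:]
    return action, proto, port, established


def evaluate(acl_lines, packet):
    """Return 'permit' or 'deny' for packet = {'proto', 'dport', 'ack'}."""
    for action, proto, port, established in map(parse_ace, acl_lines):
        if proto not in ("ip", packet["proto"]):
            continue  # entry is for another protocol
        if port is not None and port != packet["dport"]:
            continue  # 'eq PORT' did not match
        if established and not packet["ack"]:
            continue  # 'established' only matches ACK/RST segments
        return action  # first match wins
    return "deny"  # implicit deny at the end of every IOS access list


# Deny-first ordering: the later permits are unreachable.
DENY_FIRST = [
    "access-list 110 deny tcp any any",
    "access-list 110 deny udp any any",
    "access-list 110 permit tcp any any established",
    "access-list 110 permit tcp any any eq 80",
    "access-list 110 permit tcp any any eq 443",
]

# Permit-first ordering: web in, replies to inside-initiated sessions in, rest denied.
PERMIT_FIRST = [
    "access-list 110 permit tcp any any established",
    "access-list 110 permit tcp any any eq 80",
    "access-list 110 permit tcp any any eq 443",
    "access-list 110 deny ip any any",
]

# Constructed inbound packets: new HTTP request, NetBIOS session attempt,
# reply to an outbound connection, NetBIOS name-service datagram.
WEB = {"proto": "tcp", "dport": 80, "ack": False}
NBSS = {"proto": "tcp", "dport": 139, "ack": False}
REPLY = {"proto": "tcp", "dport": 33000, "ack": True}
NBNS = {"proto": "udp", "dport": 137, "ack": False}
```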
 

Author Comment

by:joehuang
ID: 2661573
It works with the 2 settings together as below,

1. For ROUTER
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
! port 139 is the NetBIOS session service, which runs over TCP (netbios-ssn)
access-list 130 deny tcp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
int s0/0.1
ip access-group 130 in

2. For Win NT
Network Neighborhood / Protocols / TCP/IP / Advanced / Enable Security
TCP Permit only : 80,443,53
UDP Permit only : 53
IP  Permit only : 6

0
