Solved

UDP 137/138, TCP 139 in Cisco 2600

Posted on 2000-03-16
8
1,946 Views
Last Modified: 2013-12-19
Does anyone know what the default open ports are on a Cisco 2600 router?

I am going to block UDP 137, UDP 138 and TCP 139 on the router, details as below:

access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
ip access-group 110 in

I found out the telnet port is still open after I entered the access list as above, therefore I am wondering how many ports have been open?
Question by:joehuang
8 Comments
 

Expert Comment

by:alehning
ID: 2626114
Try:

access-list 110 deny tcp any any eq telnet
! (telnet runs over TCP only; IOS does not accept "eq telnet" on a udp entry)

The router should be able to figure it out.  It's really better to deny everything and then only allow the few ports you want to come through (SMTP for your mailserver IP, http for your proxy server IP, etc) rather than try and enter a block for everything.

Or better yet get some firewall software and get away from those painful Cisco access lists altogether.  Gauntlet by NAI is a good choice, but a little expensive.  MS Proxy will work, and I'm sure there are others.

BTW I think telnet is tcp port 23, ftp is 21, and smtp is 25.  A quick list for the well-known ports is http://www.techadvice.com/tech/T/TCP_well_known_ports.htm and there's probably many other good ones out there.  Good luck!
 

Expert Comment

by:alehning
ID: 2626123
Oops, sorry, didn't quite answer your question.  As far as I know, the default is all ports open on a router unless specifically closed.
 
LVL 2

Expert Comment

by:jgarr
ID: 2626369
alehning is correct. All ports are open in both directions until you apply inbound or outbound lists to an interface. Are you trying to avoid using WINS ? Those are Netbios ports, correct ? The router will not forward Netbios broadcasts by default (routers don't forward broadcasts at all; that's one reason to use them !)
You might consider using a WINS server, or at the least, configure lmhosts files to help Windows machines to find each other.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2627357
By default, everything's open.
What sort of security are you trying to apply ?

 

Author Comment

by:joehuang
ID: 2628130
We have a webserver (NT 4) with 2 NIC cards: one NIC connects behind the firewall, the other NIC connects to the T1 router (Cisco 2600).

A gentleman used a hacking tool on a Linux box from home for testing purposes. It logged into the webserver only; the good thing is that it did not get into the intranet. I could see the name of the hacker's workstation that successfully logged into the web server without a user name/password.

Based on this test, this gentleman suggested that we block TCP port 139 and UDP 137/138.

As I understand it, NT has this security problem, therefore I am trying to set up an access list to block such ports.

Any suggestions?
 

Accepted Solution

by: alehning (earned 50 total points)
ID: 2628786
Well, if you want to use your router, try

! return traffic for connections opened from inside (TCP segments with ACK or RST set)
access-list 110 permit tcp any any established
! web traffic to the server
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
! everything else is dropped (the list's implicit deny would do this as well)
access-list 110 deny tcp any any
access-list 110 deny udp any any

It's been a while since I've seen a router so you might want to double-check this with the Cisco documentation, especially the "established" keyword; essentially you are blocking all traffic into your network except connections established from inside your firewall (established), http (port 80), and https (port 443).  If you want people to telnet/ftp in for whatever reason you'll need to open those ports too.

MAKE SURE this is on your incoming access list; if you block the outgoing nobody behind the router will get to the internet.

Another alternative is to use your firewall software; run the router into the firewall instead of into the server, and set the allowances on your firewall to allow web traffic through. Probably not as secure as the router list though.

Anybody else, please add to this if I missed something -- I haven't done routers in *years*.
 
LVL 17

Expert Comment

by:mikecr
ID: 2629598
Just remember that if you don't put a permit statement at the end of your deny statements, everything gets denied by default.
 

Author Comment

by:joehuang
ID: 2661573
It works with the 2 settings together as below:

1. For ROUTER
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
! NetBIOS session service is TCP 139 (netbios-ssn), not UDP
access-list 130 deny tcp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
int s0/0.1
ip access-group 130 in

2. For Win NT
Network Neighborhood / Protocols / TCP/IP / Advanced / Enable Security
TCP Permit only: 80, 443, 53
UDP Permit only: 53
IP Permit only: 6




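The thread turns on two properties of Cisco numbered ACLs: entries are evaluated top-down and the first match wins, and a packet matching no entry hits the implicit deny at the end (mikecr's point). The following is an added example, not code from the thread or from Cisco: a small Python simulator of that evaluation, fed with the list from the question, the allowlist the accepted answer describes, and a constructed deny-first list, against a few constructed packets. The parser only understands the syntax subset used in this thread ("any any", "eq PORT", "established"); the author's final list 130 can be checked the same way by pasting it in and passing 130 as the list number.

```python
# Added example (not from the thread): simulate Cisco IOS extended ACL
# evaluation -- first matching entry wins, no match means the implicit deny --
# and check the lists posted above against constructed packets. Only the
# syntax subset used in the thread is parsed: "any any", "eq PORT", "established".
from dataclasses import dataclass
from typing import List, Optional

# Port names IOS accepts in an "eq" clause (subset; "telnet" is TCP-only).
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80, "domain": 53,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0             # destination port (0 for protocols without ports)
    ack_or_rst: bool = False   # TCP segment with ACK or RST set (not a fresh SYN)

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    dport: Optional[int]       # None: any destination port
    established: bool          # match only TCP segments with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            return False
        return True

def parse_acl(text: str, number: int) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO any any [eq PORT] [established]'."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):        # IOS comment line
            continue
        if len(tok) < 6 or tok[0] != "access-list" or int(tok[1]) != number:
            raise ValueError(f"not an entry of access-list {number}: {raw}")
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny"):          # e.g. "allow" is not IOS syntax
            raise ValueError(f"unknown action in: {raw}")
        if tok[4:6] != ["any", "any"]:
            raise ValueError(f"only 'any any' is supported: {raw}")
        dport, established, rest = None, False, tok[6:]
        while rest:
            if rest[0] == "eq" and len(rest) > 1:
                name = rest[1]
                dport = int(name) if name.isdigit() else PORT_NAMES.get(name)
                if dport is None:
                    raise ValueError(f"unknown port name in: {raw}")
                rest = rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported keyword in: {raw}")
        entries.append(Entry(action, proto, dport, established))
    return entries

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First match wins; no match means the implicit deny at the end of the list."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

def decide(acl_text: str, number: int, pkt: Packet) -> str:
    return evaluate(parse_acl(acl_text, number), pkt)

# The list from the question (typo "anu" corrected): a blocklist with permit-all last.
ACL_110_QUESTION = """
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
"""

# The allowlist the accepted answer describes: established return traffic,
# http, https, and nothing else (the implicit deny covers the rest).
ACL_110_ALLOWLIST = """
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
"""

# Constructed counter-example: the same permits placed after a blanket deny
# are never reached, because evaluation stops at the first match.
ACL_110_DENY_FIRST = """
access-list 110 deny tcp any any
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
"""
```

Running `decide(ACL_110_QUESTION, 110, Packet("tcp", 23))` returns "permit", which is exactly what the author observed: a blocklist that ends in `permit ip any any` leaves every port not explicitly named open. The allowlist denies that same telnet SYN by falling through to the implicit deny, while still permitting an inbound segment with ACK set to any port (the `established` entry), and the deny-first list denies port 80 even though a permit for it is present further down.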