Solved

UDP 137/138, TCP 139 in Cisco 2600

Posted on 2000-03-16
2,195 Views
Last Modified: 2013-12-19
Does anyone know what the default open ports are on a Cisco 2600 router?

I am going to block UDP 137, UDP 138 and TCP 139 on the router, details as below:

access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
ip access-group 110 in

I found out the telnet port is open after I entered the access list as above, therefore I am wondering how many ports are open?
Question by:joehuang
8 Comments
 

Expert Comment

by:alehning
ID: 2626114
Try:

access-list 110 deny tcp any any eq telnet
access-list 110 deny udp any any eq telnet

The router should be able to figure it out.  It's really better to deny everything and then only allow the few ports you want to come through (SMTP for your mailserver IP, http for your proxy server IP, etc) rather than try and enter a block for everything.

Or better yet get some firewall software and get away from those painful Cisco access lists altogether.  Gauntlet by NAI is a good choice, but a little expensive.  MS Proxy will work, and I'm sure there are others.

BTW I think telnet is tcp port 23, ftp is 21, and smtp is 25.  A quick list for the well-known ports is http://www.techadvice.com/tech/T/TCP_well_known_ports.htm and there's probably many other good ones out there.  Good luck!

Expert Comment

by:alehning
ID: 2626123
Oops, sorry, didn't quite answer your question.  As far as I know, the default is all ports open on a router unless specifically closed.
LVL 2

Expert Comment

by:jgarr
ID: 2626369
alehning is correct. All ports are open in both directions until you apply inbound or outbound lists to an interface. Are you trying to avoid using WINS ? Those are Netbios ports, correct ? The router will not forward Netbios broadcasts by default (routers don't forward broadcasts at all; that's one reason to use them !)
You might consider using a WINS server, or at the least, configure lmhosts files to help Windows machines to find each other.
LVL 23

Expert Comment

by:Tim Holman
ID: 2627357
By default, everything's open.
What sort of security are you trying to apply ?

Author Comment

by:joehuang
ID: 2628130
We have a webserver (NT 4) with 2 NIC cards: one NIC connects behind the firewall, the other NIC connects to the T1 router (Cisco 2600).

A gentleman used a hacking tool on a Linux box from home for testing purposes. It logged into the webserver only; the good thing is that it did not get into the intranet. I could see the name of the hacker's workstation that successfully logged into the web server without a user name/password.

According to this test, this gentleman suggested we block TCP port 139 and UDP 137/138.

As I understand it, NT has this security problem, therefore I am trying to set up an access list to block such ports.

Any suggestions?

Accepted Solution

by:
alehning earned 100 total points
ID: 2628786
Well, if you want to use your router, try

access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny tcp any any
access-list 110 deny udp any any

It's been a while since I've seen a router so you might want to double-check this with the Cisco documentation, especially the "established" keyword; essentially you are blocking all traffic into your network except connections established from inside your firewall (established), http (port 80), and https (port 443).  If you want people to telnet/ftp in for whatever reason you'll need to open those ports too.

MAKE SURE this is on your incoming access list; if you block the outgoing nobody behind the router will get to the internet.

Another alternative is to use your firewall software; run the router into the firewall instead of into the server, and set the allowances on your firewall to allow web traffic through. Probably not as secure as the router list though.

Anybody else, please add to this if I missed something -- I haven't done routers in *years*.
LVL 17

Expert Comment

by:mikecr
ID: 2629598
Just remember that if you don't put a permit statement at the end of your deny statements, everything gets denied by default.

Author Comment

by:joehuang
ID: 2661573
It works with the 2 settings together as below,

1. For ROUTER
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
int s0/0.1
ip access-group 130 in

2. For Win NT
Network Neighborhood / Protocol / TCP/IP / Advanced / Enable Security
TCP Permit only: 80, 443, 53
UDP Permit only: 53
IP Permit only: 6
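Added example, not from any of the posters in this thread: a small Python simulator of how IOS evaluates a numbered extended ACL (top-down, first match wins, implicit deny at the end). It is run over the kinds of lists discussed above: the asker's original list, which shows why telnet stayed open; the same list without its final permit, which is mikecr's implicit-deny point; an allow-list in the style of the accepted answer, written in valid IOS syntax; and a constructed variant where the 139 rule is written for UDP instead of TCP (NetBIOS session service is TCP). The port-name table and the ALLOWLIST_ACL and WRONG_PROTO_ACL texts are my own constructions, and the parser covers only the `any any [eq PORT] [established]` syntax used in this thread, not IOS in general.

```python
import re

# Constructed port-name table covering the names mentioned in this thread.
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80, "domain": 53}

# Subset of IOS extended-ACL syntax used in the thread (assumption: nothing else):
#   access-list N {permit|deny} {ip|tcp|udp} any any [eq PORT] [established]
RULE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any"
    r"(?:\s+eq\s+(\S+))?(?:\s+(established))?\s*$"
)


def parse_acl(text):
    """Parse ACL lines into (action, proto, port, established) tuples.

    Raises ValueError on a line IOS would reject ("allow", "eq all", ...)."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or " remark " in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"invalid ACL line: {line!r}")
        _num, action, proto, port, established = m.groups()
        if port is not None:
            if proto == "ip":
                raise ValueError(f"'eq' needs tcp or udp: {line!r}")
            if port.isdigit():
                port = int(port)
            elif port in PORT_NAMES:
                port = PORT_NAMES[port]
            else:
                raise ValueError(f"unknown port name: {line!r}")
        if established and proto != "tcp":
            raise ValueError(f"'established' is tcp-only: {line!r}")
        rules.append((action, proto, port, bool(established)))
    return rules


def is_valid(text):
    """True if every line parses under the subset of syntax above."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def evaluate(rules, proto, dport, established=False):
    """First matching rule wins; a packet matching no rule is denied (implicit deny)."""
    for action, rproto, rport, restablished in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if restablished and not established:
            continue
        return action
    return "deny"


# Inbound packets worth checking against each list: NetBIOS, telnet, web, DNS.
PROBES = {
    "tcp/139": ("tcp", 139), "udp/137": ("udp", 137), "udp/138": ("udp", 138),
    "tcp/23": ("tcp", 23), "tcp/80": ("tcp", 80), "tcp/443": ("tcp", 443),
    "udp/53": ("udp", 53),
}


def summarize(text):
    """Map each probe to 'permit' or 'deny' for the given ACL text."""
    rules = parse_acl(text)
    return {name: evaluate(rules, p, d) for name, (p, d) in PROBES.items()}


# The asker's first list: denies NetBIOS, then permits everything else,
# which is why telnet (tcp/23) was still reachable.
QUESTION_ACL = """
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
"""

# Same list without its final permit: only the implicit deny remains.
DENY_ONLY_ACL = "\n".join(QUESTION_ACL.strip().splitlines()[:3])

# Constructed allow-list in the style of the accepted answer: replies to
# inside-initiated TCP sessions, web, and nothing else (implicit deny).
ALLOWLIST_ACL = """
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
"""

# Constructed mistake: a 139 rule written for udp leaves TCP 139 open.
WRONG_PROTO_ACL = """
access-list 130 deny udp any any eq 139
access-list 130 permit ip any any
"""

if __name__ == "__main__":
    for name, acl in [("question", QUESTION_ACL), ("deny-only", DENY_ONLY_ACL),
                      ("allowlist", ALLOWLIST_ACL), ("wrong-proto", WRONG_PROTO_ACL)]:
        print(name, summarize(acl))
    print("'allow ... eq all' accepted:", is_valid("access-list 110 allow tcp any any eq all"))
```

Running it prints a permit/deny table per list; the "deny-only" row denies every probe, the "allowlist" row permits only 80 and 443 for new connections, and the "wrong-proto" row still permits tcp/139.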
