[c-nsp] Router TCP ports

Luan Nguyen luan.nguyen at mci.com
Mon Aug 22 11:47:51 EDT 2005 

2065 is the aux 0 port.  Check config under line aux 0.  show ip socket on
the router doesn't reveal those ports as open though...
If under line aux 0, you set transport input ssh, then it will behave line
those vty lines (for me it is this way)
2065 is the tcp telnet port, 4065 is the raw tcp port and 4065 is the binary
tcp port.
With the new isr platform, 2811 included, I think Cisco changed their ways
of doing thing.
uusiteLuan1841#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns
Int
*    0    0 CTY              -    -      -    -    -     0      0    0/0
-
     1    1 AUX   9600/9600  - inout     -    -    -     0      0    0/0
-
   194  194 VTY              -    -      -    -    -    15      0    0/0
-
   195  195 VTY              -    -      -    -    -     0      0    0/0
-
   196  196 VTY              -    -      -    -    -     0      0    0/0
-
   197  197 VTY              -    -      -    -    -     0      0    0/0
-

So the aux now is 1 instead of 65.
Don't know about the 9065 and 9001 port though.  Would be nice to see  your
running config since I got disconnected right away telneting to
9001...saying resource insufficient.

uusiteLuan1841#
002151: Aug 22 11:42:34.518 EDT: tcp0: I LISTEN 63.64.73.10:46422
206.64.200.15:9001 seq 798650460
        OPTS 4 SYN  WIN 8760
002152: Aug 22 11:42:34.518 EDT: TCP0: state was LISTEN -> SYNRCVD [9001 ->
63.64.73.10(46422)]
002153: Aug 22 11:42:34.518 EDT: TCP: tcb 65A5C940 connection to
63.64.73.10:46422, peer MSS 1460, MSS is 516
002154: Aug 22 11:42:34.518 EDT: TCP: sending SYN, seq 914587220, ack
798650461
002155: Aug 22 11:42:34.518 EDT: TCP0: Connection to 63.64.73.10:46422,
advertising MSS 536
002156: Aug 22 11:42:34.518 EDT: tcp0: O SYNRCVD 63.64.73.10:9001
206.64.200.15:46422 seq 914587220
        OPTS 4 ACK 798650461 SYN  WIN 4128
002157: Aug 22 11:42:34.518 EDT: tcp0: I SYNRCVD 63.64.73.10:46422
206.64.200.15:9001 seq 798650461
        ACK 914587221  WIN 9112
002158: Aug 22 11:42:34.518 EDT: TCP0: state was SYNRCVD -> ESTAB [9001 ->
63.64.73.10(46422)]
002159: Aug 22 11:42:34.522 EDT: Telnet1: 1 1 251 1
002160: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent WILL ECHO (1)
002161: Aug 22 11:42:34.522 EDT: Telnet1: 2 2 251 3
002162: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent WILL SUPPRESS-GA (3)
002163: Aug 22 11:42:34.522 EDT: Telnet1: 80000 80000 253 24
002164: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent DO TTY-TYPE (24)
002165: Aug 22 11:42:34.522 EDT: Telnet1: 10000000 10000000 253 31
002166: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent DO WINDOW-SIZE (31)
002167: Aug 22 11:42:34.522 EDT: tcp1: O ESTAB 63.64.73.10:9001
206.64.200.15:46422 seq 914587221
        DATA 12 ACK 798650461 PSH  WIN 4128
002168: Aug 22 11:42:34.522 EDT: TCP1: state was ESTAB -> FINWAIT1 [9001 ->
63.64.73.10(46422)]
002169: Aug 22 11:42:34.526 EDT: tcp1: O FINWAIT1 63.64.73.10:9001
206.64.200.15:46422 seq 914587233
        ACK 798650461 FIN PSH  WIN 4128
002170: Aug 22 11:42:34.526 EDT: TCP1: sending FIN
002171: Aug 22 11:42:34.526 EDT: TCP: Available resources insufficient
002172: Aug 22 11:42:34.526 EDT: tcp1: I FINWAIT1 63.64.73.10:46422
206.64.200.15:9001 seq 798650461
        ACK 914587233  WIN 9112
002173: Aug 22 11:42:34.526 EDT: tcp1: I FINWAIT1 63.64.73.10:46422
206.64.200.15:9001 seq 798650461
        ACK 914587234  WIN 9112
002174: Aug 22 11:42:34.530 EDT: TCP1: state was FINWAIT1 -> FINWAIT2 [9001
-> 63.64.73.10(46422)]
002175: Aug 22 11:42:34.530 EDT: tcp1: I FINWAIT2 63.64.73.10:46422
206.64.200.15:9001 seq 798650461
        ACK 914587234 FIN  WIN 9112
002176: Aug 22 11:42:34.530 EDT: TCP1: FIN processed
002177: Aug 22 11:42:34.530 EDT: TCP1: state was FINWAIT2 -> TIMEWAIT [9001
-> 63.64.73.10(46422)]
002178: Aug 22 11:42:34.530 EDT: tcp1: O TIMEWAIT 63.64.73.10:9001
206.64.200.15:46422 seq 914587234
        ACK 798650462  WIN 4128
002179: Aug 22 11:42:53.905 EDT: TCP1: state was TIMEWAIT -> CLOSED [9001 ->
63.64.73.10(46421)]
002180: Aug 22 11:42:53.905 EDT: TCB 0x65AA484C destroyed

-luan


 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Min Qiu
Sent: Monday, August 22, 2005 10:39 AM
To: Cheung, Rick; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Router TCP ports

2065 could be aux port.

Min

> -----Original Message-----
> From: Cheung, Rick [mailto:Rick.Cheung at nextelpartners.com]
> Sent: Monday, August 22, 2005 9:39 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Router TCP ports
> 
> 
> 
> 	Hi, folks, I have a 2620 running 12.3.13 with the IPSec/FW/IDS 
> feature set. Doing a port scan against the router, I notice in 
> addition to 22, ports 2065, 4065, 6065, 9065 open as well.
> 
> 	This is with "transport input ssh" configured on the VTYs. When I 
> telnet to the router, it resets the connection, as expected. Oddly 
> enough, telnetting to the router on 2065, 4065, and 6065 reveals the 
> login banner, and the username prompt, but it does not allow any 
> input, and it times out within five seconds. Telnetting to port 9065, 
> the router completes the three way handshake, but immediately resets 
> the connection; no login prompt.
> 
> 	I'm just curious as to what those ports are. Anyone know?
> 
> 	A 2811 running 12.4.T2 Advanced IP Security also has high numbered 
> ports open: 2001, 4001, 6001, 9001. It exhibits the same behavior as 
> with the 2620.
> 
> 
> 
> 
> Thanks,
> Rick Cheung
> NPI IT Wan Analyst
> 585-350-2097 (Desk)
> 178*1*2097 (DAP)
> 
> 
> 
> This message, including any attachments, contains confidential 
> information intended for a specific individual and purpose and is 
> protected by law. If you are not the intended recipient, please 
> contact sender immediately by reply e-mail and destroy all copies.
> You are hereby notified that any disclosure, copying, or distribution 
> of this message, or the taking of any action based on it, is strictly 
> prohibited.
> 
> WARNING: Computer viruses can be transmitted via email. The recipient 
> should check this email and any attachments for the presence of 
> viruses. The sender accepts no liability for any damage caused by any 
> virus transmitted by this email. E-mail transmission cannot be 
> guaranteed to be secure or error-free as information could be 
> intercepted, corrupted, lost, destroyed, arrive late or incomplete, or 
> contain viruses. The sender therefore does not accept liability for 
> any errors or omissions in the contents of this message, which arise 
> as a result of e-mail transmission.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list