[c-nsp] Router TCP ports

Cheung, Rick Rick.Cheung at nextelpartners.com
Tue Aug 23 10:24:13 EDT 2005


	Thanks for the reply.

	Applying an access-class on the VTY failed to mask the open
ports, 2065, 4065, 9065. Configuring transport input none closed the
ports on the router, though.

	I've forgotten the stream, binary, and xremote ports; it's been
a while since my NP days.



Thanks,
Rick Cheung

-----Original Message-----
From: Ryan O'Connell [mailto:ryan at complicity.co.uk]
Sent: Monday, August 22, 2005 7:23 PM
To: Cheung, Rick
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Router TCP ports


On 22/08/2005 14:38, Cheung, Rick wrote:

| Hi, folks, I have a 2620 running 12.3.13 with the IPSec/FW/IDS feature
| set. Doing a port scan against the router, I notice in addition to 22,
| ports 2065, 4065, 6065, 9065 open as well.
|
| This is with "transport input ssh" configured on the VTYs. When I
| telnet to the router, it resets the connection, as expected. Oddly
| enough, telnetting to the router on 2065, 4065, and 6065 reveals the
| login banner, and the username prompt, but it does not allow any
| input, and it times out within five seconds. Telnetting to port 9065,
| the router completes the three way handshake, but immediately resets
| the connection; no login prompt.
|
| I'm just curious as to what those ports are. Anyone know?


As noted by another poster, these are reverse telnet ports for AUX.
The 2620 has "support" for up to 64 async lines - actually, you can only
put an NM-32A in one which is 32 lines but the way IOS works it also
reserves 32 ports for the first two WIC slots as if it's really an NM
slot rather than fixed config. (You can put async-capable cards in the
WIC slots which is why it needs to reserve some ports. This is annoying
because when using a 26xx as a console router, the ports start numbering
at 2032 rather than 2001.)

Con is always port 0 (2000/4000/6000) and aux is, confusingly, always
max_ports + 1, which is 65 in this case. 2000-range ports are "basic"
reverse telnet, 4xxx is stream mode, 6xxx is binary mode and 9xxx is
xremote - there are more, but they're disabled by default - see
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm for the
full list.

To disable these ports you should be able to do:

line aux 0
 no transport input telnet

Failing that, setting an outgoing access-class on the line that denies
all IPs should do the trick.

-- 
Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines, I'm just learning
new things with the passage of time


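The port arithmetic Ryan describes (2000/4000/6000/9000 plus the absolute line number, con being line 0 and aux being max_ports + 1) is easy to get wrong when triaging a scan, so here is an added worked example. It is not code from the thread or from Cisco; it encodes only the rules stated in Ryan's message. The scan result is constructed to match Rick's 2620 (64 reserved async lines), the "tty N" naming for the async lines is an assumption, and the generated config uses "transport input none", which Rick reported closed the ports.

```python
"""Map Cisco IOS reverse-telnet TCP ports to IOS lines and back.

Added example, not from the original thread. Rules taken from the thread:
  - port = base + absolute line number
  - bases: 2000 basic telnet, 4000 stream, 6000 binary, 9000 xremote
  - console is absolute line 0; aux is max_async_lines + 1
"""

# Port bases from Ryan's message (other ranges exist but are off by default).
PORT_BASES = {
    2000: "telnet",   # basic reverse telnet
    4000: "stream",   # stream mode
    6000: "binary",   # binary mode
    9000: "xremote",  # xremote
}


def classify_port(port):
    """Return (service, absolute_line) for a reverse-telnet port, else None."""
    for base in sorted(PORT_BASES):
        offset = port - base
        if 0 <= offset < 1000:
            return PORT_BASES[base], offset
    return None


def line_name(absolute_line, max_async_lines):
    """Translate an absolute line number into the name used under 'line'.

    Assumption (not stated in the thread): async lines 1..N are 'tty N'.
    Anything past aux is not a reverse-telnet target and is reported as such.
    """
    if absolute_line == 0:
        return "con 0"
    if 1 <= absolute_line <= max_async_lines:
        return "tty %d" % absolute_line
    if absolute_line == max_async_lines + 1:
        return "aux 0"
    return "unknown"


def reverse_telnet_ports(absolute_line):
    """All four default reverse-telnet ports IOS exposes for one line."""
    return {base + absolute_line for base in PORT_BASES}


def triage(open_ports, max_async_lines):
    """Explain each open port from a scan: port -> human-readable description."""
    result = {}
    for port in sorted(open_ports):
        hit = classify_port(port)
        if hit is None:
            result[port] = "not a reverse-telnet port"
        else:
            service, absolute_line = hit
            result[port] = "reverse telnet (%s) to line %s" % (
                service, line_name(absolute_line, max_async_lines))
    return result


def hardening_config(line="aux 0"):
    """IOS snippet that closed the ports in the thread (transport input none)."""
    return "line %s\n transport input none\n" % line


# Constructed scan result modelled on Rick's 2620: 64 async lines reserved,
# so aux is absolute line 65 and SSH is the only intended listener.
MAX_ASYNC_LINES = 64
SCAN = [22, 2065, 4065, 6065, 9065]

if __name__ == "__main__":
    for port, description in triage(SCAN, MAX_ASYNC_LINES).items():
        print("%5d  %s" % (port, description))
    print(hardening_config())
```

After pushing the config, re-scan rather than trusting the CLI: the thread shows that an access-class on the VTYs does not touch these listeners, because they belong to the aux line, not the VTYs.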



More information about the cisco-nsp mailing list