[c-nsp] Router TCP ports

robbie robbie at packetized.org
Mon Aug 22 19:01:17 EDT 2005


Incorrect. TCP/2065 is one of a couple of DLSw+ over TCP ports (others being 
2067, 1981, 1982, and 1983, if memory serves). I think that 4065 and 6065 are 
also used for FST under DLSw+. 9001 is used for Xremote (old school xsession 
router kungf00), and 2001 is typically used for reverse telnet. If I recall, 
4001/6001 are deprecated management ports used long ago in the dark days 
before IOS 11.0.

AUX port is typically TTY65, as illustrated (12.2(15)T16 on a 2600 below)

Rack1R1#show line
    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
     65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     66 VTY              -    -      -    -    -      0       0     0/0       -
     67 VTY              -    -      -    -    -      0       0     0/0       -
     68 VTY              -    -      -    -    -      0       0     0/0       -
     69 VTY              -    -      -    -    -      0       0     0/0       -
     70 VTY              -    -      -    -    -      0       0     0/0       -

Line(s) not in async mode -or- with no hardware support:
1-64

-- 
Cheers,
Robbie

Luan Nguyen wrote:
> 2065 is the aux 0 port.  Check config under line aux 0.  show ip socket on
> the router doesn't reveal those ports as open though...
> If under line aux 0, you set transport input ssh, then it will behave like
> those vty lines (for me it is this way)
> 2065 is the tcp telnet port, 4065 is the raw tcp port and 4065 is the binary
> tcp port.
> With the new isr platform, 2811 included, I think Cisco changed their ways
> of doing things.
> uusiteLuan1841#show line
>    Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
> *    0    0 CTY              -    -      -    -    -     0      0    0/0       -
>      1    1 AUX   9600/9600  - inout     -    -    -     0      0    0/0       -
>    194  194 VTY              -    -      -    -    -    15      0    0/0       -
>    195  195 VTY              -    -      -    -    -     0      0    0/0       -
>    196  196 VTY              -    -      -    -    -     0      0    0/0       -
>    197  197 VTY              -    -      -    -    -     0      0    0/0       -
> 
> So the aux now is 1 instead of 65.
> Don't know about the 9065 and 9001 port though.  Would be nice to see your
> running config since I got disconnected right away telnetting to
> 9001...saying resource insufficient.
> 
> uusiteLuan1841#
> 002151: Aug 22 11:42:34.518 EDT: tcp0: I LISTEN 63.64.73.10:46422
> 206.64.200.15:9001 seq 798650460
>         OPTS 4 SYN  WIN 8760
> 002152: Aug 22 11:42:34.518 EDT: TCP0: state was LISTEN -> SYNRCVD [9001 ->
> 63.64.73.10(46422)]
> 002153: Aug 22 11:42:34.518 EDT: TCP: tcb 65A5C940 connection to
> 63.64.73.10:46422, peer MSS 1460, MSS is 516
> 002154: Aug 22 11:42:34.518 EDT: TCP: sending SYN, seq 914587220, ack
> 798650461
> 002155: Aug 22 11:42:34.518 EDT: TCP0: Connection to 63.64.73.10:46422,
> advertising MSS 536
> 002156: Aug 22 11:42:34.518 EDT: tcp0: O SYNRCVD 63.64.73.10:9001
> 206.64.200.15:46422 seq 914587220
>         OPTS 4 ACK 798650461 SYN  WIN 4128
> 002157: Aug 22 11:42:34.518 EDT: tcp0: I SYNRCVD 63.64.73.10:46422
> 206.64.200.15:9001 seq 798650461
>         ACK 914587221  WIN 9112
> 002158: Aug 22 11:42:34.518 EDT: TCP0: state was SYNRCVD -> ESTAB [9001 ->
> 63.64.73.10(46422)]
> 002159: Aug 22 11:42:34.522 EDT: Telnet1: 1 1 251 1
> 002160: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent WILL ECHO (1)
> 002161: Aug 22 11:42:34.522 EDT: Telnet1: 2 2 251 3
> 002162: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent WILL SUPPRESS-GA (3)
> 002163: Aug 22 11:42:34.522 EDT: Telnet1: 80000 80000 253 24
> 002164: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent DO TTY-TYPE (24)
> 002165: Aug 22 11:42:34.522 EDT: Telnet1: 10000000 10000000 253 31
> 002166: Aug 22 11:42:34.522 EDT: TCP1: Telnet sent DO WINDOW-SIZE (31)
> 002167: Aug 22 11:42:34.522 EDT: tcp1: O ESTAB 63.64.73.10:9001
> 206.64.200.15:46422 seq 914587221
>         DATA 12 ACK 798650461 PSH  WIN 4128
> 002168: Aug 22 11:42:34.522 EDT: TCP1: state was ESTAB -> FINWAIT1 [9001 ->
> 63.64.73.10(46422)]
> 002169: Aug 22 11:42:34.526 EDT: tcp1: O FINWAIT1 63.64.73.10:9001
> 206.64.200.15:46422 seq 914587233
>         ACK 798650461 FIN PSH  WIN 4128
> 002170: Aug 22 11:42:34.526 EDT: TCP1: sending FIN
> 002171: Aug 22 11:42:34.526 EDT: TCP: Available resources insufficient
> 002172: Aug 22 11:42:34.526 EDT: tcp1: I FINWAIT1 63.64.73.10:46422
> 206.64.200.15:9001 seq 798650461
>         ACK 914587233  WIN 9112
> 002173: Aug 22 11:42:34.526 EDT: tcp1: I FINWAIT1 63.64.73.10:46422
> 206.64.200.15:9001 seq 798650461
>         ACK 914587234  WIN 9112
> 002174: Aug 22 11:42:34.530 EDT: TCP1: state was FINWAIT1 -> FINWAIT2 [9001
> -> 63.64.73.10(46422)]
> 002175: Aug 22 11:42:34.530 EDT: tcp1: I FINWAIT2 63.64.73.10:46422
> 206.64.200.15:9001 seq 798650461
>         ACK 914587234 FIN  WIN 9112
> 002176: Aug 22 11:42:34.530 EDT: TCP1: FIN processed
> 002177: Aug 22 11:42:34.530 EDT: TCP1: state was FINWAIT2 -> TIMEWAIT [9001
> -> 63.64.73.10(46422)]
> 002178: Aug 22 11:42:34.530 EDT: tcp1: O TIMEWAIT 63.64.73.10:9001
> 206.64.200.15:46422 seq 914587234
>         ACK 798650462  WIN 4128
> 002179: Aug 22 11:42:53.905 EDT: TCP1: state was TIMEWAIT -> CLOSED [9001 ->
> 63.64.73.10(46421)]
> 002180: Aug 22 11:42:53.905 EDT: TCB 0x65AA484C destroyed
> 
> -luan
> 
> 
>  
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Min Qiu
> Sent: Monday, August 22, 2005 10:39 AM
> To: Cheung, Rick; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Router TCP ports
> 
> 2065 could be aux port.
> 
> Min
> 
> 
>>-----Original Message-----
>>From: Cheung, Rick [mailto:Rick.Cheung at nextelpartners.com]
>>Sent: Monday, August 22, 2005 9:39 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: [c-nsp] Router TCP ports
>>
>>
>>
>>	Hi, folks, I have a 2620 running 12.3.13 with the IPSec/FW/IDS 
>>feature set. Doing a port scan against the router, I notice in 
>>addition to 22, ports 2065, 4065, 6065, 9065 open as well.
>>
>>	This is with "transport input ssh" configured on the VTYs. When I 
>>telnet to the router, it resets the connection, as expected. Oddly 
>>enough, telnetting to the router on 2065, 4065, and 6065 reveals the 
>>login banner, and the username prompt, but it does not allow any 
>>input, and it times out within five seconds. Telnetting to port 9065, 
>>the router completes the three way handshake, but immediately resets 
>>the connection; no login prompt.
>>
>>	I'm just curious as to what those ports are. Anyone know?
>>
>>	A 2811 running 12.4.T2 Advanced IP Security also has high numbered 
>>ports open: 2001, 4001, 6001, 9001. It exhibits the same behavior as 
>>with the 2620.
>>
>>
>>
>>
>>Thanks,
>>Rick Cheung
>>NPI IT Wan Analyst
>>585-350-2097 (Desk)
>>178*1*2097 (DAP)
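
As an added example (not from any poster in this thread): a reconciliation check that parses `show line` output, finds the AUX/TTY lines, and lists the TCP ports a scan should be expected to report for them. It assumes the IOS reverse-connection port bases (2000 Telnet, 4000 raw TCP, 6000 binary Telnet, 9000 XRemote, each plus the absolute line number); the function names and the trimmed sample outputs are constructed for illustration.

```python
import re

# Assumption: IOS reverse-connection bases; TCP port = base + absolute line number.
BASES = {2000: "telnet", 4000: "raw TCP", 6000: "binary telnet", 9000: "XRemote"}

# Matches both layouts in the thread: "Tty Typ ..." and "Tty Line Typ ...",
# with an optional leading "*" (active line) and optional "> " quoting.
LINE_RE = re.compile(r"^[>\s]*\*?\s*(\d+)(?:\s+\d+)?\s+(CTY|AUX|TTY|VTY)\b")

def async_lines(show_line):
    """Return [(line_number, type)] for the AUX/TTY rows of `show line`."""
    found = []
    for row in show_line.splitlines():
        m = LINE_RE.match(row)
        if m and m.group(2) in ("AUX", "TTY"):
            found.append((int(m.group(1)), m.group(2)))
    return found

def expected_ports(show_line):
    """Map each TCP port a scan may report to (line number, type, service)."""
    ports = {}
    for num, typ in async_lines(show_line):
        for base, svc in BASES.items():
            ports[base + num] = (num, typ, svc)
    return ports

def unexplained(scan_ports, show_line, known=(22,)):
    """Scan hits explained neither by async lines nor by `known` services."""
    exp = expected_ports(show_line)
    return sorted(p for p in scan_ports if p not in exp and p not in known)

# Constructed samples: rows trimmed from the two outputs quoted in the thread.
R2600 = """\
    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
     65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     66 VTY              -    -      -    -    -      0       0     0/0       -
"""
ISR = """\
>    Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns
> *    0    0 CTY              -    -      -    -    -     0      0    0/0
>      1    1 AUX   9600/9600  - inout     -    -    -     0      0    0/0
>    194  194 VTY              -    -      -    -    -    15      0    0/0
"""

if __name__ == "__main__":
    for name, out in (("2600", R2600), ("ISR", ISR)):
        for port, (num, typ, svc) in sorted(expected_ports(out).items()):
            print(f"{name}: tcp/{port} -> {typ} line {num} ({svc})")
```

Run against the two outputs above, it accounts for 2065/4065/6065/9065 where AUX is line 65 and for 2001/4001/6001/9001 where AUX is line 1; anything `unexplained()` returns deserves a closer look. If the AUX line is not used for reverse connections, `transport input none` under `line aux 0` closes these listeners.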

