[c-nsp] Port 1720 & 1863

abs abhishake00 at yahoo.com
Wed Dec 23 15:14:20 EST 2009


Doesn't look like it's being intercepted... the traffic goes from my host to the router to my IP address...

--- On Wed, 12/23/09, Jared Mauch <jared at puck.nether.net> wrote:

From: Jared Mauch <jared at puck.nether.net>
Subject: Re: [c-nsp] Port 1720 & 1863
To: "abs" <abhishake00 at yahoo.com>
Cc: "Steve Bertrand" <steve at ibctech.ca>, cisco-nsp at puck.nether.net
Date: Wednesday, December 23, 2009, 2:38 PM

Have you done a tcptraceroute to see if someone is intercepting your tcp/1720?

- Jared

On Dec 23, 2009, at 2:34 PM, abs wrote:

> That makes a lot more sense now...
> 
> The box I'm running nmap from is at a remote location. I am able to telnet into port 1720 and the connection is established (as per netstat -na).
> 
> I also added deny tcp any any eq 1720 at the top of the ACL, but that still didn't help. I'm still able to connect to that port using telnet...
> 
> I even tried removing the established rule, but that didn't change anything either.
> 
> --- On Wed, 12/23/09, Steve Bertrand <steve at ibctech.ca> wrote:
> 
> From: Steve Bertrand <steve at ibctech.ca>
> Subject: Re: [c-nsp] Port 1720 & 1863
> To: "abs" <abhishake00 at yahoo.com>
> Cc: "Adam Strawson" <adam at thepub.cx>, cisco-nsp at puck.nether.net
> Date: Wednesday, December 23, 2009, 2:20 PM
> 
> abs wrote:
>> That is what I was thinking as well, so I removed that line, but that caused all responses to internal traffic to be blocked. What do you exactly mean by specific? Wouldn't I have to put a rule for each type of traffic?
> 
> On an inbound ACL, allowing established TCP sessions means that a TCP
> connection must be made from the 'internal' side of the interface, and
> only inbound TCP traffic that is associated with that session can
> ingress the interface.
> 
> Your 'deny ip any any' at the end would block ALL inbound TCP, other
> than SSH and pre-established (by an internal device) sessions.
> 
> Reviewing your other email (that hasn't hit the list yet), do you happen
> to have an H.323 session established to your nmap box when you see the
> port as open?
> 
> What do you see when you (while on your nmap box):
> 
> % telnet <ip addr> 1720
> % netstat -na | grep 1720
> % netstat -na | grep <ip of remote>
> 
> If you want, provide me with the IP of the box off-list, and I'll scan
> it from one of my hosts.
> 
> Steve
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
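Steve's description of the inbound ACL can be checked against a small model. The Python below is an added illustration for this thread, not code or configuration from any of the posters or from Cisco. It assumes the IOS meaning of `established` (it matches any TCP segment with the ACK or RST bit set and is a stateless flag check, not connection tracking), models only the three entries Steve mentions (permit SSH, permit established, deny ip any any) plus abs's `deny tcp any any eq 1720`, treats all addresses as `any`, and uses constructed sample packets. It shows that a plain SYN to tcp/1720 cannot pass either version of the list, so a telnet that completes the three-way handshake means those packets are not crossing that ACL in the assumed direction, which is what the tcptraceroute suggestion is probing; it also shows that a bare ACK (as sent by an nmap ACK scan) does pass the original list.

```python
"""Toy evaluator for a Cisco IOS extended ACL applied inbound on the outside
interface.  Added example, not from the thread.  Assumed semantics (IOS):
entries are checked top to bottom, the first match wins, an implicit
'deny ip any any' ends the list, and 'established' matches a TCP segment
whose ACK or RST flag is set.  Source/destination addresses are not modelled
(everything is 'any any')."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str                                  # "tcp", "udp", ...
    dport: int                                  # destination port
    flags: Set[str] = field(default_factory=set)  # TCP flags, e.g. {"SYN"}


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything, else "tcp"/"udp"
    dport: Optional[int] = None  # None means any port ("eq N" otherwise)
    established: bool = False   # the IOS 'established' keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        # 'established' is a flag test: ACK or RST present, nothing else.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the verdict of the first matching entry, or the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The list as Steve describes it: SSH in, replies to internal sessions, deny rest.
ACL_ORIGINAL = [
    Entry("permit", "tcp", dport=22),
    Entry("permit", "tcp", established=True),
    Entry("deny", "ip"),
]

# abs's variant: 'deny tcp any any eq 1720' placed at the top.
ACL_WITH_DENY_1720 = [Entry("deny", "tcp", dport=1720)] + ACL_ORIGINAL

# Constructed sample traffic arriving on the outside interface.
SAMPLE_PACKETS = {
    "syn_to_1720":               Packet("tcp", 1720, {"SYN"}),        # telnet/nmap connect
    "syn_to_22":                 Packet("tcp", 22, {"SYN"}),          # inbound SSH
    "synack_to_internal_client": Packet("tcp", 51234, {"SYN", "ACK"}),  # reply to inside-initiated session
    "ack_scan_1720":             Packet("tcp", 1720, {"ACK"}),        # nmap -sA style probe
    "udp_1720":                  Packet("udp", 1720),
}


def classify(acl: List[Entry]) -> dict:
    """Verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL),
                       ("deny 1720 on top", ACL_WITH_DENY_1720)):
        print(label)
        for name, verdict in classify(acl).items():
            print(f"  {name:28s} {verdict}")
```

The point for the thread: under either list the SYN to 1720 is dropped, so a completed telnet handshake from the remote box means the ACL is not in the path of that traffic (wrong interface or direction, or a different device answering), not that the entries are wrong. The bare-ACK row is the one caveat when interpreting an nmap result: an ACK scan reports 1720 as "unfiltered" through the original list even though no connection can be made.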
