Cisco 877 - Stealth Port Scan

Hi,

My router has had constant hacking attempts so I have spent all night trying to get all of my ports returning stealth when I run a port scan but I haven't had much luck.

I have found a way to do it from the Internet but my port forwards no longer work.

The configuration is as follows:

ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic

access-list 102 permit ip any 192.168.0.0 0.0.0.255
access-list 102 deny ip any any

int dialer0
 ip access-group 102 in
 no ip unreachables
 ip nat outside
 ip inspect Internet out
 ip inspect Internet in
 ip virtual-reassembly

For some reason, as soon as I apply access-group 102 to the dialer0 interface, my port forwards cease to work but I am still able to open web pages etc.

An example of a port forward would be the following:

ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp 192.168.0.2 9002 interface Dialer0 9002
ip nat inside source static tcp 192.168.0.2 9002 interface Dialer0 9002

If anyone can assist me it would be great!

Thanks

Peter

Reply to
Peter Danes

dialer0 is your outside interface, so the "in" access-group will be processed -before- NAT is applied. Thus it must have the public destinations.

Reply to
Walter Roberson

Thanks for the reply Walter.

Can you or someone elaborate on what I need to do exactly?

Reply to
Peter Danes

Anyone...? =)

Reply to
Peter Danes

You need to add to the ACL 102 permit statements to allow your inbound traffic in.

You NEED to specify the address of dialer 0. If you have a dynamic address then this will be a limitation but unless you are getting hit from your ISP you will be able to work around it.

Let's use a.b.c.d to represent your dialer 0 IP address.

This one does nothing useful to you:

access-list 102 permit ip any 192.168.0.0 0.0.0.255

You do need:

access-list 102 permit udp any host a.b.c.d eq 9002
access-list 102 permit tcp any host a.b.c.d eq 9002
access-list 102 deny ip any any

If your IP address changes a lot you could do something like

access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
access-list 102 deny ip any any

Choose the wildcard length to match your possible IP address range.

Reply to
Bod43
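The ordering Walter points out (the inbound access-group on dialer0 is checked before the static NAT translation rewrites the destination, so the packet still carries the public address when the ACL sees it) is easy to show with a small first-match ACL evaluator. This is an added example, not code from the thread or from Cisco: 203.0.113.10 stands in for the poster's dialer0 address a.b.c.d and 198.51.100.7 for an Internet host (both documentation placeholders), and the evaluator only understands the ACE syntax used in this thread (any / host / address-plus-wildcard, optional "eq port", implicit deny at the end).

```python
import ipaddress

# Constructed placeholder for the poster's dialer0 public address "a.b.c.d"
# (203.0.113.0/24 is documentation space, so it is obviously not a real target).
PUBLIC_IP = "203.0.113.10"
INSIDE_HOST = "192.168.0.2"          # the host the static NAT entry forwards to


def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host X', or 'X wildcard') and
    return (network, remaining_tokens). Only contiguous wildcards are handled."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation, as IOS does it, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# The poster's original ACL 102: permits only packets whose destination is
# already the inside subnet, which an inbound packet on dialer0 never has pre-NAT.
ORIGINAL_ACL = """
access-list 102 permit ip any 192.168.0.0 0.0.0.255
access-list 102 deny ip any any
"""

# Bod43's corrected ACL: one permit per forwarded port, to the public address.
FIXED_ACL = f"""
access-list 102 permit udp any host {PUBLIC_IP} eq 9002
access-list 102 permit tcp any host {PUBLIC_IP} eq 9002
access-list 102 deny ip any any
"""


def check_port_forward(acl_text, proto="tcp", dport=9002, src="198.51.100.7"):
    """Evaluate an inbound packet the way the 'in' ACL on dialer0 sees it:
    before NAT, so the destination is PUBLIC_IP rather than INSIDE_HOST."""
    return evaluate(parse_acl(acl_text), proto, src, PUBLIC_IP, dport)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        fwd = check_port_forward(acl)
        probe = check_port_forward(acl, dport=22)   # a port with no forward
        print(f"{name:8s}: tcp/9002 -> {fwd}, tcp/22 -> {probe}")
```

With the original ACL every inbound packet, forwarded port or not, hits the final deny; outbound browsing kept working only because `ip inspect` (CBAC) opens temporary return-traffic holes for sessions it saw leave, which is also why the non-forwarded ports show as "stealth" (silently dropped, and with `no ip unreachables` nothing is sent back). With the fixed ACL the evaluator permits tcp/9002 and udp/9002 to the public address and still denies a probe to any other port, which is the behaviour the poster wanted.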

The above worked like a charm so give yourself a pat on the back for a job well done.

Thanks so much!

Reply to
Peter Danes

Doh! I spoke too soon.

My port forwards are still broken, the ports are stealth though.

Here is an example of my port forward if it will help at all.

ip nat inside source static tcp 192.168.0.9 9009 interface Dialer0 9009
ip nat inside source static udp 192.168.0.9 9009 interface Dialer0 9009

Reply to
Peter Danes

I have it figured out now so sorry about the last post.

For anyone interested, I had to create an ACL for every port forwarded. =)

Reply to
Peter Danes


That would be required.

Reply to
Bod43

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.