1. Home
  2. Cisco Systems
  3. Please clarify about opened ports/service

Please clarify about opened ports/service

Guys,

I was told by a vendor to have ports 80, 443, and 3001 opened for both directions for this pc that the HR uses.

I went in and added the service through the pdm using the "Managed Service Groups" for the service/ports.

When I did a port scan, the 3001 & 443 ports still show as "stealth". Any idea?

Here is my show running-config. This is just the config for outside coming in inside (destination) only.

Thanks, Tony

------------------------------------------------------------------- PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names object-group service myservicegroup tcp description testing port-object eq www port-object eq https port-object eq 3001 access-list inside_access_in permit ip any any access-list 101 permit tcp any host 66.159.AAA.AA eq smtp access-list outside_access_in remark Test access-list outside_access_in permit tcp any any object-group myservicegroup pager lines 24 logging on mtu outside 1500 mtu inside 1500 ip address outside 66.159.AAA.AA 255.255.255.0 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPN_Client 192.168.1.101-192.168.1.125 pdm location 192.168.1.96 255.255.255.224 outside pdm location 192.168.1.2 255.255.255.255 inside pdm logging debugging 101 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 66.159.AAA.A 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-pptp telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local VPN_Client vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username tony password ********* vpdn username tracy password ********* vpdn enable outside vpdn enable inside dhcpd address 192.168.1.2-192.168.1.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80
Reply to
tractng
Loading thread data ...

In article , snipped-for-privacy@gmail.com wrote: :I was told by a vendor to have ports 80, 443, and 3001 opened for both :directions for this pc that the HR uses.

:I went in and added the service through the pdm using the "Managed :Service Groups" for the service/ports.

:When I did a port scan, the 3001 & 443 ports still show as "stealth". :Any idea?

"Stealth"? Have you been relying on grc.com ?

You did mention pdm earlier, which implied PIX, but as this newsgroup deals with several devices with overlapping management software, it's always good to mention the device type explicitly early on.

You should note that PIX 6.3(1) has several known security holes, and that free upgrades are available to 6.3(4). [Someone had trouble recently getting 6.3(4) itself free, but I pointed them to the relevant URL.]

:object-group service myservicegroup tcp :description testing :port-object eq www :port-object eq https :port-object eq 3001

:access-list outside_access_in remark Test :access-list outside_access_in permit tcp any any object-group myservicegroup

:ip address outside 66.159.AAA.AA 255.255.255.0 :ip address inside 192.168.1.1 255.255.255.0

:global (outside) 1 interface :nat (inside) 1 0.0.0.0 0.0.0.0 0 0 :access-group outside_access_in in interface outside

You don't have any 'static' commands (or the technical equivilent), so the PIX isn't going to allow in any new incoming connections.

static (inside,outside) PCPUBLICIP PCINTERNALIP netmask 255.255.255.255 0 0

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.