Saturday, July 31, 2021

Cisco - tcp port 53 open...

Good morning,

I do normally run a quick nmap on my external after a deployment, but for whatever reason I decided not to until this morning (go figure).

I have a Cisco router w/ a PPPoE DSL connection with a static IP.

I ran an nmap and I see port 53 (tcp) is open externally -- great. I can telnet to 53, I can do an nslookup using this IP, etc. -- which is less than ideal.

The router has "no ip domain-lookup" enabled, and when I do a "show control-plane host open-ports" -- port 53 is not listed.

Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 i.p.i.p:1026 SSH-Server ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:123 *:0 NTP LISTEN
udp *:4500 *:0 ISAKMP LISTEN
udp *:500 *:0 ISAKMP LISTEN

Additionally, I have an ACL on the dialer1 interface (inbound) with the following:

!
ip access-list extended OutIn
 remark *** Guards ***
 permit tcp any any established
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 remark *** Tunnel ***
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark *** Management ***
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any traceroute
 permit tcp any any eq 22
 remark *** Deny ***
 deny ip any any log
!

And yet -- 53 remains open (externally) and nslookup still works perfectly.

How is this even possible?

Note: If I reboot the router and try pinging the IP, it does go offline -- so it's not an incorrect IP with false positives or anything like that.

Thank-you!
