I'm running 12.2(11)T ip/fw/ids/3DES... The scan came back with Cu-seeme, talk, tftp, rpc-nfs, rwho, biff, name, rpc-portmapper, rwho, snmp-agent, syslog, dhcp, dns, etc... Since the router is fundamentally a unix box I can see this happening... How the heck do ya shut down the services? Also tried shutting down the VoIP stuff... No go! I didn't think an ACL would be useful given the services appear to be running on the router itself. Kinda like stopping a service on a *nix or windoz computer. Plz lemme know your thoughts...

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Lhotse
no logging console
aaa new-model
!
aaa authentication login ops line
aaa session-id common
enable secret
enable password
!
ip subnet-zero
no ip source-route
!
no ip domain lookup
ip domain name abnamrousa.com
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
mta receive maximum-recipients 0
!
interface Ethernet0/0
 ip address x.x.x.x 255.255.255.0
 ip access-group 2 out
 ip nat inside
 half-duplex
 no cdp enable
!
interface Serial0/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address y.y.y.y 255.255.255.252
 ip access-group 1 in
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 501 IETF
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
 no cdp enable
!
interface Serial0/1
 no ip address
 no keepalive
 shutdown
 no cdp enable
!
ip classless
no ip http server
!
access-list 1 deny 65.204.141.10
access-list 1 deny 65.204.68.194
access-list 1 deny 65.204.132.5
access-list 1 deny 65.3.0.83
access-list 1 deny 65.204.176.42
access-list 1 deny 80.132.79.133
access-list 1 deny 65.5.36.66
access-list 1 deny 65.0.13.111
access-list 1 deny 65.204.21.189
access-list 1 deny 65.204.103.194
access-list 1 deny 65.204.95.250
access-list 1 deny 65.204.103.196
access-list 1 deny 65.204.39.133
access-list 1 deny 65.204.232.83
access-list 1 deny 65.204.212.31
access-list 1 deny 65.196.200.11
access-list 1 deny 65.115.13.98
access-list 1 deny 65.204.39.244
access-list 1 deny 65.204.222.51
access-list 1 deny 65.204.219.50
access-list 1 deny 65.195.0.229
access-list 1 deny 65.204.176.77
access-list 1 deny 65.204.135.120
access-list 1 deny 65.204.57.200
access-list 1 deny 64.168.217.182
access-list 1 deny 65.204.38.59
access-list 1 deny 65.204.73.87
access-list 1 deny 65.204.0.30
access-list 1 deny 65.204.118.100
access-list 1 deny 65.204.220.227
access-list 1 deny 65.204.61.3
access-list 1 deny 65.204.29.36
access-list 1 deny 65.204.135.200
access-list 1 deny 65.204.135.205
access-list 1 deny 65.204.240.181
access-list 1 deny 65.204.135.209
access-list 1 deny 65.204.135.214
access-list 1 deny 65.204.160.201
access-list 1 deny 65.204.160.200
access-list 1 deny 65.204.103.2
access-list 1 deny 65.204.160.199
access-list 1 deny 65.204.160.198
access-list 1 deny 65.204.160.195
access-list 1 deny 65.204.202.180
access-list 1 deny 65.204.202.179
access-list 1 deny 65.204.49.67
access-list 1 deny 65.204.125.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 199.172.158.0 0.0.0.255
access-list 2 deny 128.242.104.0 0.0.0.255
access-list 2 permit any
access-list 13 permit x.x.x.x
no cdp run
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 access-class 13 in
 password
 login authentication ops
 transport input ssh
!
end

-----Original Message-----
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: IOS upgrade/Strange services [7:53492]

What's the version of IOS? What's your Access-lists look like??

Truthfully, AFAIK, the only way that all of those services could be detected from multiple hosts after performing a port scan (assuming from the "far-end"/"outside" interface) is from either A) not having access-lists defined and static NAT is in place for each of the hosts in question, or B) there are access-lists in place, but said ACLs are being used/implemented incorrectly... i.e., Something like acl 101 permit ip any any rather than a more granular set of permit statements and a deny for everything else.

Can you post a scrubbed version of your config for this router??

-Mark

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53562&t=53492
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
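
The distinction raised in the thread, a catch-all permit versus granular permits with a deny for everything else, can be checked mechanically. The script below is an added example, not part of the original messages: it parses IOS-style config text and reports every interface or line binding whose ACL contains an unrestricted permit. The sample config is constructed (documentation addresses) and the function names are hypothetical.

```python
import re

# Constructed sample: abridged config in the shape of the one posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip access-group 2 out
interface Serial0/0.1 point-to-point
 ip access-group 1 in
access-list 1 deny 192.0.2.10
access-list 1 deny 198.51.100.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 203.0.113.0 0.0.0.255
access-list 2 permit any
access-list 13 permit 192.0.2.50
line vty 0 4
 access-class 13 in
"""

# Unrestricted permit: standard "permit any" or extended "permit ip any any".
CATCH_ALL = re.compile(r"^permit\s+(any|ip\s+any\s+any)(\s+log)?$")


def parse(config):
    """Return (ACL entries keyed by number, list of (binding point, acl, direction))."""
    acls, bindings, iface = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("line "):
            iface = line
        m = re.match(r"access-list\s+(\d+)\s+(.*)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
        m = re.match(r"(?:ip access-group|access-class)\s+(\d+)\s+(in|out)$", line)
        if m and iface:
            bindings.append((iface, m.group(1), m.group(2)))
    return acls, bindings


def default_permit_bindings(config):
    """Bindings whose ACL has a catch-all permit, so the implicit deny never applies."""
    acls, bindings = parse(config)
    return [(i, n, d) for i, n, d in bindings
            if any(CATCH_ALL.match(e) for e in acls.get(n, []))]


if __name__ == "__main__":
    for iface, num, direction in default_permit_bindings(SAMPLE_CONFIG):
        print(f"{iface}: access-list {num} ({direction}) contains a catch-all permit")
```
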