ACL filter tcp port

Dear Expert,
I am studying the ACL used to filter (block) TCP ports from the URL below:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
In the section "Allow Only Internal Networks to Initiate a TCP Session", I would be grateful if someone could explain the usage of "established":
interface ethernet0
ip access-group 102 in
access-list 102 permit tcp any any gt 1023 established
What is different if the ACL is changed to the following:
access-list 102 permit tcp any any gt 1023
Rgds

Dear Jennifer,
Very helpful.
Grateful if you would comment on the following configuration, in which I have digested your advice:
interface serial 0/0
 description 45M DS3 from HK to US
 ip access-group 105 in
interface fastethernet 0/0
 description Internal VLAN 100 for xxx department
 ip address 102.168.100.0 255.255.255.0
 ip access-group 101 in
access-list 101 remark -- only allow Web service from internal to outside --
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq http
access-list 105 remark -- allow return traffic if destination tcp port greater than 1023 --
access-list 105 permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023 established
! it should embed the partial function of "permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023", but the
! traffic should be permitted only if it is initiated from 192.168.100.0/24. If the traffic is initiated from outside,
! ACL 105 would deny it.
access-list 115 remark -- allow in/return traffic for tcp port greater than 1023 --
access-list 115 permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023
! the traffic is permitted no matter whether it is initiated from internal or external
access-list 125 remark -- allow return traffic for all tcp ports --
access-list 125 permit tcp any eq 80 192.168.100.0 0.0.0.255 established
! includes the function of ACL 105, and also covers tcp ports 1 to 1023
access-list 135 remark -- allow in/return traffic for all tcp ports --
access-list 135 permit tcp any eq 80 192.168.100.0 0.0.0.255
! includes the function of ACL 115, and also covers tcp ports 1 to 1023
If so, I would like to modify the ACL to support more services; grateful if you would comment on it.
access-list 101 remark -- only allow Internet services from internal to outside --
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq http
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq pop3
! tcp/143 = imap (IOS has no "imap" port keyword)
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 143
access-list 101 permit tcp host 192.168.100.120 eq 143 any established
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq telnet
access-list 145 remark --- return and in traffic ---
access-list 145 permit tcp any 192.168.100.0 0.0.0.255 gt 1023 established
access-list 145 permit tcp any host 192.168.100.120 eq 143
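To make the difference between the two forms of ACL 102 in the first post, and between ACLs 105/115/125/135 in the follow-up, visible on concrete segments, here is an added Python model of IOS extended-ACL matching. It is not Cisco code and not part of the thread; the outside address 203.0.113.10, the inside client 192.168.100.50 and the sample segments are constructed. The key point it demonstrates: `established` matches only segments that carry the ACK or RST bit, so it blocks a bare SYN arriving from outside, while the plain `gt 1023` line admits that SYN. It also shows the limit of the keyword: it keeps no session table, so any ACK-flagged segment passes whether or not an inside host ever opened the session, which is why a stateful mechanism (reflexive ACLs or a firewall) is the stronger control.

```python
# Added example: a small model of IOS extended-ACL matching, used to compare the
# ACLs discussed in this thread with and without the "established" keyword.
# This is not Cisco code; addresses and segments below are constructed samples.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool           # ACK flag; clear only on the first SYN of a session
    rst: bool = False   # RST flag


PortTest = Optional[Callable[[int], bool]]   # None means "any port"
AddrSpec = Tuple[str, str]                   # (address, IOS wildcard mask)


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp <src> [port] <dst> [port] [established]' entry."""
    src: AddrSpec
    sport: PortTest
    dst: AddrSpec
    dport: PortTest
    established: bool = False


ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")
INSIDE: AddrSpec = ("192.168.100.0", "0.0.0.255")   # the thread's internal /24


def eq(port: int) -> PortTest:
    return lambda p: p == port


def gt(port: int) -> PortTest:
    return lambda p: p > port


def addr_matches(ip: str, spec: AddrSpec) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    addr, wild = spec
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(addr)) & care)


def ace_matches(ace: Ace, seg: Segment) -> bool:
    if not (addr_matches(seg.src, ace.src) and addr_matches(seg.dst, ace.dst)):
        return False
    if ace.sport is not None and not ace.sport(seg.sport):
        return False
    if ace.dport is not None and not ace.dport(seg.dport):
        return False
    # "established" keeps no session table: it only tests the ACK or RST bit.
    if ace.established and not (seg.ack or seg.rst):
        return False
    return True


def acl_permits(acl: List[Ace], seg: Segment) -> bool:
    """First-match semantics with the implicit 'deny ip any any' at the end."""
    return any(ace_matches(ace, seg) for ace in acl)


# ACL 102 from the Cisco example in the first post, with and without "established".
ACL_102_ESTABLISHED = [Ace(ANY, None, ANY, gt(1023), established=True)]
ACL_102_PLAIN = [Ace(ANY, None, ANY, gt(1023))]
# ACLs 105/115/125/135 from the follow-up post, as their remarks describe them.
ACL_105 = [Ace(ANY, eq(80), INSIDE, gt(1023), established=True)]
ACL_115 = [Ace(ANY, eq(80), INSIDE, gt(1023))]
ACL_125 = [Ace(ANY, eq(80), INSIDE, None, established=True)]
ACL_135 = [Ace(ANY, eq(80), INSIDE, None)]
ACLS: Dict[str, List[Ace]] = {
    "102 established": ACL_102_ESTABLISHED, "102 plain": ACL_102_PLAIN,
    "105": ACL_105, "115": ACL_115, "125": ACL_125, "135": ACL_135,
}

# Constructed segments arriving inbound on serial 0/0 (Internet -> inside).
SEGMENTS: Dict[str, Segment] = {
    # SYN/ACK from a web server answering a session an inside client opened
    "return_synack": Segment("203.0.113.10", 80, "192.168.100.50", 40000, ack=True),
    # bare SYN from an outside host opening a session, sourced from port 80
    "outside_syn": Segment("203.0.113.10", 80, "192.168.100.50", 40000, ack=False),
    # reply to an inside client whose ephemeral port happened to be below 1024
    "low_port_reply": Segment("203.0.113.10", 80, "192.168.100.50", 1000, ack=True),
}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Permit/deny verdict of every ACL above for every sample segment."""
    return {name: {label: acl_permits(acl, seg) for label, seg in SEGMENTS.items()}
            for name, acl in ACLS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        cells = "  ".join(f"{k}={'permit' if v else 'deny'}" for k, v in verdicts.items())
        print(f"ACL {name:16} {cells}")
```

Running it shows that only the `established` variants deny `outside_syn`, that ACL 105 also denies the legitimate `low_port_reply` (the `gt 1023` condition bites), and that ACLs 125 and 135 admit it. Note that `return_synack` and an ACK-flagged segment from a host no inside client ever talked to look identical to this matcher; the keyword cannot tell them apart.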

Similar Messages

  • Extended ACL TCP port control

    Hi all,
    I have configured an ACL to control traffic going in/out of an interface via TCP ports. However, after applying the ACL to the interface, I find that even though the ports are allowed, traffic is blocked by the ACL.
    I suspected that it could be the initial TCP handshake (SYN, SYN/ACK, ACK etc.) not being allowed (due to the implicit deny). When I included that in the ACL, it worked. Is this a necessary step in an ACL that controls by TCP port?
    The reason I ask is that some of the ACLs configured with TCP port control have not been configured to allow SYN, ACK etc., but they work when applied to other interfaces.

    Hi,
    Thanks for the response. As far as the config of the ACL goes, it's quite straightforward for what I'm trying to achieve. 1.1.1.190 & 1.1.1.192 are mail servers. The objective is to control both .190 & .192. The config is as below:
    interface Vlan2
    description For Mail
    ip address 1.1.1.129 255.255.255.0
    ip access-group 2002 in
    end
    C6500#sh access-li 2002
    Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
    When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
    Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

  • Unknown open TCP ports on router

    Anyone know how to close these open ports on my Cisco 7606 router?
    Anyone know what these TCP ports are used for?
    49   - Not sure what this one is other than what IANA reports about TCP port 49
    4510
    4509
    2222
    I'm sure I could add an ACL to block communications to my router based on this ports but would rather figure out how to close 'em so this already overloaded router doesn't have additional processing.
    Cisco-7606# sh tcp br all
    TCB       Local Address           Foreign Address           (state)
    12EFC1C0  172.16.8.3.14401        10.8.2.14.49              TIMEWAIT
    1CC4F57C  172.16.8.3.26963        10.8.2.14.49              TIMEWAIT
    1A419F90  0.0.0.0.4510            *.*                       LISTEN
    1C581740  0.0.0.0.4509            *.*                       LISTEN
    1A417BBC  0.0.0.0.2222            *.*                       LISTEN
    12FB03A8  10.8.10.2.2222          10.8.1.42.4690            CLOSEWAIT
    12FB099C  10.8.10.2.2222          10.8.1.42.2233            CLOSEWAIT
    12FA7DF0  10.10.0.3.2222          10.8.1.15.4878            CLOSEWAIT
    1CD47780  10.10.0.3.2222          10.8.1.15.3917            CLOSEWAIT
    1CDDBCE0  10.8.10.2.2222          10.8.1.42.3964            CLOSEWAIT
    Cisco-7606# sh ver | i image
    System image file is "disk0:c7600rsp72043-advipservicesk9-mz.122-33.SRD3.bin"
    Tks
    Frank

    Frank
    I can offer some suggestion about one of your port numbers. TCP port 49 is used for TACACS. If you are using TACACS for authentication, or authorization, or accounting then we know why port 49 is open and blocking TCP49 will prevent TACACS from working with your router.
    I have no insights or suggestions about the other port numbers that you mention.
    HTH
    Rick

  • Route decisions based on destination TCP port with EIGRP

    Need information and plausibility on making routing decisions within EIGRP based on different destination TCP port.  I have a third party partner that we communicate too and they are adding a second location which we will connect too.  They are wanting to use the same destination host IP but make route decision based on destination TCP port; i.e. if we target tcp 6123 they want us to route down link A to site A, if we target tcp 7123 we would route down link B to site B.  I have never had to make that happen so I am looking into whether it actually can and if so what is basic configuration to pursue.  We use static IP routes to/from them today and will in the future at the edge, those are distributed internally to our EIGRP.  Can EIGRP make decisions based on IP and Port?

    No routing protocol makes decisions based on port number as far as I know.
    You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
    Depending on your connections you may well need to use tracking as well but it depends.
    If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
    If you do a search on PBR you should find quite a few examples but if you get stuck then by all means come back.

  • Need to accept incoming TCP port

    Hi All
    I manage a netware small business suite 6.5 server at the radio station where i work. The problem is that we have a peer-2-peer app that we use to transfer data between our 'sister' stations all over the country. Essentially, I'm wondering how to go about setting up a filter to allow incoming connections on TCP port 6699 for example ?? I had a hack at it and basically came up with the following:
    Source Interface: Public
    Destination Interface: All Interfaces
    protocol: TCP
    Src Ports: All
    Dest Ports: 6699
    ACK Bit Filt: disabled
    Stateful Filt: Enabled
    Src Addr Type: Host
    Src IP Add: xxx.xxx.xxx.xx
    Dest Addr Type: Any Address
    Will this allow port 6699 through? This may be the wrong newsgroup for this next question, but will i need to get some BorderManager Access rules going also to allow it through?
    Thanks All! Any and all help appreciated!
    Joel

    [email protected] wrote:
    > Source Interface: Public
    > Destination Interface: All Interfaces
    > protocol: TCP
    > Src Ports: All
    > Dest Ports: 6699
    > ACK Bit Filt: disabled
    > Stateful Filt: Enabled
    > Src Addr Type: Host
    > Src IP Add: xxx.xxx.xxx.xx
    > Dest Addr Type: Any Address
    >
    > Will this allow port 6699 through?
    Yes, your stateful exception will allow inbound TCP connections on
    6699, and the dynamic "response" packets to let the traffic back out.
    Whether this will actually work or not depends on how the P2P app works.
    I assume the app at *your* location will need to be able to initiate
    connections with other hosts, and this filter will not allow that. You'd
    need one going in the other direction as well.
    Jim
    NSC SYsop

  • How to get the number of bytes at TCP port

    Hi all,
    How do I get the number of bytes to read at the TCP port? As someone suggested in some forum, we read the number of bytes first and then pass this on,
    but we get a problem when there is FF data in it, because then it sends 2 FF bytes, and because of this we skip the last data. Is there any solution for this?

    Hi
    In LabVIEW you don't have the same property as on a serial port.
    There is no "Bytes at TCP/IP port".
    If you develop a protocol, one solution is to send the size to read.
    Application Engineer / LabVIEW Certified Developer (CLD)
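The reply's suggestion (send the size to read first) as an added Python example; this is not LabVIEW code and not from the thread. Each message is prefixed with a fixed 4-byte big-endian length, the receiver reads exactly that many bytes with a loop that tolerates short reads, and because the frame boundary comes from the length rather than from a marker byte, 0xFF bytes in the payload pass through unchanged (the doubled-FF problem in the question is what byte-stuffing schemes do; a length prefix needs none). The `max_len` cap is an assumption added here so that a corrupt or hostile length field cannot make the receiver allocate an arbitrary amount of memory. The sample frames and the socket pair are constructed for the demonstration.

```python
# Added example: length-prefixed framing over a TCP stream.  Not thread or
# LabVIEW code; the sample frames and the local socket pair are constructed.
import socket
import struct
from typing import List

HEADER = struct.Struct(">I")        # 4-byte big-endian payload length
DEFAULT_MAX_LEN = 1 << 20           # assumed cap: refuse frames over 1 MiB


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """Write one frame: length header followed by the raw payload (no escaping)."""
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; recv() may return fewer, so loop until complete."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return bytes(buf)


def recv_frame(sock: socket.socket, max_len: int = DEFAULT_MAX_LEN) -> bytes:
    """Read one frame; reject absurd lengths before trusting them."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > max_len:
        raise ValueError(f"frame length {length} exceeds limit {max_len}")
    return recv_exact(sock, length)


def roundtrip(frames: List[bytes]) -> List[bytes]:
    """Send every frame over a local socket pair and read them back in order."""
    sender, receiver = socket.socketpair()
    try:
        for frame in frames:
            send_frame(sender, frame)
        return [recv_frame(receiver) for _ in frames]
    finally:
        sender.close()
        receiver.close()


def oversized_frame_is_rejected(claimed_len: int = 10_000_000) -> bool:
    """Feed a header that claims more than max_len and confirm it is refused."""
    sender, receiver = socket.socketpair()
    try:
        sender.sendall(HEADER.pack(claimed_len))
        try:
            recv_frame(receiver)
            return False
        except ValueError:
            return True
    finally:
        sender.close()
        receiver.close()


# Constructed sample payloads, including FF bytes and an empty frame.
SAMPLE_FRAMES = [b"\xff\xff\x00\xff", b"", b"\xff" * 10, b"hello"]

if __name__ == "__main__":
    print(roundtrip(SAMPLE_FRAMES) == SAMPLE_FRAMES)   # True
    print(oversized_frame_is_rejected())               # True
```

The same split into a length read followed by an exact-count read maps directly onto two TCP Read calls in LabVIEW: the first for the fixed header size, the second for the decoded length.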

  • Bypassing TCP port 25 restriction (i.e. worst ISP EVER; Mail is not allowed

    Hi
    The private company that runs my DOES NOT ALLOW Smtp connections on its "hi speed internet connection".
    Meaning that Mail cannot function and I have to check via webmail.
    I'm serious.
    Their FAQ states:
    Can I use email clients such as Microsoft Outlook or Outlook Express to send and receive emails?
    No, you will only be able to use web browser based email such as Hotmail or Gmail; this is due to limitations (on TCP port 25) which have been implemented to protect you against other computer users sending unsolicited bulk emails (SPAM) via your computer.
    Does anyone know a way to get around this as I NEED the functionality of Mail.....
    Also,
    Are all British ISPs this ridiculous?
    Dying to find a solution to this....... Many Many Many Many Thanks
    PS. I already paid extra ($250USD) to enable 'super' internet which doesnt throttle VOIP, STREAMING, gaming, P2P etc.
    Luke

    Beginning January 1, 2006 Port 587 has been standardized as the port to use for authenticated SMTP servers although most will still work with Port 25 as well. More and more ISPs are blocking port 25 as various jurisdictions are holding them responsible for spam and/or viruses originating on their network. With unauthenticated SMTP anyone can send using that server whether they have an account or not. So the ISPs block that port with the sole exception of their own SMTP server so they can scan the messages for spam and viruses. With an authenticated SMTP server where a valid account id and password are required to send messages the provider of the server assumes the responsibility for scanning all traffic through their server thus relieving the ISP of the liability.
    Whether you think this is a big brother step or not, with estimates that spam on the internet is running as high as 70% of all email traffic, if it weren't for restrictions like this email would rapidly become an unusable tool. The only annoying thing I have found about this is how few ISP Tech Support people know about this. Too often their solution is "you can only use another email provider through their webmail interface."

  • ACS 5.5 SFTP repository non-standard TCP port

    is it possible to change the TCP port in a SFTP repository from 22 to something different  ?
    like this is not working
    repository sftp1
      url sftp://10.10.0.8:22222/user1
      user user1 password hash bc14bc179d2708cc31cbc22ee6a679cd22c095a1

    There is not much information inside the defect. We've been seeing different customers experiencing this issue.
    Symptom:
    SFTP stops working after upgrading to ACS 5.5
    Conditions:
    once we upgrade to ACS 5.5
    Workaround:
    NA
    Try this one, this should work
    https://tools.cisco.com/bugsearch/bug/CSCum93359/?reffering_site=dumpcr
    Regards,
    Jatin
    **Do rate helpful posts**

  • Http probe on non-standard tcp port 8021

    I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
    CSM v2.3(3)2
    probe 8021 http
    request method head
    interval 2
    retries 2
    failed 4
    port 8021
    serverfarm TEST
    nat server
    no nat client
    real 10.1.2.101
    inservice
    real 10.1.2.102
    inservice
    probe 8021
    vserver TEST
    virtual 10.1.2.100 tcp 8021
    serverfarm TEST
    replicate csrp connection
    persistent rebalance
    inservice
    VIP and real status:
    vserver       type  prot  virtual              vlan  state         conns
    Q_MAS_8021    SLB   TCP   10.1.2.100/32:8021   ALL   OUTOFSERVICE  0
    real          server farm  weight  state         conns/hits
    10.1.2.101    TEST         8       PROBE_FAILED  0
    10.1.2.102    TEST         8       PROBE_FAILED  0

    you need to specify what HTTP response code you expect.
    The command is :
    gdufour-cat6k-2(config-slb-probe-http)#expect status ?
    <0-999> expected status - minimum value in a range
    The default is to expect only 200.
    This is why your 403 is not accepted.
    Gilles.

  • Smbclient wants to connect to TCP port 139

    On my Powerbook, using Little Snitch under certain conditions (undetermined) I get the following message repeatedly, I am not connected to a network (except for Airport) or printer:
    The application "smbclient" wants to connect to 192.168.131.65 on TCP port 139 (netbios-ssn)
    What is this all about - thanks.
    PB G4 Al 17"    

    Airport is as much of a network as Ethernet is. Port 139 is the normal port for SMB connections. (At the terminal, try "grep 139 /etc/services".) What you want to do is figure out where your Powerbook was connecting to a Windows file or printer server on network 192.168.0.0 or 192.168.131.0. Are either of those the network address for your Airport network? You can see this in your Network settings.
    Login Items is the first place to look for an alias that might trigger an automated mount, but another application (other than the Finder) could be looking for a file server, too (as another poster mentioned). You could try to grep for "192.168.131.65" in all the files in your Preferences folder, except if you have 10.4 they might all be binary now and you'd have to convert them to xml text first, using plutil (again in Terminal).

  • LMS 4.2 Why is TCP port 514 used and how to close it?

    An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server.  The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain text logins or poorly authenticated logins.  The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2 where it says that this TCP port 514 is used for Remote Copy Protocol in the direction from the server to device.  The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing.  I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf.  This LMS is not configured to use RCP for anything, as far as I can tell.
    Can I close TCP port 514 on this server without disastrous results, and how do I do that?
    Or, how do I satisfy the security team that having this port open is not a security concern?
    Thanks for any help.
    Dave

    I have a love/hate relationship with security audits like that. Happy to know the profile of a server but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed-up tool output from Nessus or whatever).
    Problem is with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there but it's to make a point).
    Call it defense in depth and declare victory and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi.

  • Tomcat Servlet - TCP Port Already in Use?

    My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
    My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
    Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet). After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
    I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window. No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
    2.5 years with Java. 5 years with Linux and C.
    Please advise or refer

    rwengr wrote:
    > My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
    Nice.... Not sure that matters though.
    > My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
    > Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet).
    Bleah! Don't use a JSP for that. Use a servlet at worst. At best use a Servlet to start some other socket manager class which you can/have tested outside the Servlet Container environment.
    > After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
    > I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window.
    Closing the browser window has no effect on the server.
    > No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
    > 2.5 years with Java. 5 years with Linux and C.
    > Please advise or refer
    Show some code. If you just want some generic advice it would be to close the port, as soon as you don't need it anymore. But you know that. Without any further code I think that is about all that can be said.
    P.S. Make the code as small as possible, compilable, but still demonstrating the problem. Also see: [this tutorial as an example...|http://www.javaworld.com/javaworld/jw-12-1996/jw-12-sockets.html?page=1]

  • [SQL QUERY] Select TCP Port Monitors and their related Watcher Node

    Hi everybody,
    I'm working on an SSRS report and SQL query. I have no problem finding all my TCP Port Monitors (SCOM 2012 R2) based on the DisplayName, but I can't figure out how to get their related watcher nodes (in my case only 1 computer is a watcher node).
    I can't find which table, which field, contains this information..?
    Here is the query I started to write (I select * since I'm still searching for the right column):
    SELECT *
    FROM StateView s
    INNER JOIN BaseManagedEntity me ON me.BaseManagedEntityId = s.BaseManagedEntityId
    INNER JOIN MonitorView mv ON mv.Id = s.MonitorId
    INNER JOIN ManagedTypeView mtv ON mtv.Id = s.TargetManagedEntityType
    --WHERE mv.DisplayName LIKE 'Ping Target Status Check%'
    WHERE mv.DisplayName LIKE '%tcpmon%'
    AND me.IsDeleted = '0'
    AND mv.LanguageCode = 'ENU'
    --AND s.HealthState IN (@state)
    ORDER BY s.LastModified DESC
    It would be great if someone can help me !
    Thanks,
    Julien

    Hi,
    After creating a TCP port monitor, we can find a table for this monitor under operationsmanager database :
    SELECT *
    FROM [OperationsManager].[dbo].[MT_TCPPortCheck_******WatcherComputersGroup]
    You will find the watcher computer group.
    Regards,
    Yan Li
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Pre-Requisite Check SQL Server 2012 SP2 TCP Port Enabled Error

    When doing the pre-requisite check to install SCCM (CAS) using an instance of SQL Server 2012 SP2, you get the following error even though the SQL Server TCP port has been enabled and set to static port 4022 on the IP addresses in use in SQL Server Configuration Manager under Protocols for <SQLInstanceName>: configuration manager primary site and central administration site require sql server tcp enables and set to static port
    To resolve this issue, make sure "4022" is also set in the IPAll node in SQL Server Configuration Manager under Protocols for <SQLInstanceName>, then restart the SQL Service and re-run the pre-requisite check and you should be good to go.
    To avoid SCCM SQL-related install failure, keep in mind that SCCM SQL Service Broker (SSB) (used to replicate data between database sites) is set to port 4022 by default. This is different from and cannot be the same as the TCP static port set in SQL Server Configuration Manager under Protocols for <SQLInstanceName>. For example SSB can use its default TCP port 4022 while a static TCP port of 4023 can be set in SQL Server Configuration Manager under Protocols for <SQLInstanceName>, or vice-versa. The SCCM SSB port number can be adjusted during SCCM installation on the Database Information page. My take is to change the SSB port to 4023 and leave the SQL default port at 4022, since SQL potentially serves many apps while SSB is used within/by SCCM.
    If you are getting errors relating to SQL Server service running accounts, SQL Server Collation, and/or SQL Server sysadmin rights while attempting to install a primary site, unselect the SCCM installation option to install default settings at the beginning of the install process.
    Also, ensure you install important updates and restart the server.

    Thank you for sharing.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Agentry Client 6.1.3 installation with preconfigure SMP server name et TCP Port

    Hi,
    I'm looking for a way to deploy an Agentry Client (version 6.1.3.xxx) on multiple devices without having to manually specify the SMP server name and TCP port.
    When the user gets it, I just want him to enter only his credentials to start the first synch/config process.
    Is there any way to do that easily?
    Thanks for your help!
    Eric

    Hi Bill,
    Here's what I did in more detail so you can pinpoint what I'm doing wrong (hopefully :-)).
    First I extracted the branding files of the Agentry_6.1.3.10212_ClientWin32.exe.
    Agentry_6.1.3.10212_ClientWin32.exe /Branding=D:\Temp\Agentry.
    This is the directory and file structure I got out of it.
    The 2 directories are created as you mentioned.
    If I browse to the AgentryClient_Win32 directory I see those files:
    If I browse the Installer directory I see :
    The Include and Plugins directories are as follow :
    I still can't find the AgentryClient.exe.config file???
    Eric
