NAT default open ports

I want to use the NAT firewall of AirPort Express.I scan APE ports when NO ports are forwarded and these ports are open by default:
Open TCP Port:           21                         ftp
           Open TCP Port:           53                         domain
           Open TCP Port:           139                        netbios-ssn
           Open TCP Port:           445                        microsoft-ds
           Open TCP Port:           548                        afpovertcp
           Open TCP Port:           554                        rtsp
           Open TCP Port:           5009                       winfs
           Open TCP Port:           7070                       arcp
My question is why?
And there are some way to close some?
I don't use FTP and other services.

By default, all inbound ports on the Apple routers are closed already, but they are not designed to be stealthy. As such, certain utilities can see them as open.
Please check out the following Chron article. It may be a bit outdated but I think it drives the point across why Apple decided not to make their base station ports stealthy.

Similar Messages

Mac OS X Leopard Firewall/default open ports rpcbind?

Hi,
I'm looking into hardening/securing mac os x leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are leopards default open ports on a fresh install?
Also is there any way to run openbsd/freebsd PF firewall?
Thanks!

This is what nmap reports:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Interesting ports on localhost (127.0.0.1):
Not shown: 993 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
631/tcp open ipp
1021/tcp open unknown
1022/tcp open unknown
1023/tcp open netvenuechat
2049/tcp open nfs
49152/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
nestat -a | grep LISTEN confirms:
tcp6 0 0 localhost.ipp . LISTEN
tcp4 0 0 *.49152 . LISTEN
tcp4 0 0 *.1021 . LISTEN
tcp4 0 0 *.1022 . LISTEN
tcp4 0 0 *.sunrpc . LISTEN
tcp4 0 0 *.nfsd . LISTEN
tcp4 0 0 *.1023 . LISTEN
tcp4 0 0 localhost.ipp . LISTEN
tcp6 0 0 localhost.ipp . LISTEN
Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
Any suggested IPFW rules?
Here is what 'ipfw show' returns:
3300 36 2160 deny icmp from any to me in icmptypes 8
65535 866558 351141790 allow ip from any to any
Thanks,
Juan

Confusion/frustration opening ports

I better give the situation first.
My brother and I play FFXI (Final Fantasy 11) on two computers. We login and after about 5-10 minutes we get a time out error message. Anyone who knows FFXI knows about R0 (recieving) and S0 (sending). At the moment its our Sending signal that is droping and causing the time out error.
I called Square Enix and was told we needed to open ports. I figure that should be easy, so I go online and on their site find the list of ports to open.
TCP:
25, 80, 110, 443 or 50000 - 65535
UDP:
50000 - 65535
So I login to the router admin after turning off norton and windows firewalls on all computers. On the Port Triggering page there is not only the Port Triggering option but also Port Forwarding options. From what I understand we dont' need Port Forwarding. So I set up with this
Aplication: PlayOnline (name on desktop icon actual file is pol.boot but doesn't work)
Triggering range 25-65535 (was hoping to use one port range.)
I left the Port Frowarding section alone and checked the "Enable" box and save settings.
It didn't help. I even enabled UPNP on both the router firewall and on the POL Settings, still didn't help.
Any help on this is greatly appreciated. I don't want to do a DMZ because we need ports for both computers open and eventually the 3rd (backup) incase one of these crash. We are ready to scream.
Message Edited by unacorn on 10-16-2007 08:34 PM

No. Port triggering and port forwarding and DMZ are different ways how to open ports on the router to be used inside your network. There is always some kind of server involved in the LAN for that. A server in this sense can also be your game which opens various ports on your computer and listens for incoming traffic on those ports. But as you are running a router with network address translation (NAT) those open ports on the computer cannot be seen from the internet by default. Your computer has a private IP address 192.168.1.* which cannot be accessed directly from the internet. NAT maps the single public IP address to multiple private IP addresses. By default the router does drop any incoming traffic from the internet simply because it does not know where to send it. If a computer inside your LAN sends something out before, then the router will accept the returning answer and forwards it to the computer which send the data out before. But this only works if a computer inside first initiates the connection. If your computer on 192.168.1.50 connects to www.linksys.com the router remembers that it was 192.168.1.50 that connected to www.linksys.com and will forward the responds from www.linksys.com back to 192.168.1.50 (obviously this is a little bit simplified but the basics are correct).
To accept unrelated traffic from the internet to get into your LAN and reach a computer you have to tell the router what it should do. That is port forwarding. If something arrives on port 25 it will always forward the traffic to a specific computer defined in the forwarding. This may be necessary in case in multi-player games where other people from other IP addresses have to send you something before you ever send something to them. That's an example when you need forwarding. Your game application on your computer is the "server" then because it listens/opens some ports on the computer which must be accessible from the internet for unrelated traffic. Otherwise unrelated incoming traffic is dropped.
Port triggering is a way to dynamically add some port forwardings depending on previous outgoing traffic. For example, you can forward some port 2525 on traffic on port 25. This means if a computer inside the LAN connects to port 25 the router will dynamically establish incoming port forwarding on port 2525 to the same computer inside the LAN which used port 25 before. It depends on the router for how long this forwarding will be active. It also won't help you if you require the same port forwardings at the same time on two or more computers inside your LAN connecting to the same server in the internet. At any given time it is only possible to forward a port to a single computer inside the LAN.
Connections from the LAN to internet servers are not affect by either port forwarding or port triggering. By default, any computer in the LAN can access any server at any port in the internet.
Many ISPs only assign you a single public IP address. You cannot connect multiple computers or routers at the same time to the modem then. Check with your ISP if it is possible to connect multiple devices to the modem and get multiple public IP addresses.
If you can I would think about whether you really want to get a second router or whether you simply connect both computers directly to the modem and use it that way. There is little benefit hooking up a second router with a second set of port forwardings.

Default LaunchDaemons and open ports?

I recently have written a port scanner for a project at my university and after running it, I discovered that a large portion of my Macbooks' well known ports was open.
These were 21 (ftp), 22 (ssh), 23 (telnet), 53 (domain), 79 (finger)!!, 88 (kerberos), 512 (exec)!!, 513 (login), and a bunch of others (see picture below for open ports - afterwards entered @ grc.com).
I checked, if they are reachable from the internet (see picture below). They were not, but that does not say a lot(?), because if someone wanted to make a bot out of my Mac or collect data from it, this person could contact a C&C server from my machine and start communicating without opening any port of the NAT router, as the router allows bidirectional communication if started by the client(?).
I checked, if these ports are reachable from within a local network, by requesting the services behind them from another computer running Linux. And they are! Everyone within the Non-VPN networks of my university was and is able to fetch personal information from me over fingerd! To prevent further leakage, I will block any incoming connections from now on.
> finger user@{Macbook's IP}
same output as when running locally
> finger user@localhost
[localhost]
Trying ::1...
Login: MyUserName Name: MyNameReplaced
Directory: /Users/MyUserName Shell: /usr/local/bin/fish
On since Sun Oct 26 13:02 (CET) on console, idle 7:52 (messages off)
On since Sun Oct 26 17:15 (CET) on ttys000
On since Sun Oct 26 20:25 (CET) on ttys001, idle 0:05
No Mail.
No Plan.
I am able to login to the Mac via telnet over the LAN, etc.
I checked the configuration of my firewall. It is/was activated. Signed software is allowed to accept incoming connections. Cloaking is not activated and I am not blocking every incoming connection. There are five services in the list below, they are all from Apple. I can not remove them. The minus button is grayed out.
When I ticked 'Block all incoming connections', the services behind the ports were no longer detectable/reachable from the LAN, but the daemons are still running on the Mac!
So my question is, why are these daemons running?! Why on earth is the fingerd running or exec?! This seems not normal. Who has started them (software or person)? I strongly limit access to my computer. I always lock it, when leaving it unattended. I use NoScript in Firefox. Never do I open attachments from mails.
I checked the Mac of a friend with my PortScanner (in his LAN and on his Mac) and his has none of the ports open mine has.
I have not checked my ports/firewall for a long time, so I can't remember if those ports were closed at any time before.
Meanwhile I will read something about launchd, to gather more information.

I'm not an expert on this, but I'm not certain what you are concerned about. All messaging in unix systems is done through ports, and so a variety of ports need to be open for normal system operations. OS X out-of-the-box probably strikes a balance between convenience and paranoia - ports that might be more secure closed left open by default so that novice users aren't driven out of their wits - but I can't imagine that it leaves open anything that constitutes a true vulnerability. Or if it does, you should file a bug report.
I'm told every med student suffers from hypochondria at one point or another, and I know that every comp sci student will sooner or later have a short freak-out over security. So take a deep breath...

Open ports in zones

I am encountering a strange behavior in new zones created using zonemgr 2.0.6 (this is the only way I create zones, so I do not know if the issue is more general). When I create a new zone, two strange things are happening:
1. Immediately after the zone is created, no services are running, not even ssh
2. About 10 minutes later, a whole bunch of services are running. Most of these are not running on the global zone.
For reference, nmap output on the global zone is the following:
[dcomsm1@dcomsm1:~] $ nmap t2000
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 20:51 EST
Interesting ports on 131.247.16.134:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2161/tcp open apc-agent
3052/tcp open powerchute
4045/tcp open lockd
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
The new zone is created using the following zonemgr arguments:
[root@t2000:~/zonecfgs] # more ./temp.sh
#!/usr/bin/bash
./zonemgr -a add -n drenkhah -z "/export/zones" -P "root_pw" -I "131.247.16.159|e1000g0|25|drenkhah" -R "/root|/usr/bin/bash" -s "basic|lock"
zone creation output is as follows:
[root@t2000:~/zonecfgs] # ./temp.sh
Checking to see if the zone IP address (131.247.16.159) is already in use...IP is available.
cannot create '/drenkhah': leading slash in name
chmod: WARNING: can't access /export/zones/drenkhah
chown: /export/zones/drenkhah: No such file or directory
Zone drenkhah will be placed in the following directory: /export/zones/drenkhah
Preparing to install zone <drenkhah>.
Creating list of files to copy from the global zone.
Copying <2568> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1042> packages on the zone.
Initialized <1042> packages on zone.
Zone <drenkhah> is initialized.
The file </export/zones/drenkhah/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
Creating the sysidcfg file for automated zone configuration.
Booting zone for the first time.
Waiting for first boot tasks to complete.
Waiting for automatic post-install reboot to complete
Updating netmask information.
Updating /etc/inet/hosts of the global zone with the drenkhah IP information.
Generating ssh host keys. Details in the (/root/.zonemgr/zone28330-ssh.log) file.
svcadm: Pattern 'svc:/network/ssh' doesn't match any instances
Setting the root user's home directory to /root
Setting the root user's shell to /usr/bin/bash
Disabling un-necessary services via basic method for the default services.
Zone drenkhah is complete and ready to use.
nmap output just after creating the zone is as follows:
[dcomsm1@dcomsm1:~] $ nmap drenkhah
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 17:53 EST
All 1000 scanned ports on 131.247.16.159 are closed
Nmap done: 1 IP address (1 host up) scanned in 29.39 seconds
nmap output 17 minutes later is as follows:
[dcomsm1@dcomsm1:~] $ nmap drenkhah
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 18:10 EST
Interesting ports on 131.247.16.159:
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
587/tcp open submission
4045/tcp open lockd
6112/tcp open dtspc
6788/tcp open unknown
6789/tcp open ibm-db2-admin
7100/tcp open font-service
Nmap done: 1 IP address (1 host up) scanned in 29.25 seconds
Note that there are many open ports
# uname -a
SunOS t2000 5.10 Generic_137137-09 sun4v sparc SUNW,Sun-Fire-T200
Thanks
Manish

The Leopard OS X firewall is application based and not port based. Honestly, I haven't played with it enough to know for certain how to answer your question.
But... when you do connection sharing, you're essentially doing a port based NAT for the systems on the other side of your Mac. This pretty much keeps you from initiating anything to the other system even without a local firewall unless you were to configure port forwarding.
As for blocking packets, you would need to use the 'ipfw' command to do things at the port level.

Help open port on ASA5510 (version 8.3)

Hi all,
I configured ASA to open port 21, 3389, 5900 (outside access in) but when i check port just success : 21 and 3389, Error: 5900
If i configured with only one port 5900 or 3389, is't ok, i don't undesrtand what 's the problem?
ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password *********************** encrypted
passwd *********************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no na
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network Remote_Desktop
host 192.168.100.29
object network VNC
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
nat (inside,outside) static interface service tcp 3389 3389
object network VNC
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password *********************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
: end
ASA5510#

ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password ****************** encrypted
passwd ****************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network remote_desktop
host 192.168.100.2
object network remote_vnc
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asd
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 172.16.17.1 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ****************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f061a213185354518601f754e41494c
: end
ASA5510#
So i configured again, but i'm not to access to 5900 port

Open ports on new airport extreme to play online games

hey, i have the new airport extreme and i wanna play online games.
how do i open ports with the utily that came on disk.
i have no clue how to configure it.
i tried in bridge mode, but than the airport starts flashing amber and other users in house wanna surf on the net aswel.
kind regards

Airport Utility -> Manual setup (Cmd+L)
Internet -> NAT
Enable a default host
Then in Internet -> DHCP
permanently assign the default host IP to the machine you're going to play the games on.
This is what other routers call the "DMZ" address. Be sure to run a firewall on that machine!

Open ports problem ASA5505

Hi everyone.
I'm trying to open ports on a specific host but I can't make it work.
I tried to make it clear as possible,
Thanks for helping.
There is my config:
Result of the command: "show run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address MY-FIREWALL-IP 255.255.255.240
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-SITE-B
subnet 1.1.2.0 255.255.255.0
object network LAN-SITE-A
subnet 1.1.1.0 255.255.255.0
object network Firewall-SITE-B
host VPN-SITE-B-IP
object network SERVER01
host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)
object-group service ALL-IP tcp-udp
description ALL-IP
port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 1.1.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer SITE-B
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 1.1.1.100-1.1.1.125 inside
dhcpd dns 24.200.241.37 24.201.245.77 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_SITE-B internal
group-policy GroupPolicy_SITE-B attributes
vpn-tunnel-protocol ikev1 ikev2
username MY-USER password *** encrypted privilege 15
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B general-attributes
default-group-policy GroupPolicy_SITE-B
tunnel-group SITE-B ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e
: end

Hi Jouni,
Thanks for helping again,
Looks like i'm getting the same problem.
ciscoasa# show run access-list
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list OUTSIDE-IN extended permit ip any object SERVER01
ciscoasa#
ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside
ciscoasa#
ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER01
nat (inside,outside) static MY-SERVER01-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Opening Ports on Airport Express for GTA IV

I am told that to play Grand Theft Auto 4 (GTA 4) properly, I need to "open ports" on my router and enable UPnP (Universal Plug-n-Play).
The ports I am supposed to open are:
UDP
3478
3479
6672
28900
TCP
80
443
5223
3478
3479
3480
8001
8080
27900
On my Windows 2000 machine, using the AirPort Admin Utility, when I configure the AirPort, I get a window that has a "port mapping" tab.
Is this how I open the ports listed above? If so, it asks for a private IP address, Public Port, and Private port. How do all these relate to the port numbers above?
In the configure base station window, i can't find any mention of how to enable UPnP
Thanks!!!!!
PS, don't hate on me for having a PC, i'm just waiting until Apple comes out with a BluRay capable laptop...
Message was edited by: Psychos40

Hello Psychos40. Welcome to the Apple Discussions!
On my Windows 2000 machine, using the AirPort Admin Utility, when I configure the AirPort, I get a window that has a "port mapping" tab.
Is this how I open the ports listed above? If so, it asks for a private IP address, Public Port, and Private port. How do all these relate to the port numbers above?
Yes.
To setup Port Mapping:
Assign a manual IP to the host device
The "host" device is the computer that will be hosting GTA and needs to be accessed from the Internet. Under Windows 2000, you would use Network Settings to assign a static IP address to this computer. Note: Be sure to assign an IP address outside of the DHCP range provided by the AirPort Express Base Station (AX) default range of 10.0.1.2 - 10.0.1.200, like 10.0.1.201
To setup port mapping on an AirPort Express Base Station (AX), connect to the AX's wireless network, and then use the AirPort Admin Utility to change these settings:
Port Mapping tab
o Click "Add"
o Public Port: <enter the Port # which will be accessed from the Internet>
o Private Address: <enter the static IP address from above>
o Private Port: <either enter the same value as the Public port or the value you want your application/service to answer on>
o Click "Ok"
o Repeat the last series of steps for each port you wish to map.
In the configure base station window, i can't find any mention of how to enable UPnP
Unfortunately, that's because the AirPorts do not support UPnP. Instead, the AirPorts have a similar feature known as "NAT Port Mapping Protocol." You enable/disable this function on the Ethernet Port Security tab under Base Station Option within the AirPort Admin Utility. Note: Although NPmP is similar, it is not the same as UPnP and may not offer the same features. If GTA requires UPnP, the AirPort's NPmP feature may not support it.

[TMG 2010] Open port

Hello,
Sorry for my English, a little rusty
^ ^
I need to open TCP and UDP ports 46015
for a java application that connects
us to a room with video outside.
http://evo.caltech.edu/evoGate/Documentation/faq/firewall/firewall.html
I create protocols and make
the rule but it does not work!
the rule:
Web Conference -> Incoming TCP
(46015) outgoing TCP (46015)
UDP Send Receive (46015)
-> From: Internal to External
When I enabled it works after
2-3 minutes it does not work ...
When I check in the log:
[Engine][analyseNetwork] Default UDP port (46015): false, RTT = 0
[Engine][analyseNetwork] ... tested with xxx.xxx.xxx.xxx
[Engine][analyseNetwork] Default TCP port (46015): false
[Engine][analyseNetwork] Port 80 TCP: true
[Engine][analyseNetwork] Port 443 TCP: true
[Engine][analyseNetwork] Port 8080 TCP: false
[Engine][analyseNetwork] Port 8443 TCP: false
Thank youfor your help

Thank you
for your help
That is what happens
in the log:
Adresse IP du client Nom d'utilisateur du client Agent client Client authentifié Service Nom du serveur Serveur de référence Nom de l'hôte de destination Adresse IP de destination Protocole Transport Méthode HTTP URL Règle Informations sur les filtres Type MIME Source de l'objet Heure du journal Informations sur le cache Informations sur l'erreur Port de destination Port source Type d'enregistrement de journal Type de session Réseau source Réseau de destination Action Bidirectionnel Interface réseau En-tête IP brut Charge utile brute Temps de traitement Code du résultat Octets envoyés Octets reçus Adresse IP original du client Code d'état HTTP Heure GMT du journal Serveur d'authentification Résultat de l'analyse NIS Signature NIS Nom de la menace Action d'inspection de détection de programmes malveillants Résultat de l'inspection de détection de programmes malveillants Catégorie d'URL Mode de transmission des données ID de groupe UAG Version UAG ID de module UAG ID UAG Gravité UAG Type UAG Nom d'événement UAG ID de session UAG Nom de tronçon UAG Nom de service UAG Code d'erreur UAG Durée de l'inspection de détection de programmes malveillants (millisecondes) Niveau de menace Adresse NAT Champ du journal des informations sur le service interne Chemin de l'application cliente Hachage SHA1 de l'application cliente État d'approbation de l'application cliente Nom interne de l'application cliente Nom de produit de l'application cliente Version de produit de l'application cliente Version de fichier de l'application cliente Nom du fichier d'origine de l'application cliente FQDN du client Protocole d'application NIS Raison à la catégorisation des URL Version du client Forefront TMG Nom de l'hôte de destination de l'URL Règle remplacée
172.16.100.3 FOREFRONT - 131.215.116.151 UDP E UDP - - Web conférence(1) - - 13/02/2014 13:27:53 0x0 0x0 46015 54052 Pare-feu Interne Externe Connexion initiée 0 0x0 SUCCESS 0 0 172.16.100.3 13/02/2014 12:27:53 - - - - 0 - 0 - - - - - - 0 0 192.168.1.33 0 - -
172.16.100.3 FOREFRONT - 192.65.196.81 UDP E UDP - - Web conférence(1) - - 13/02/2014 13:27:53 0x0 0x0 46015 54053 Pare-feu Interne Externe Connexion initiée 0 0x0 SUCCESS 0 0 172.16.100.3 13/02/2014 12:27:53 - - - - 0 - 0 - - - - - - 0 0 192.168.1.33 0 - -
172.16.100.3 FOREFRONT - 192.65.196.79 TCP S TCP - - Web conférence(1) - - 13/02/2014 13:27:55 0x0 0x0 46015 61689 Pare-feu Interne Externe Connexion initiée 0 0x0 SUCCESS 0 0 172.16.100.3 13/02/2014 12:27:55 - - - - 0 - 0 - - - - - - 0 0 192.168.1.33 0 - -
172.16.100.3 FOREFRONT - 192.65.196.79 HTTPS TCP - - Autoriser l'accès Web pour tous les utilisateurs - - 13/02/2014 13:27:55 0x0 0x0 443 61692 Pare-feu Interne Externe Connexion initiée 0 0x0 SUCCESS 0 0 172.16.100.3 13/02/2014 12:27:55 - - - - 0 - 0 - - - - - - 0 0 192.168.1.33 0 - -

Open port 5000 through 5005

Hello Rogue Amoeba support tells me, in order to get the Airfoil Speakers software to function, I must open port 5000 through 5005 on my router (WRT54G). I have scoured the .pdf manual, perused the web support site as well as the present forums. Mostly, I don’t know what much of this stuff means so I may have inadvertently passed up what I need to know. Mainly, I don’t want to screw up the router function as it is working just dandy. For all I know, ports 5000 through 5005 are already open. If anyone can give me some guidance in plain English, I would certainly appreciate it. Thanks.

Log in to the router set-up page. To do this, open up a web browser ( Internet Explorer , Firefox etc) and type on the address bar your default gateway (if left alone, it is usually 192.168.1.1). Just leave it's username blank, password as a default is admin.
Go to the Applications and Gaming tab then go to the Port Triggering subtab. Start port is 5000 and end is 5005 for both Triggered and Forwarded range.

Open ports for all in LAN

Hi, a few days ago I bought a wireless router WRT160n. I want to ask how to open some port for all in LAN(3 clients). For example all in LAN have PeerToPeer application for torrents. I want to open port for example 20202 for all. Now I open port from menu Applications & Gaming->Single Port Forwarding, but I must set port for each user IP address.
Can somebody tell me how to open port for all in LAN without to config for each computer?
Thanks in advance.

Hi gv. I read more about UPnP and the WRT160n User Guide. In section Administration>managment int wrote that UPnP is Enabled by default in my router it is corect. I Setup mu PeerToPeer(eMule) TCP/UDP ports to 20202 and check option "Use UPnP to setup ports". I test and close this port on my router configuration for my computer on "Single Port Forwarding", but in eMule the port is still block. Can you explain why it did not work. For UPnP it says that if Enable it allow users with Windows ME and XP automatically to gonfigure Router ports
Thanks in advance!
Best Regards.

Open port issues with Direct Print functionality

Hi, I have been fighting with HP call support about the Photosmart 7525 printer.
Originally I setup and had performed all the functions to enable both web support and WIFI.
Within an hour the printer would not respond to wireless communication, though it had its wireless indecator showing it was connected.
I was told by HP support that the issue will be resolved in March, as there will be a firmware update to fix the issue.
Now that I had the printer install the new firmware I still get the issue.
Though I found through some sniffing, that there are a number of ports enabled and open that are over and beyond print requirements.
Funny thing I can send my printer into instant lockup with all lights flashing with a simple UDP ping sniff. I would think I can do this with other new HP printers using Eprint functions. I will find HP web based printers that are open for public printing and test my theory that HP Eprinters are open to hacking and denyal of service attempts. My Hp print app on andriod list three in my area, and one is at my local Walmart. This would be cool to find this, as I am usually not the first to point such matters out.
I assume some are for Apple devices to print.
Here is my sniffing report:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 07:57 Central Daylight TimeNSE: Loaded 110 scripts for scanning.NSE: Script Pre-scanning.Initiating ARP Ping Scan at 07:57Scanning 192.168.223.1 [1 port]Completed ARP Ping Scan at 07:57, 0.23s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 07:57Completed Parallel DNS resolution of 1 host. at 07:58, 16.50s elapsedInitiating SYN Stealth Scan at 07:58Scanning 192.168.223.1 [1000 ports]Discovered open port 445/tcp on 192.168.223.1Discovered open port 139/tcp on 192.168.223.1Discovered open port 80/tcp on 192.168.223.1Discovered open port 443/tcp on 192.168.223.1Discovered open port 8080/tcp on 192.168.223.1Discovered open port 9220/tcp on 192.168.223.1Discovered open port 6839/tcp on 192.168.223.1Discovered open port 631/tcp on 192.168.223.1Discovered open port 7435/tcp on 192.168.223.1Discovered open port 8089/tcp on 192.168.223.1Discovered open port 9100/tcp on 192.168.223.1Completed SYN Stealth Scan at 07:58, 1.71s elapsed (1000 total ports)Initiating UDP Scan at 07:58Scanning 192.168.223.1 [1000 ports]Discovered open port 5353/udp on 192.168.223.1Completed UDP Scan at 07:58, 1.82s elapsed (1000 total ports)Initiating Service scan at 07:58Scanning 20 services on 192.168.223.1Discovered open port 161/udp on 192.168.223.1Discovered open|filtered port 161/udp on 192.168.223.1 is actually open
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 07:51 Central Daylight TimeNmap scan report for 192.168.223.1Host is up (0.0025s latency).Not shown: 93 closed portsPORT     STATE SERVICE     VERSION80/tcp   open http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)139/tcp open tcpwrapped443/tcp open ssl/http    HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)445/tcp open netbios-ssn631/tcp open http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)8080/tcp open http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)9100/tcp open jetdirect?MAC Address: A03:C1:BD:C8:34 (Unknown)Device type: printer|general purposeRunning: HP embedded, Wind River VxWorksOS CPE: cpe:/h:hp:laserjet_cm1415fnw cpe:/h:hp:laserjet_cp1525nw cpe:/h:hp:laserjet_1536dnf cpe:/o:windriver:vxworksOS details: HP LaserJet CM1415fnw, CP1525nw, or 1536dnf printer, VxWorksNetwork Distance: 1 hopService Info: Device: printer; CPE: cpe:/h:hphotosmart_7520OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 34.11 seconds

OK now I am able to run a full scan on TCP ports without causing a lock up of the printer.
I found that having the printer connect to a router that has been setup to use channel 5, 6 or 7 will cause port scanning issues with the printer.
It is obvious that there are 18 ports that are seen as open, whether they are used or not. Two of which are active but have no service connected to them. Some are just dead like port 25, but over half are active enough to recieve data and lock network connectivity within the printer.
As the firmware states some other laser jets may be affected depending on how the configuration can be set.
I moved my routers channel to channel 1 as it is the only other option I have in a highly congested location. It is not as good as channel 6, but the printer seems to have channel 6 locked in for direct printing.
Here is the latest full scan with UDP enabled, it is the furthest and most complete scan I am able to complete, with UDP ports enabled. The TCP port scan has a bit more and I have placed a simple list below the information given here:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 13:27 Central Daylight Time
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 13:27
Scanning 192.168.1.211 [1 port]
Completed ARP Ping Scan at 13:27, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:27
Completed Parallel DNS resolution of 1 host. at 13:27, 0.03s elapsed
Initiating SYN Stealth Scan at 13:27
Scanning 192.168.1.211 [1000 ports]
Discovered open port 443/tcp on 192.168.1.211
Discovered open port 80/tcp on 192.168.1.211
Discovered open port 139/tcp on 192.168.1.211
Discovered open port 8080/tcp on 192.168.1.211
Discovered open port 445/tcp on 192.168.1.211
Discovered open port 631/tcp on 192.168.1.211
Discovered open port 9100/tcp on 192.168.1.211
Discovered open port 7435/tcp on 192.168.1.211
Discovered open port 9220/tcp on 192.168.1.211
Discovered open port 6839/tcp on 192.168.1.211
Completed SYN Stealth Scan at 13:27, 5.25s elapsed (1000 total ports)
Initiating UDP Scan at 13:27
Scanning 192.168.1.211 [1000 ports]
Discovered open port 137/udp on 192.168.1.211
Completed UDP Scan at 13:27, 4.46s elapsed (1000 total ports)
Initiating Service scan at 13:27
Scanning 16 services on 192.168.1.211
Discovered open port 161/udp on 192.168.1.211
Discovered open|filtered port 161/udp on 192.168.1.211 is actually open
Completed Service scan at 13:29, 82.51s elapsed (17 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.211
NSE: Script scanning 192.168.1.211.
Initiating NSE at 13:29
Completed NSE at 13:30, 82.29s elapsed
Nmap scan report for 192.168.1.211
Host is up (0.023s latency).
Not shown: 1983 closed ports
PORT     STATE         SERVICE      VERSION
80/tcp   open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
|_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
| http-methods: GET POST PUT DELETE
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp open          tcpwrapped
443/tcp open          ssl/http     HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
|_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
| http-methods: GET POST PUT DELETE
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=HPPS7525/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Issuer: commonName=HPPS7525/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-02-25T10:12:24+00:00
| Not valid after: 2034-02-20T10:12:24+00:00
| MD5:   9144 ca3b 557e 09cc aba0 8387 2732 2375
|_SHA-1: a6b2 95c0 b72a 7201 578c 32de 662a e6fe b082 48ca
|_ssl-date: 2014-03-21T13:30:09+00:00; -4h59m12s from local time.
445/tcp open          netbios-ssn
631/tcp open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
| http-methods: GET POST PUT DELETE
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
6839/tcp open          tcpwrapped
7435/tcp open          tcpwrapped
8080/tcp open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
|_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
| http-methods: GET POST PUT DELETE
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
9100/tcp open          jetdirect?
9220/tcp open          hp-gsg       HP Generic Scan Gateway 1.0
137/udp open          netbios-ns   Samba nmbd (workgroup: HPPS7525)
138/udp open|filtered netbios-dgm
161/udp open          snmp         SNMPv1 server (public)
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
| snmp-interfaces:
|   Wifi0
|     IP address: 192.168.1.211 Netmask: 255.255.255.0
|     MAC address: a0:d3:c1:bd:c8:32 (Unknown)
|     Type: ethernetCsmacd Speed: 10 Mbps
|     Status: up
|_    Traffic stats: 6.16 Mb sent, 3.43 Mb received
| snmp-netstat:
|   TCP 0.0.0.0:7435         0.0.0.0:0
|   TCP 192.168.1.211:56076 15.201.145.52:5222
|   UDP 0.0.0.0:3702         *:*
|   UDP 127.0.0.1:666        *:*
|_ UDP 192.168.223.1:67     *:*
| snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT
|_ System uptime: 0 days, 3:34:23.28 (1286328 timeticks)
| snmp-win32-shares:
|_ baseoid: 1.3.6.1.4.1.77.1.2.27
1022/udp open|filtered exp2
1023/udp open|filtered unknown
3702/udp open|filtered ws-discovery
5355/udp open|filtered llmnr
MAC Address: A03:C1:BD:C8:32 (Unknown)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Uptime guess: 0.150 days (since Fri Mar 21 09:55:04 2014)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Hosts: HPA0D3C1BDC832, HPPS7525; Device: printer; CPE: cpe:/h:hphotosmart_7520
Host script results:
| nbstat:
|   NetBIOS name: HPA0D3C1BDC832, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     HPA0D3C1BDC832<00>   Flags: <unique><active><permanent>
|     MSHOME<00>           Flags: <group><active><permanent>
|     HPA0D3C1BDC832<20>   Flags: <unique><active><permanent>
|     HPPS7525<00>         Flags: <unique><active><permanent>
|_    HPPS7525<20>         Flags: <unique><active><permanent>
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT      ADDRESS
1   23.26 ms 192.168.1.211
NSE: Script Post-scanning.
Read data files from: F:\Progs\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.90 seconds
           Raw packets sent: 2030 (74.829KB) | Rcvd: 2921 (149.377KB)
+++++++++++++++++++++++++++++++++++++++++++++++++++++===
Full TCP port scan without UDP scanning of all ports, showing up as open... * designates open and active.
192.168.223.1Discovered open port 25/tcp on
*192.168.223.1Discovered open port 80/tcp on
*192.168.223.1Discovered open port 110/tcp on
*192.168.223.1Discovered open port 119/tcp on
*192.168.223.1Discovered open port 139/tcp on
192.168.223.1Discovered open port 143/tcp on
*192.168.223.1Discovered open port 443/tcp on
*192.168.223.1Discovered open port 445/tcp on
192.168.223.1Discovered open port 465/tcp on
192.168.223.1Discovered open port 563/tcp on
192.168.223.1Discovered open port 587/tcp on
*192.168.223.1Discovered open port 631/tcp on
192.168.223.1Discovered open port 993/tcp on
192.168.223.1Discovered open port 995/tcp on
*192.168.223.1Discovered open port 7435/tcp on
*192.168.223.1Discovered open port 6839/tcp on
*192.168.223.1Discovered open port 8080/tcp on
192.168.223.1Discovered open port 8089/tcp on
*192.168.223.1Discovered open port 9100/tcp on
*192.168.223.1Discovered open port 9220/tcp on

How do I open ports on my airport extreme and assign a fixed IP Address for a device connected to my network?

I recently had a security system installed in my house. One of the features is an EPAD which enables me to have a virtual keypad on my iphone, and computer to operate the alarm system. The technician was not familiar with Mac's and Airports. How do I open port 80 to 80 in my airport and assign a fixed IP address for the EPAD? Apparently this is what is needed to make this work.

There are three ranges of "strictly local" IP addresses reserved for local Network use:
192.168.xxx.yyy
172.16.xxx.yyy
10.xxx.yyy.zzz
What your Router does for you is to act as your agent on the Internet.Your requests are packaged up and forwarded on your behalf, and only when a response is expected is the response returned to your local IP address.
Directing Network Traffic to a Specific Computer on Your
Network (Port Mapping)
AirPort Extreme uses Network Address Translation (NAT) to share a single IP address with the computers that join the AirPort Extreme network. To provide Internet access to several computers with one IP address, NAT assigns private IP addresses to each computer on the AirPort Extreme network, and then matches these addresses with port numbers. The wireless device creates a port-to-private IP address table entry when a computer on your AirPort (private) network sends a request for information to the Internet.
If you’re using a web, AppleShare, or FTP server on your AirPort Extreme network, other computers initiate communication with your server. Because the Apple wireless device has no table entries for these requests, it has no way of directing the information to the appropriate computer on your AirPort network.
To ensure that requests are properly routed to your web, AppleShare, or FTP server, you need to establish a permanent IP address for your server and provide inbound port mapping information to your Apple wireless device.
To set up inbound port mapping:
1) Open AirPort Utility, select your wireless device, and then choose Base Station > Manual Setup, or double-click the device icon to open its configuration in a separate window. Enter the password if necessary.
2) Click the Advanced button, and then click Port Mapping.
3) Click the Add button and choose a service, such as Personal File Sharing, from the Service pop-up menu.

Static nat and service port groups

I need some help with opening ports on my ASA using firmware 9.1.2.
I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ?
I have the ACL -
access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
Can this statement
object network obj-ExchangeSever-smtp
nat (inside,outside) static interface service tcp smtp smtp
reference the service port groups instead?
Thanks,
Andrew

Hi,
Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
Well you can for example configure this kind of "object-group"
object-group service SERVER-PORTS
service-object tcp destination eq www
service-object tcp destination eq ftp
service-object tcp destination eq https
service-object icmp echo
access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesnt tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
Hope this helps
- Jouni

NAT default open ports

Similar Messages

Maybe you are looking for