Cisco 877 - Stealth Port Scan

Discussion in 'Cisco' started by Peter Danes, Sep 27, 2007.

  1. Peter Danes

    Peter Danes Guest

    Hi,

    My router has had constant hacking attempts so I have spent all night
    trying to get all of my ports returning stealth when I run a port scan
    but I haven't had much luck.

    I have found a way to do it from the Internet but my port forwards no
    longer work.

    The configuration is as follows:

    ip inspect name Internet tcp router-traffic
    ip inspect name Internet udp router-traffic
    ip inspect name Internet icmp router-traffic

    access-list 102 permit ip any 192.168.0.0 0.0.0.255
    access-list 102 deny ip any any

    int dialer0
    ip access-group 102 in
    no ip unreachables
    ip nat outside
    ip inspect Internet out
    ip inspect Internet in
    ip virtual-reassembly

    For some reason, as soon as I apply access-group 102 to the dialer0
    interface, my port forwards cease to work but I am still able to open
    web pages etc.

    An example of a port forward would be the following:
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static udp 192.168.0.2 9002 interface Dialer0 9002
    ip nat inside source static tcp 192.168.0.2 9002 interface Dialer0 9002

    If anyone can assist me it would be great!

    Thanks

    Peter
    Peter Danes, Sep 27, 2007
    #1

  2. In article <>,
    Peter Danes <> wrote:

    >access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >access-list 102 deny ip any any


    >int dialer0
    > ip access-group 102 in
    > no ip unreachables
    > ip nat outside
    > ip inspect Internet out
    > ip inspect Internet in
    > ip virtual-reassembly


    >For some reason, as soon as I apply access-group 102 to the dialer0
    >interface, my port forwards cease to work but I am still able to open
    >web pages etc.


    dialer0 is your outside interface, so the "in" access-group will be processed
    -before- NAT is applied. Thus it must have the public destinations.
    Walter Roberson, Sep 27, 2007
    #2

  3. Peter Danes

    thort

    Joined:
    Sep 26, 2007
    Messages:
    35
    Also, on a security note, anyone who has an internet IP will always be scanned/attacked regardless.

    Your inspect commands just tell the IOS firewall to do automatic ACLs and to do content inspection, which eliminates some DOS and other attacks on the actual traffic allowed.

    Essentially 'ip inspect Internet in' on your external interface allows incoming traffic from the internet. !!!!!!

    You may find this article helpful:
    http://articles.techrepublic.com.com/5100-6350-1057051.html

    and very well explained for filtered(stealth)/closed results when doing a portscan:
    http://ioshints.blogspot.com/2007/06/closed-versus-filtered-ports.html
    Last edited: Sep 29, 2007
    thort, Sep 29, 2007
    #3
  4. Peter Danes

    Peter Danes Guest

    Walter Roberson wrote:
    > In article <>,
    > Peter Danes <> wrote:
    >
    >> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >> access-list 102 deny ip any any

    >
    >> int dialer0
    >> ip access-group 102 in
    >> no ip unreachables
    >> ip nat outside
    >> ip inspect Internet out
    >> ip inspect Internet in
    >> ip virtual-reassembly

    >
    >> For some reason, as soon as I apply access-group 102 to the dialer0
    >> interface, my port forwards cease to work but I am still able to open
    >> web pages etc.

    >
    > dialer0 is your outside interface, so the "in" access-group will be processed
    > -before- NAT is applied. Thus it must have the public destinations.


    Thanks for the reply Walter.

    Can you or someone elaborate on what I need to do exactly?
    Peter Danes, Oct 2, 2007
    #4
  5. Peter Danes

    Peter Danes Guest

    Peter Danes wrote:
    > Walter Roberson wrote:
    >> In article <>,
    >> Peter Danes <> wrote:
    >>
    >>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>> access-list 102 deny ip any any

    >>
    >>> int dialer0
    >>> ip access-group 102 in
    >>> no ip unreachables
    >>> ip nat outside
    >>> ip inspect Internet out
    >>> ip inspect Internet in
    >>> ip virtual-reassembly

    >>
    >>> For some reason, as soon as I apply access-group 102 to the dialer0
    >>> interface, my port forwards cease to work but I am still able to open
    >>> web pages etc.

    >>
    >> dialer0 is your outside interface, so the "in" access-group will be
    >> processed
    >> -before- NAT is applied. Thus it must have the public destinations.

    >
    > Thanks for the reply Walter.
    >
    > Can you or someone elaborate on what I need to do exactly?


    Anyone...? =)
    Peter Danes, Oct 7, 2007
    #5
  6. Peter Danes

    Guest

    On 7 Oct, 15:17, Peter Danes <> wrote:
    > Peter Danes wrote:
    > > Walter Roberson wrote:
    > >> In article <>,
    > >> Peter Danes <> wrote:

    >
    > >>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    > >>> access-list 102 deny ip any any

    >
    > >>> int dialer0
    > >>> ip access-group 102 in
    > >>> no ip unreachables
    > >>> ip nat outside
    > >>> ip inspect Internet out
    > >>> ip inspect Internet in
    > >>> ip virtual-reassembly

    >
    > >>> For some reason, as soon as I apply access-group 102 to the dialer0
    > >>> interface, my port forwards cease to work but I am still able to open
    > >>> web pages etc.

    >
    > >> dialer0 is your outside interface, so the "in" access-group will be
    > >> processed
    > >> -before- NAT is applied. Thus it must have the public destinations.

    >
    > > Thanks for the reply Walter.

    >
    > > Can you or someone elaborate on what I need to do exactly?

    >
    > Anyone...? =)


    You need to add to the ACL 102 permit statements
    to allow your inbound traffic in.

    You NEED to specify the address of dialer 0.
    If you have a dynamic address then this will
    be a limitation but unless you are getting hit
    from your ISP you will be able to work around it.


    Let's use a.b.c.d to represent your dialer 0
    IP address.

    This one does nothing useful to you
    access-list 102 permit ip any 192.168.0.0 0.0.0.255


    You do need:
    access-list 102 permit udp any host a.b.c.d eq 9002
    access-list 102 permit tcp any host a.b.c.d eq 9002
    access-list 102 deny ip any any


    If your IP address changes a lot you could do
    something like

    access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
    access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
    access-list 102 deny ip any any


    Choose the wildcard length to match your possible
    IP address range.
    , Oct 7, 2007
    #6
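    Walter's point in #2 (the inbound ACL on Dialer0 is evaluated before NAT, so it sees the public destination) and the per-port permits given above can be checked without a router. The following simulation is an added example, not code from this thread or from Cisco: it models Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the inbound-ACL-before-NAT ordering on an `ip nat outside` interface. The public address 203.0.113.7 and the source 198.51.100.9 are constructed placeholders for a.b.c.d and a remote host, and `203.0.0.0 0.0.255.255` stands in for the `a.b.0.0 0.0.255.255` range rule. It does not model `ip inspect` (CBAC), which is what opens temporary holes in this same ACL for the return traffic of outbound sessions and is why web browsing kept working while the forwards broke.

```python
"""Simulate inbound ACL evaluation on a Cisco 'ip nat outside' interface.

Added example; the addresses below are constructed, not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.7"   # constructed stand-in for the Dialer0 address a.b.c.d
REMOTE_IP = "198.51.100.9"  # constructed Internet source address


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str                    # destination as seen on the wire (pre-NAT)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: str                    # "any", "host A" or "A WILDCARD"
    dst: str
    eq_port: Optional[int] = None


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard masks: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    toks = spec.split()
    base, wild = (toks[1], "0.0.0.0") if toks[0] == "host" else (toks[0], toks[1])
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def _take_addr(toks):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') from tokens."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    acl = []
    for line in lines:
        toks = line.split()
        if toks[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = toks[2], toks[3]
        src, rest = _take_addr(toks[4:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acl.append(Ace(action, proto, src, dst, port))
    return acl


def parse_static_nat(lines):
    """'ip nat inside source static PROTO IN_IP IN_PORT interface Dialer0 OUT_PORT'
    -> {(proto, out_port): (in_ip, in_port)}"""
    table = {}
    for line in lines:
        t = line.split()
        table[(t[5], int(t[10]))] = (t[6], int(t[7]))
    return table


def acl_action(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.eq_port is not None and ace.eq_port != pkt.dport:
            continue
        return ace.action
    return "deny"


def inbound_on_outside(acl, static_nat, pkt):
    """Inbound on the outside interface: ACL first (public destination), NAT second."""
    if acl_action(acl, pkt) == "deny":
        # Dropped before NAT. With 'no ip unreachables' nothing goes back,
        # so a scanner reports the port as filtered ("stealth").
        return "dropped"
    target = static_nat.get((pkt.proto, pkt.dport))
    if target:
        return f"forwarded to {target[0]}:{target[1]}"
    return "delivered to the router itself"


ORIGINAL_ACL = parse_acl([
    "access-list 102 permit ip any 192.168.0.0 0.0.0.255",  # private dst: never seen here
    "access-list 102 deny ip any any",
])
FIXED_ACL = parse_acl([
    f"access-list 102 permit udp any host {PUBLIC_IP} eq 9002",
    f"access-list 102 permit tcp any host {PUBLIC_IP} eq 9002",
    "access-list 102 deny ip any any",
])
RANGE_ACL = parse_acl([  # dynamic-address variant: wildcard covers the ISP range
    "access-list 102 permit tcp any 203.0.0.0 0.0.255.255 eq 9002",
    "access-list 102 deny ip any any",
])
STATIC_NAT = parse_static_nat([
    "ip nat inside source static udp 192.168.0.2 9002 interface Dialer0 9002",
    "ip nat inside source static tcp 192.168.0.2 9002 interface Dialer0 9002",
])


def demo():
    forward = Packet("tcp", REMOTE_IP, PUBLIC_IP, 9002)  # the port forward
    probe = Packet("tcp", REMOTE_IP, PUBLIC_IP, 22)      # an unpermitted port
    return {
        "original_acl_forward": inbound_on_outside(ORIGINAL_ACL, STATIC_NAT, forward),
        "fixed_acl_forward": inbound_on_outside(FIXED_ACL, STATIC_NAT, forward),
        "range_acl_forward": inbound_on_outside(RANGE_ACL, STATIC_NAT, forward),
        "fixed_acl_probe": inbound_on_outside(FIXED_ACL, STATIC_NAT, probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")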
  7. Peter Danes

    Peter Danes Guest

    wrote:
    > On 7 Oct, 15:17, Peter Danes <> wrote:
    >> Peter Danes wrote:
    >>> Walter Roberson wrote:
    >>>> In article <>,
    >>>> Peter Danes <> wrote:
    >>>>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>>>> access-list 102 deny ip any any
    >>>>> int dialer0
    >>>>> ip access-group 102 in
    >>>>> no ip unreachables
    >>>>> ip nat outside
    >>>>> ip inspect Internet out
    >>>>> ip inspect Internet in
    >>>>> ip virtual-reassembly
    >>>>> For some reason, as soon as I apply access-group 102 to the dialer0
    >>>>> interface, my port forwards cease to work but I am still able to open
    >>>>> web pages etc.
    >>>> dialer0 is your outside interface, so the "in" access-group will be
    >>>> processed
    >>>> -before- NAT is applied. Thus it must have the public destinations.
    >>> Thanks for the reply Walter.
    >>> Can you or someone elaborate on what I need to do exactly?

    >> Anyone...? =)

    >
    > You need to add to the ACL 102 permit statements
    > to allow your inbound traffic in.
    >
    > You NEED to specify the address of dialer 0.
    > If you have a dynamic address then this will
    > be a limitation but unless you are getting hit
    > from your ISP you will be able to work around it.
    >
    >
    > Let's use a.b.c.d to represent your dialer 0
    > IP address.
    >
    > This one does nothing useful to you
    > access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >
    >
    > You do need:
    > access-list 102 permit udp any host a.b.c.d eq 9002
    > access-list 102 permit tcp any host a.b.c.d eq 9002
    > access-list 102 deny ip any any
    >
    >
    > If your IP address changes a lot you could do
    > something like
    >
    > access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
    > access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
    > access-list 102 deny ip any any
    >
    >
    > Choose the wildcard length to match your possible
    > IP address range.
    >


    The above worked like a charm so give yourself a pat on the back for a
    job well done.

    Thanks so much!
    Peter Danes, Oct 8, 2007
    #7
  8. Peter Danes

    Peter Danes Guest

    Peter Danes wrote:
    > wrote:
    >> On 7 Oct, 15:17, Peter Danes <> wrote:
    >>> Peter Danes wrote:
    >>>> Walter Roberson wrote:
    >>>>> In article <>,
    >>>>> Peter Danes <> wrote:
    >>>>>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>>>>> access-list 102 deny ip any any
    >>>>>> int dialer0
    >>>>>> ip access-group 102 in
    >>>>>> no ip unreachables
    >>>>>> ip nat outside
    >>>>>> ip inspect Internet out
    >>>>>> ip inspect Internet in
    >>>>>> ip virtual-reassembly
    >>>>>> For some reason, as soon as I apply access-group 102 to the dialer0
    >>>>>> interface, my port forwards cease to work but I am still able to open
    >>>>>> web pages etc.
    >>>>> dialer0 is your outside interface, so the "in" access-group will be
    >>>>> processed
    >>>>> -before- NAT is applied. Thus it must have the public destinations.
    >>>> Thanks for the reply Walter.
    >>>> Can you or someone elaborate on what I need to do exactly?
    >>> Anyone...? =)

    >>
    >> You need to add to the ACL 102 permit statements
    >> to allow your inbound traffic in.
    >>
    >> You NEED to specify the address of dialer 0.
    >> If you have a dynamic address then this will
    >> be a limitation but unless you are getting hit
    >> from your ISP you will be able to work around it.
    >>
    >>
    >> Let's use a.b.c.d to represent your dialer 0
    >> IP address.
    >>
    >> This one does nothing useful to you
    >> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>
    >>
    >> You do need:
    >> access-list 102 permit udp any host a.b.c.d eq 9002
    >> access-list 102 permit tcp any host a.b.c.d eq 9002
    >> access-list 102 deny ip any any
    >>
    >>
    >> If your IP address changes a lot you could do
    >> something like
    >>
    >> access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
    >> access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
    >> access-list 102 deny ip any any
    >>
    >>
    >> Choose the wildcard length to match your possible
    >> IP address range.
    >>

    >
    > The above worked like a charm so give yourself a pat on the back for a
    > job well done.
    >
    > Thanks so much!


    Doh! I spoke too soon.

    My port forwards are still broken, the ports are stealth though.

    Here is an example of my port forward if it will help at all.

    ip nat inside source static tcp 192.168.0.9 9009 interface Dialer0 9009
    ip nat inside source static udp 192.168.0.9 9009 interface Dialer0 9009
    Peter Danes, Oct 8, 2007
    #8
  9. Peter Danes

    Peter Danes Guest

    Peter Danes wrote:
    > Peter Danes wrote:
    >> wrote:
    >>> On 7 Oct, 15:17, Peter Danes <> wrote:
    >>>> Peter Danes wrote:
    >>>>> Walter Roberson wrote:
    >>>>>> In article <>,
    >>>>>> Peter Danes <> wrote:
    >>>>>>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>>>>>> access-list 102 deny ip any any
    >>>>>>> int dialer0
    >>>>>>> ip access-group 102 in
    >>>>>>> no ip unreachables
    >>>>>>> ip nat outside
    >>>>>>> ip inspect Internet out
    >>>>>>> ip inspect Internet in
    >>>>>>> ip virtual-reassembly
    >>>>>>> For some reason, as soon as I apply access-group 102 to the dialer0
    >>>>>>> interface, my port forwards cease to work but I am still able to
    >>>>>>> open
    >>>>>>> web pages etc.
    >>>>>> dialer0 is your outside interface, so the "in" access-group will be
    >>>>>> processed
    >>>>>> -before- NAT is applied. Thus it must have the public destinations.
    >>>>> Thanks for the reply Walter.
    >>>>> Can you or someone elaborate on what I need to do exactly?
    >>>> Anyone...? =)
    >>>
    >>> You need to add to the ACL 102 permit statements
    >>> to allow your inbound traffic in.
    >>>
    >>> You NEED to specify the address of dialer 0.
    >>> If you have a dynamic address then this will
    >>> be a limitation but unless you are getting hit
    >>> from your ISP you will be able to work around it.
    >>>
    >>>
    >>> Let's use a.b.c.d to represent your dialer 0
    >>> IP address.
    >>>
    >>> This one does nothing useful to you
    >>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    >>>
    >>>
    >>> You do need:
    >>> access-list 102 permit udp any host a.b.c.d eq 9002
    >>> access-list 102 permit tcp any host a.b.c.d eq 9002
    >>> access-list 102 deny ip any any
    >>>
    >>>
    >>> If your IP address changes a lot you could do
    >>> something like
    >>>
    >>> access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
    >>> access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
    >>> access-list 102 deny ip any any
    >>>
    >>>
    >>> Choose the wildcard length to match your possible
    >>> IP address range.
    >>>

    >>
    >> The above worked like a charm so give yourself a pat on the back for a
    >> job well done.
    >>
    >> Thanks so much!

    >
    > Doh! I spoke too soon.
    >
    > My port forwards are still broken, the ports are stealth though.
    >
    > Here is an example of my port forward if it will help at all.
    >
    > ip nat inside source static tcp 192.168.0.9 9009 interface Dialer0 9009
    > ip nat inside source static udp 192.168.0.9 9009 interface Dialer0 9009


    I have it figured out now so sorry about the last post.

    For anyone interested, I had to create an ACL for every port forwarded. =)
    Peter Danes, Oct 8, 2007
    #9
  10. Peter Danes

    Guest

    On 8 Oct, 09:15, Peter Danes <> wrote:
    > Peter Danes wrote:
    > > Peter Danes wrote:
    > >> wrote:
    > >>> On 7 Oct, 15:17, Peter Danes <> wrote:
    > >>>> Peter Danes wrote:
    > >>>>> Walter Roberson wrote:
    > >>>>>> In article <>,
    > >>>>>> Peter Danes <> wrote:
    > >>>>>>> access-list 102 permit ip any 192.168.0.0 0.0.0.255
    > >>>>>>> access-list 102 deny ip any any
    > >>>>>>> int dialer0
    > >>>>>>> ip access-group 102 in
    > >>>>>>> no ip unreachables
    > >>>>>>> ip nat outside
    > >>>>>>> ip inspect Internet out
    > >>>>>>> ip inspect Internet in
    > >>>>>>> ip virtual-reassembly
    > >>>>>>> For some reason, as soon as I apply access-group 102 to the dialer0
    > >>>>>>> interface, my port forwards cease to work but I am still able to
    > >>>>>>> open
    > >>>>>>> web pages etc.
    > >>>>>> dialer0 is your outside interface, so the "in" access-group will be
    > >>>>>> processed
    > >>>>>> -before- NAT is applied. Thus it must have the public destinations.
    > >>>>> Thanks for the reply Walter.
    > >>>>> Can you or someone elaborate on what I need to do exactly?
    > >>>> Anyone...? =)

    >
    > >>> You need to add to the ACL 102 permit statements
    > >>> to allow your inbound traffic in.

    >
    > >>> You NEED to specify the address of dialer 0.
    > >>> If you have a dynamic address then this will
    > >>> be a limitation but unless you are getting hit
    > >>> from your ISP you will be able to work around it.

    >
    > >>> Let's use a.b.c.d to represent your dialer 0
    > >>> IP address.

    >
    > >>> This one does nothing useful to you
    > >>> access-list 102 permit ip any 192.168.0.0 0.0.0.255

    >
    > >>> You do need:
    > >>> access-list 102 permit udp any host a.b.c.d eq 9002
    > >>> access-list 102 permit tcp any host a.b.c.d eq 9002
    > >>> access-list 102 deny ip any any

    >
    > >>> If your IP address changes a lot you could do
    > >>> something like

    >
    > >>> access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
    > >>> access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
    > >>> access-list 102 deny ip any any

    >
    > >>> Choose the wildcard length to match your possible
    > >>> IP address range.

    >
    > >> The above worked like a charm so give yourself a pat on the back for a
    > >> job well done.

    >
    > >> Thanks so much!

    >
    > > Doh! I spoke too soon.

    >
    > > My port forwards are still broken, the ports are stealth though.

    >
    > > Here is an example of my port forward if it will help at all.

    >
    > > ip nat inside source static tcp 192.168.0.9 9009 interface Dialer0 9009
    > > ip nat inside source static udp 192.168.0.9 9009 interface Dialer0 9009

    >
    > I have it figured out now so sorry about the last post.
    >
    > For anyone interested, I had to create an ACL for every port forwarded. =)


    That would be required.
    , Oct 9, 2007
    #10
