Hi Tyson,

We use NBAR with ZBF MQC. Let's say I configure a class type inspect with "match protocol http" and need to also match HTTP traffic on 1234. For that we need to use port map, right?

With regards
Kings

On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> Not to be nitpicky but port-map is used for inspection policies, NBAR uses nbar port-mapping which is used by the MQC. Two separate features.
>
> Want to make sure everyone understands the difference. Not trying to beat a dead horse.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Wednesday, April 28, 2010 12:04 AM
> *To:* Roger Cheeks
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>
> port-map is used to add new ports for application identification for NBAR and CBAC. It can't be used as an additional port for the IOS services as such.
>
> For example, if you need to add a port for telnet, either you can use NAT or rotary (ports 3000, 5000).
>
> With regards
> King
>
> On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks <[email protected]> wrote:
>
> > Thanks all,
> >
> > I was only able to get telnet to work by NATing on the device upstream from the auth-proxy device so the auth-proxy router just saw the traffic as regular telnet.
> >
> > Great info!
> >
> > 2010/4/27 Mohamed Gazzaz <[email protected]>
> >
> > > Hi Roger,
> > >
> > > I am not sure about Telnet but I was able to get Auth-Proxy to work on non-standard ports for HTTP and HTTPS.
> > >
> > > Here is what I added in addition to the default Auth-Proxy configuration.
> > >
> > > ip port-map http port tcp 8088
> > > ip port-map https port tcp 5796
> > >
> > > ip http server
> > > ip http port 8088
> > > ip http secure-server
> > > ip http secure-port 5796
> > >
> > > After that, try http://(Server's ip address):8088 or https://(Server's ip address):5796
> > >
> > > Regards,
> > > Mohamed Gazzaz
> > >
> > > ------------------------------
> > > From: [email protected]
> > > To: [email protected]
> > > Date: Tue, 27 Apr 2010 16:50:25 -0400
> > > CC: [email protected]
> > > Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> > >
> > > The first option will work for HTTP. Not sure on telnet working with a separate port.
> > >
> > > Regards,
> > >
> > > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > > Technical Instructor - IPexpert, Inc.
> > >
> > > *From:* Roger Cheeks [mailto:[email protected]]
> > > *Sent:* Tuesday, April 27, 2010 3:50 PM
> > > *To:* Tyson Scott
> > > *Cc:* OSL Security
> > > *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> > >
> > > Just as an FYI - neither of those solutions worked. I'm going to read some to see if this is a supported feature.
> > >
> > > Thanks
> > >
> > > On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:
> > >
> > > > Second option is to use a NAT statement to redirect 3023 to 23 on the router. But try the first thing.
> > > >
> > > > Regards,
> > > >
> > > > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > > > Technical Instructor - IPexpert, Inc.
> > > >
> > > > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Roger Cheeks
> > > > *Sent:* Tuesday, April 27, 2010 1:58 PM
> > > > *To:* OSL Security
> > > > *Subject:* [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> > > >
> > > > Has anyone ever gotten this to work for http or telnet? This is a little long, sorry for that.
> > > >
> > > > Topology
> > > >
> > > > SW1 <-> R3845 <-> R2600
> > > >
> > > > Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1
> > > >
> > > > Switch info...
> > > >
> > > > SW3750(config)#siib | i 35
> > > > Vlan35 192.168.35.9 YES NVRAM up up
> > > >
> > > > Security Router configuration...
> > > >
> > > > hostname R3845
> > > >
> > > > aaa new-model
> > > > aaa authentication login no_aaa none
> > > > aaa authentication login local_aaa local
> > > > aaa authorization auth-proxy default local
> > > >
> > > > username aptest privilege 15 password 0 apworkplease
> > > >
> > > > ip port-map telnet port tcp 3023
> > > > ip inspect name watch_telnet telnet audit-trail on
> > > > ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
> > > >
> > > > interface GigabitEthernet0/0
> > > >  ip address 192.168.35.254 255.255.255.0
> > > >  ip inspect watch_telnet in
> > > >  ip auth-proxy SW1-Proxy
> > > >  ip virtual-reassembly
> > > >
> > > > interface GigabitEthernet0/1
> > > >  ip address 77.77.77.254 255.255.255.0
> > > >  ip virtual-reassembly
> > > >
> > > > access-list 102 permit tcp host 192.168.35.9 any eq telnet
> > > > access-list 102 permit tcp host 192.168.35.9 any eq 3023
> > > >
> > > > Target router...
> > > >
> > > > hostname R2600-H
> > > >
> > > > interface FastEthernet0/0
> > > >  ip address 77.77.77.26 255.255.255.0
> > > >
> > > > line vty 0 4
> > > >  exec-timeout 60 0
> > > >  password cisco
> > > >  login
> > > >  rotary 23
> > > >
> > > > RESULTS for straight telnet:
> > > >
> > > > SW3750#telnet 77.77.77.26
> > > > Trying 77.77.77.26 ... Open
> > > >
> > > > Firewall authentication
> > > > Username:aptest
> > > > Password:
> > > > Firewall authentication Success.
> > > > Connection will be closed if remote server does not respond
> > > > Connecting to remote server...
> > > >
> > > > User Access Verification
> > > >
> > > > Password:
> > > > R2600>
> > > >
> > > > Debug from 3845:
> > > >
> > > > R3845(config)#
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
> > > > *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
> > > > *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
> > > > *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
> > > > *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
> > > > *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
> > > > *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
> > > > *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
> > > > *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
> > > > *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
> > > > *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
> > > > *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
> > > > *Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
> > > > *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
> > > > *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
> > > > *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
> > > > *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
> > > > R3845(config)#
> > > >
> > > > RESULTS for telnet on 3023:
> > > >
> > > > R3845(config)#do clear ip auth-proxy cache *
> > > >
> > > > SW3750#telnet 77.77.77.26 3023
> > > > Trying 77.77.77.26, 3023 ... Open
> > > >
> > > > User Access Verification
> > > >
> > > > Password:
> > > > R2600>
> > > >
> > > > Logs from 3845 verifying telnet inspection:
> > > >
> > > > R3845(config)#
> > > > *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
> > > > *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
> > > >
> > > > As shown, telnet on 3023 bypasses auth-proxy entirely.
> > > >
> > > > Thanks for any input.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
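The gap Roger's debug output exposes is visible in the logs themselves: the port-23 session is preceded by an AUTH-PROXY server-side open for the same initiator/responder pair, while the port-3023 session is logged by inspection (because `ip port-map telnet port tcp 3023` classifies it as telnet) with no auth-proxy activity at all. The following is an added example, not code from the thread or from Cisco, that turns that observation into a detection check: it parses IOS audit-trail and AUTH-PROXY debug lines and flags inspected telnet sessions that were not authenticated through auth-proxy within a short window. The sample log is constructed to mirror the lines quoted above; the 5-second correlation window and the "AUTH-PROXY:srcaddr/dstaddr" pairing rule are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample log, modelled on the IOS audit-trail and AUTH-PROXY debug
# lines quoted in the thread (same formats and addresses; not a verbatim copy).
SAMPLE_LOG = """\
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# Common IOS timestamp prefix: "*Apr 27 18:00:37.269: "
TS = r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
SRC_RE = re.compile(TS + r"AUTH-PROXY:srcaddr of server side is (?P<ip>[\d.]+)")
DST_RE = re.compile(TS + r"AUTH-PROXY:dstaddr of server side is (?P<ip>[\d.]+)")
START_RE = re.compile(
    TS + r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)


class Finding(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    reason: str


def parse_ts(raw: str) -> datetime:
    # IOS pads single-digit days with a space ("Apr  7"); collapse it first.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S.%f")


def find_unauthenticated_telnet(log: str, window_seconds: float = 5.0) -> List[Finding]:
    """Return inspected telnet sessions that were not preceded, within
    window_seconds, by an auth-proxy server-side open for the same
    (initiator, responder) address pair."""
    window = timedelta(seconds=window_seconds)
    pending_src: Optional[Tuple[datetime, str]] = None
    authenticated: Dict[Tuple[str, str], datetime] = {}  # (src, dst) -> open time
    findings: List[Finding] = []

    for line in log.splitlines():
        m = SRC_RE.match(line)
        if m:
            pending_src = (parse_ts(m["ts"]), m["ip"])
            continue
        m = DST_RE.match(line)
        if m and pending_src is not None:
            # srcaddr/dstaddr debug lines arrive as a pair; record the relay.
            authenticated[(pending_src[1], m["ip"])] = pending_src[0]
            pending_src = None
            continue
        m = START_RE.match(line)
        if not m or m["proto"] != "telnet":
            continue
        ts = parse_ts(m["ts"])
        key = (m["src"], m["dst"])
        auth_ts = authenticated.get(key)
        if auth_ts is not None and timedelta(0) <= ts - auth_ts <= window:
            continue  # auth-proxy opened the server side for this session
        dport = int(m["dport"])
        reason = "no auth-proxy open seen" if auth_ts is None else "last auth-proxy open too old"
        if dport != 23:
            reason += "; non-standard port (port-map classified it as telnet)"
        findings.append(Finding(ts, key[0], key[1], dport, reason))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_telnet(SAMPLE_LOG):
        print(f"{f.ts:%H:%M:%S} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

Run against the constructed sample, the check reports exactly one session, the one to 77.77.77.26:3023, which matches what the thread concluded by eye. The same pairing logic works on a live syslog feed as long as `debug ip auth-proxy` output and the inspection audit trail land in the same stream; without the debug lines every session would be flagged, so treat the absence of AUTH-PROXY lines as a data problem rather than an alert.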
