NBAR is not used by ZFW.

NBAR uses the format "ip nbar port-map xxxx". When you map a protocol with ZFW, how do you do it?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, April 28, 2010 7:49 AM
To: Tyson Scott
Cc: Roger Cheeks; [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Hi Tyson

We use NBAR with ZBF MQC. Let's say I configure a class type inspect with "match protocol http" and need to also match http traffic on 1234. For that we need to use port map, right?

With regards
Kings

On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:

Kingsley,

Not to be nitpicky, but port-map is used for inspection policies; NBAR uses nbar port-mapping, which is used by the MQC. Two separate features. Want to make sure everyone understands the difference. Not trying to beat a dead horse.

Regards,
Tyson Scott

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, April 28, 2010 12:04 AM
To: Roger Cheeks
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

port-map is used to add new ports for application identification for NBAR and CBAC. It can't be used as an additional port for the IOS services as such. For example, if you need to add a port for telnet, you can use either NAT or rotary (ports 3000, 5000).

With regards
King

On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks <[email protected]> wrote:

Thanks all, I was only able to get telnet to work by NATing on the device upstream from the auth-proxy device so the auth-proxy router just saw the traffic as regular telnet. Great info!

2010/4/27 Mohamed Gazzaz <[email protected]>

Hi Roger,

I am not sure about Telnet, but I was able to get Auth-Proxy to work on non-standard ports for HTTP and HTTPS. Here is what I added in addition to the default Auth-Proxy configuration.

ip port-map http port tcp 8088
ip port-map https port tcp 5796
ip http server
ip http port 8088
ip http secure-server
ip http secure-port 5796

After that, try http://(server's ip address):8088 or https://(server's ip address):5796

Regards,
Mohamed Gazzaz

_____
From: [email protected]
To: [email protected]
Date: Tue, 27 Apr 2010 16:50:25 -0400
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

The first option will work for HTTP. Not sure on telnet working with a separate port.

Regards,
Tyson Scott

From: Roger Cheeks [mailto:[email protected]]
Sent: Tuesday, April 27, 2010 3:50 PM
To: Tyson Scott
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Just as an FYI - neither of those solutions worked. I'm going to read some to see if this is a supported feature.

Thanks

On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:

Second option is to use a NAT statement to redirect 3023 to 23 on the router. But try the first thing.

Regards,
Tyson Scott

From: [email protected] [mailto:[email protected]] On Behalf Of Roger Cheeks
Sent: Tuesday, April 27, 2010 1:58 PM
To: OSL Security
Subject: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Has anyone ever gotten this to work for http or telnet? This is a little long, sorry for that.

Topology
SW1 <-> R3845 <-> R2600

Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1

Switch info...
SW3750(config)#siib | i 35
Vlan35   192.168.35.9   YES NVRAM   up   up

Security Router configurations...
hostname R3845
aaa new-model
aaa authentication login no_aaa none
aaa authentication login local_aaa local
aaa authorization auth-proxy default local
username aptest privilege 15 password 0 apworkplease
ip port-map telnet port tcp 3023
ip inspect name watch_telnet telnet audit-trail on
ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
interface GigabitEthernet0/0
 ip address 192.168.35.254 255.255.255.0
 ip inspect watch_telnet in
 ip auth-proxy SW1-Proxy
 ip virtual-reassembly
interface GigabitEthernet0/1
 ip address 77.77.77.254 255.255.255.0
 ip virtual-reassembly
access-list 102 permit tcp host 192.168.35.9 any eq telnet
access-list 102 permit tcp host 192.168.35.9 any eq 3023

Target router...
hostname R2600-H
interface FastEthernet0/0
 ip address 77.77.77.26 255.255.255.0
line vty 0 4
 exec-timeout 60 0
 password cisco
 login
 rotary 23

RESULTS for straight telnet:
SW3750#telnet 77.77.77.26
Trying 77.77.77.26 ... Open

Firewall authentication
Username:aptest
Password:
Firewall authentication Success.
Connection will be closed if remote server does not respond
Connecting to remote server...

User Access Verification
Password:
R2600>

Debug from 3845:
R3845(config)#
*Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
*Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
*Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:turning off options
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
R3845(config)#

RESULTS for telnet on 3023:
R3845(config)#do clear ip auth-proxy cache *
SW3750#telnet 77.77.77.26 3023
Trying 77.77.77.26, 3023 ... Open

User Access Verification
Password:
R2600>

Logs from 3845 verifying telnet inspection:
R3845(config)#
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes

As shown, telnet on 3023 bypasses auth-proxy entirely. Thanks for any input.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
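An added check, not part of the thread or of Cisco IOS: a small Python script that correlates the kind of R3845 output Roger quoted (an AUTH-PROXY server-side open followed by %FW-6-SESS_AUDIT_TRAIL_START) and reports inspected sessions to guarded ports that never went through auth-proxy, which is exactly what the 3023 session shows. The log lines are constructed from the thread's output; the guarded-port set, the correlation window and the function name are assumptions.

```python
import re

# Constructed sample, modelled on the R3845 debug/syslog lines quoted in the thread.
SAMPLE_LOG = """\
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# IOS timestamp prefix "*Apr 27 18:00:37.269: " followed by the message body.
TS_RE = re.compile(r"^\*\w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)$")
SRC_RE = re.compile(r"AUTH-PROXY:srcaddr of server side is (\S+)")
DST_RE = re.compile(r"AUTH-PROXY:dstaddr of server side is (\S+)")
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (\w+) session: "
    r"initiator \(([\d.]+):\d+\) -- responder \(([\d.]+):(\d+)\)")

def find_unauthenticated_sessions(log_text, guarded_ports, window=5.0):
    """Return (initiator, responder, port) for each inspected session to a guarded
    port not preceded within `window` seconds by an auth-proxy open for that pair."""
    proxied = {}        # (src, dst) -> time of the last auth-proxy server-side open
    pending_src = None  # srcaddr line seen, waiting for the matching dstaddr line
    findings = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        h, mi, s, ms, body = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000.0
        if (src_m := SRC_RE.search(body)):
            pending_src = src_m.group(1)
        elif (dst_m := DST_RE.search(body)) and pending_src:
            proxied[(pending_src, dst_m.group(1))] = t  # pair passed auth-proxy
            pending_src = None
        elif (st := START_RE.search(body)):
            _proto, src, dst, port = st.groups()
            port = int(port)
            opened = proxied.get((src, dst))
            # a guarded-port session with no fresh auth-proxy open went straight to inspection
            if port in guarded_ports and (opened is None or not 0 <= t - opened <= window):
                findings.append((src, dst, port))
    return findings

if __name__ == "__main__":
    for src, dst, port in find_unauthenticated_sessions(SAMPLE_LOG, {23, 3023}):
        print(f"{src} -> {dst}:{port} was inspected but never passed auth-proxy")
```

Run against the constructed sample it reports only the 3023 session; the session to port 23 is cleared because the AUTH-PROXY server-side open for the same initiator/responder pair precedes it.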
