Hi Tyson

Please find the ZBF MQC below. Doesn't protocol classification/identification use NBAR?

router(config)#class-map type inspect fw
router(config-cmap)#match protocol ?

With regards
Kings

On Wed, Apr 28, 2010 at 6:07 PM, Tyson Scott <[email protected]> wrote:

NBAR is not used by ZFW.

NBAR uses the format "ip nbar port-map xxxx"

When you map a protocol with ZFW how do you do it?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, April 28, 2010 7:49 AM
To: Tyson Scott
Cc: Roger Cheeks; [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Hi Tyson

We use NBAR with ZBF MQC. Let's say I configure a class type inspect with "match protocol http" and need to also match http traffic on 1234. For that we need to use port map, right?

With regards
Kings

On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:

Kingsley,

Not to be nitpicky, but port-map is used for inspection policies; NBAR uses nbar port-mapping, which is used by the MQC. Two separate features.

Want to make sure everyone understands the difference. Not trying to beat a dead horse.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, April 28, 2010 12:04 AM
To: Roger Cheeks
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

port-map is used to add new ports for application identification for NBAR and CBAC. It can't be used as an additional port for the IOS services as such.

For example, if you need to add a port for telnet, either you can use NAT or rotary (ports 3000, 5000).

With regards
King

On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks <[email protected]> wrote:

Thanks all,

I was only able to get telnet to work by NATing on the device upstream from the auth-proxy device so the auth-proxy router just saw the traffic as regular telnet.

Great info!

2010/4/27 Mohamed Gazzaz <[email protected]>

Hi Roger,

I am not sure about Telnet, but I was able to get Auth-Proxy to work on non-standard ports for HTTP and HTTPS.

Here is what I added in addition to the default Auth-Proxy configuration.

ip port-map http port tcp 8088
ip port-map https port tcp 5796

ip http server
ip http port 8088
ip http secure-server
ip http secure-port 5796

After that, try http://(server's ip address):8088 or https://(server's ip address):5796

Regards,
Mohamed Gazzaz

From: [email protected]
To: [email protected]
Date: Tue, 27 Apr 2010 16:50:25 -0400
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

The first option will work for HTTP. Not sure on telnet working with a separate port.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: Roger Cheeks [mailto:[email protected]]
Sent: Tuesday, April 27, 2010 3:50 PM
To: Tyson Scott
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Just as an FYI - neither of those solutions worked. I'm going to read some to see if this is a supported feature.

Thanks

On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:

Second option is to use a NAT statement to redirect 3023 to 23 on the router. But try the first thing.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Roger Cheeks
Sent: Tuesday, April 27, 2010 1:58 PM
To: OSL Security
Subject: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Has anyone ever gotten this to work for http or telnet? This is a little long, sorry for that.

Topology

SW1 <-> R3845 <-> R2600

Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1

Switch info...

SW3750(config)#siib | i 35
Vlan35 192.168.35.9 YES NVRAM up up

Security Router configurations...

hostname R3845
aaa new-model
aaa authentication login no_aaa none
aaa authentication login local_aaa local
aaa authorization auth-proxy default local

username aptest privilege 15 password 0 apworkplease

ip port-map telnet port tcp 3023
ip inspect name watch_telnet telnet audit-trail on
ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102

interface GigabitEthernet0/0
 ip address 192.168.35.254 255.255.255.0
 ip inspect watch_telnet in
 ip auth-proxy SW1-Proxy
 ip virtual-reassembly

interface GigabitEthernet0/1
 ip address 77.77.77.254 255.255.255.0
 ip virtual-reassembly

access-list 102 permit tcp host 192.168.35.9 any eq telnet
access-list 102 permit tcp host 192.168.35.9 any eq 3023

Target router...

hostname R2600-H
interface FastEthernet0/0
 ip address 77.77.77.26 255.255.255.0

line vty 0 4
 exec-timeout 60 0
 password cisco
 login
 rotary 23

RESULTS for straight telnet:

SW3750#telnet 77.77.77.26
Trying 77.77.77.26 ... Open

Firewall authentication
Username:aptest
Password:
Firewall authentication Success.
Connection will be closed if remote server does not respond
Connecting to remote server...

User Access Verification

Password:
R2600>

Debug from 3845:

R3845(config)#
*Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
*Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
*Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:turning off options
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
R3845(config)#

RESULTS for telnet on 3023:

R3845(config)#do clear ip auth-proxy cache *

SW3750#telnet 77.77.77.26 3023
Trying 77.77.77.26, 3023 ... Open

User Access Verification

Password:
R2600>

Logs from 3845 verifying telnet inspection:

R3845(config)#
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes

As shown, telnet on 3023 bypasses auth-proxy entirely.

Thanks for any input.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
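The verification Roger did by hand in the thread (reading the AUTH-PROXY debug next to the %FW-6 audit trail and noticing that the 3023 session had no authentication in front of it) can be scripted, so that a router's debug output can be checked for sessions the inspection engine saw but auth-proxy never intercepted. The Python below is an added example written for this page; it is not code from the thread or from IPexpert. It assumes a simple model of the auth-proxy cache (a successful authentication installs a per-source-host entry that lives for the rule's inactivity-time unless an operator clears the cache), it takes the time of the operator's "clear ip auth-proxy cache *" as a parameter because that command leaves no debug line, and its sample log is a constructed condensation of the debug quoted above. The function names (`find_unproxied_sessions`, `parse_ts`) are the example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the router debug from the thread, condensed to the lines
# this check needs (one AUTH-PROXY authentication, then two inspected sessions).
SAMPLE_LOG = """\
*Apr 27 18:00:37.065: AUTH-PROXY:turning off options
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# "*Apr 27 18:00:37.269: <message>": IOS timestamp, then the message text.
LINE_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# Debug line auth-proxy emits once the user has authenticated and the proxy
# opens the server side of the connection on the client's behalf.
AUTH_OK_RE = re.compile(r"AUTH-PROXY:srcaddr of server side is (?P<src>[\d.]+)")
# CBAC audit trail: the inspected session itself.
SESS_START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)


def parse_ts(text):
    """IOS timestamps carry no year; strptime fills in 1900, which is fine for same-day deltas."""
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def find_unproxied_sessions(log_text, protected_ports, inactivity=timedelta(minutes=60), cache_clears=()):
    """Return inspected sessions to `protected_ports` whose initiator held no live auth-proxy entry.

    Assumed cache model: a successful authentication installs an entry for the
    source host that lasts `inactivity` (the rule's inactivity-time) unless an
    operator "clear ip auth-proxy cache" (timestamps in `cache_clears`, since the
    clear leaves no debug line of its own) removes it first.
    """
    authenticated = {}  # source host -> time of its last auth-proxy authentication
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # wrapped continuation or unrelated console output
        ts, msg = parse_ts(line.group("ts")), line.group("msg")
        auth = AUTH_OK_RE.search(msg)
        if auth:
            authenticated[auth.group("src")] = ts
            continue
        sess = SESS_START_RE.search(msg)
        if not sess or int(sess.group("dport")) not in protected_ports:
            continue
        auth_ts = authenticated.get(sess.group("src"))
        entry_live = (
            auth_ts is not None
            and ts - auth_ts <= inactivity
            and not any(auth_ts < cleared <= ts for cleared in cache_clears)
        )
        if not entry_live:
            findings.append({
                "time": ts, "proto": sess.group("proto"),
                "src": sess.group("src"), "dst": sess.group("dst"),
                "dport": int(sess.group("dport")),
            })
    return findings


if __name__ == "__main__":
    # access-list 102 in the thread intends auth-proxy to cover both 23 and 3023.
    # The time of the operator's "clear ip auth-proxy cache *" between the two
    # tests is an assumption: it falls between the sessions but is not timestamped.
    cleared_at = [parse_ts("Apr 27 18:02:00.000")]
    for f in find_unproxied_sessions(SAMPLE_LOG, {23, 3023}, cache_clears=cleared_at):
        print(f"{f['time']:%b %d %H:%M:%S} {f['proto']} {f['src']} -> {f['dst']}:{f['dport']} "
              "inspected but not authenticated by auth-proxy")
```

Run against the sample it reports exactly the session Roger spotted: the telnet to 77.77.77.26:3023 was inspected by CBAC (the port-map made the audit trail call it "telnet") but never passed through auth-proxy. Entries are keyed on the source host because that is the granularity at which auth-proxy installs its dynamic entries; because the cache-clear time and the inactivity timer are reconstructed rather than read from the log, treat the output as a list to review, not a verdict.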
