Hi Kings,

No it doesn't. The match protocol command in the type inspect class-maps is quite different from the match protocol in the regular L3 class maps. The former only selects which protocol to activate inspection on (since it is an inspection type class-map) and it has nothing to do with NBAR. The latter is used for protocol classification with NBAR. In summary, NBAR port map doesn't work with ZBF.
On 4/28/10, Kingsley Charles <[email protected]> wrote:
> Hi Tyson
>
> Please find the ZBF MQC below: Doesn't protocol classification/identification use NBAR?
>
> router(config)#class-map type inspect fw
> router(config-cmap)#match protocol ?
>
> With regards
> Kings
>
> On Wed, Apr 28, 2010 at 6:07 PM, Tyson Scott <[email protected]> wrote:
>
>> NBAR is not used by ZFW.
>>
>> NBAR uses the format "ip nbar port-map xxxx"
>>
>> When you map a protocol with ZFW how do you do it?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* Kingsley Charles [mailto:[email protected]]
>> *Sent:* Wednesday, April 28, 2010 7:49 AM
>> *To:* Tyson Scott
>> *Cc:* Roger Cheeks; [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> Hi Tyson
>>
>> We use NBAR with ZBF MQC. Let's say, I configure a class type inspect with "match protocol http" and need to also match http traffic on 1234. For that we need to use port map right?
>>
>> With regards
>> Kings
>>
>> On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:
>>
>> Kingsley,
>>
>> Not to be nitpicky but port-map is used for inspection policies, NBAR uses nbar port-mapping which is used by the MQC. Two separate features.
>>
>> Want to make sure everyone understands the difference. Not trying to beat a dead horse.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
>> *Sent:* Wednesday, April 28, 2010 12:04 AM
>> *To:* Roger Cheeks
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> port-map is used to add new ports for application identification for NBAR and CBAC. It can't be used as an additional port for the IOS services as such.
>>
>> For example, if you need to add a port for telnet either you can use NAT or rotary (ports 3000, 5000)
>>
>> With regards
>> King
>>
>> On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks <[email protected]> wrote:
>>
>> Thanks all,
>>
>> I was only able to get telnet to work by NATing on the device upstream from the auth-proxy device so the auth-proxy router just saw the traffic as regular telnet.
>>
>> Great info!
>>
>> 2010/4/27 Mohamed Gazzaz <[email protected]>
>>
>> Hi Roger,
>>
>> I am not sure about Telnet but I was able to get Auth-Proxy to work on non-standard ports for HTTP and HTTPS
>>
>> Here is what I added in addition to the default Auth-Proxy configuration.
>>
>> ip port-map http port tcp 8088
>> ip port-map https port tcp 5796
>>
>> ip http server
>> ip http port 8088
>> ip http secure-server
>> ip http secure-port 5796
>>
>> After that, try http://(Server's ip address):8088 or https://(Server's ip address):5796
>>
>> Regards,
>> Mohamed Gazzaz
>> ------------------------------
>>
>> From: [email protected]
>> To: [email protected]
>> Date: Tue, 27 Apr 2010 16:50:25 -0400
>> CC: [email protected]
>> Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> The first option will work for HTTP. Not sure on telnet working with a separate port.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* Roger Cheeks [mailto:[email protected]]
>> *Sent:* Tuesday, April 27, 2010 3:50 PM
>> *To:* Tyson Scott
>> *Cc:* OSL Security
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> Just as an FYI - neither of those solutions worked. I'm going to read some to see if this is a supported feature.
>>
>> Thanks
>>
>> On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:
>>
>> Second option is to use a NAT statement to redirect 3023 to 23 on the router. But try the first thing.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Roger Cheeks
>> *Sent:* Tuesday, April 27, 2010 1:58 PM
>> *To:* OSL Security
>> *Subject:* [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> Has anyone ever gotten this to work for http or telnet? This is a little long, sorry for that.
>>
>> Topology
>>
>> SW1 <-> R3845 <-> R2600
>>
>> Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1
>>
>> Switch info...
>>
>> SW3750(config)#siib | i 35
>> Vlan35 192.168.35.9 YES NVRAM up up
>>
>> Security Router configurations...
>>
>> hostname R3845
>> aaa new-model
>> aaa authentication login no_aaa none
>> aaa authentication login local_aaa local
>> aaa authorization auth-proxy default local
>>
>> username aptest privilege 15 password 0 apworkplease
>>
>> ip port-map telnet port tcp 3023
>> ip inspect name watch_telnet telnet audit-trail on
>> ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
>>
>> interface GigabitEthernet0/0
>> ip address 192.168.35.254 255.255.255.0
>> ip inspect watch_telnet in
>> ip auth-proxy SW1-Proxy
>> ip virtual-reassembly
>>
>> interface GigabitEthernet0/1
>> ip address 77.77.77.254 255.255.255.0
>> ip virtual-reassembly
>>
>> access-list 102 permit tcp host 192.168.35.9 any eq telnet
>> access-list 102 permit tcp host 192.168.35.9 any eq 3023
>>
>> Target router...
>>
>> hostname R2600-H
>> interface FastEthernet0/0
>> ip address 77.77.77.26 255.255.255.0
>>
>> line vty 0 4
>> exec-timeout 60 0
>> password cisco
>> login
>> rotary 23
>>
>> RESULTS for straight telnet:
>>
>> SW3750#telnet 77.77.77.26
>> Trying 77.77.77.26 ... Open
>>
>> Firewall authentication
>> Username:aptest
>> Password:
>> Firewall authentication Success.
>> Connection will be closed if remote server does not respond
>> Connecting to remote server...
>>
>> User Access Verification
>>
>> Password:
>> R2600>
>>
>> Debug from 3845:
>>
>> R3845(config)#
>> *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
>> *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
>> *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
>> *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
>> *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
>> *Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
>> *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
>> *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
>> *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
>> *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
>> R3845(config)#
>>
>> RESULTS for telnet on 3023:
>>
>> R3845(config)#do clear ip auth-proxy cache *
>>
>> SW3750#telnet 77.77.77.26 3023
>> Trying 77.77.77.26, 3023 ... Open
>>
>> User Access Verification
>>
>> Password:
>> R2600>
>>
>> Logs from 3845 verifying telnet inspection:
>>
>> R3845(config)#
>> *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
>> *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
>>
>> As shown telnet on 3023 bypasses auth-proxy entirely.
>>
>> Thanks for any input.
>>

--
Best Regards,
Tolulope.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
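As an added configuration example (written for this note, not taken from any poster's mail), the two features the thread keeps apart side by side: `ip port-map` extends what the inspection engine (CBAC/ZFW) treats as telnet, while `ip nbar port-map` only changes what an ordinary MQC class-map's `match protocol` classifies. Zone, class-map and policy-map names are assumed.

```cisco
! --- Zone-Based Firewall: inspect telnet on a non-standard port ---
! Tells the inspection engine that TCP 3023 is telnet; this is the
! mapping ZFW and CBAC consult, and it has nothing to do with NBAR.
ip port-map telnet port tcp 3023
!
! In a type inspect class-map, "match protocol" selects which
! application inspection to run, not an NBAR classification.
class-map type inspect match-all CM-INSPECT-TELNET
 match protocol telnet
!
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-INSPECT-TELNET
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! --- NBAR / MQC: the other "match protocol", unrelated to ZFW ---
! Overrides NBAR's port list for HTTP (80 must be repeated or it is
! lost); only a regular QoS class-map sees this.
ip nbar port-map http tcp 80 8088
!
class-map match-any CM-QOS-HTTP
 match protocol http
!
! Verification: each feature keeps its own table.
!   show ip port-map telnet
!   show ip nbar port-map http
```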
