I will say when I first saw ZFW I thought the same thing.  It took me a bit
to put it all together, myself.  This is the great thing about the list:
everyone has their strengths and weaknesses and we all get to assist each
other.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Wednesday, April 28, 2010 10:32 AM
To: Tyson Scott
Cc: Tolulope Ogunsina; [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard
ports?

 

Hi Tyson

 

For both CBAC and ZBF, ip port-map should be used for matching protocols on
non-standard ports.

 

ip nbar port-map can't be used for ZBF.

 

I was just saying that the technique used by "match protocol" of a class-map
type inspect uses the NBAR architecture to recognize the traffic.

 

That was my understanding till now :-)

 

 

 

 

 

With regards

Kings

On Wed, Apr 28, 2010 at 7:07 PM, Tyson Scott <[email protected]> wrote:

What is the command to map a non-standard port to a protocol in each
instance?

 

What is it for NBAR?

 

What is it for inspection?

 

The answer is right there.  You just have to sum it up.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.


 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Wednesday, April 28, 2010 9:26 AM
To: Tolulope Ogunsina
Cc: Tyson Scott; [email protected] 


Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard
ports?

 

Hi Tolulope

 

I agree totally with you and Tyson. 

 

Initially Cisco brought the MQC, i.e., the C3PL structure for QoS, which
didn't have NBAR. After some time, NBAR was introduced for QoS MQC.

 

NBAR is Network Based Application Recognition, which is used to classify
traffic. PDLM can be used if you need more classifications.

 

Then Cisco brought the ZBF, which also uses the C3PL structure. Hence I thought
this too uses NBAR.

 

NBAR is not a QoS functionality; rather, it is an IOS feature that is used for
identifying traffic patterns.

 

 

Maybe I am wrong. I will check it out.

 

I agree nbar port-map doesn't work with ZBF. But then how do we ZBF-inspect
standard protocols on non-standard ports like http on port 1234? I thought
port-map, which was used for the inspect-based firewall, would solve this
issue.

 

 

 

 

With regards

Kings

On Wed, Apr 28, 2010 at 6:19 PM, Tolulope Ogunsina <[email protected]>
wrote:

Hi Kings,
No it doesn't.
The match protocol command in the type inspect class-maps is quite
different from the match protocol in the regular L3 class-maps.
The former only selects which protocol to activate inspection on
(since it's an inspection-type class-map) and it has nothing to do
with NBAR. The latter is used for protocol classification with NBAR.
In summary, NBAR port-map doesn't work with ZBF.




On 4/28/10, Kingsley Charles <[email protected]> wrote:
> Hi Tyson
>
> Please find the ZBF MQC below: Doesn't protocol
> classification/identification use NBAR?
>
> router(config)#class-map type inspect fw
> router(config-cmap)#match protocol ?
>
>
> With regards
> Kings
>
> On Wed, Apr 28, 2010 at 6:07 PM, Tyson Scott <[email protected]> wrote:
>
>>  NBAR is not used by ZFW.
>>
>>
>>
>> NBAR uses the format "ip nbar port-map xxxx"
>>
>>
>>
>> When you map a protocol with ZFW how do you do it?
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>>
>>
>> *From:* Kingsley Charles [mailto:[email protected]]
>> *Sent:* Wednesday, April 28, 2010 7:49 AM
>> *To:* Tyson Scott
>> *Cc:* Roger Cheeks; [email protected]
>>
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for
>> non-standard ports?
>>
>>
>>
>> Hi Tyson
>>
>>
>>
>> We use NBAR with ZBF MQC. Let's say, I configure a class type
>> inspect with "match protocol http" and need to also match http traffic on
>> 1234. For that we need to use port map right?
>>
>>
>>
>>
>>
>> With regards
>>
>> Kings
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:
>>
>> Kingsley,
>>
>>
>>
>> Not to be nitpicky but port-map is used for inspection policies, NBAR uses
>> nbar port-mapping which is used by the MQC.  Two separate features.
>>
>>
>>
>> Want to make sure everyone understands the difference.  Not trying to beat
>> a dead horse.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]]
>> *On Behalf Of *Kingsley Charles
>> *Sent:* Wednesday, April 28, 2010 12:04 AM
>> *To:* Roger Cheeks
>> *Cc:* [email protected]
>>
>>
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for
>> non-standard ports?
>>
>>
>>
>> port-map is used to add new ports for application identification for NBAR
>> and CBAC. It can't be used as an additional port for the IOS services
>> as such.
>>
>>
>>
>> For example, if you need to add a port for telnet, either you can use NAT or
>> rotary (ports 3000, 5000)
>>
>>
>>
>>
>>
>> With regards
>>
>> King
>>
>> On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks
>> <[email protected]>
>> wrote:
>>
>> Thanks all,
>>
>> I was only able to get telnet to work by NATing on the device upstream
>> from
>> the auth-proxy device so the auth-proxy router just saw the traffic as
>> regular telnet.
>>
>>
>>
>> Great info!
>>
>>
>>
>>
>>
>> 2010/4/27 Mohamed Gazzaz <[email protected]>
>>
>>
>>
>> Hi Roger,
>>
>> I am not sure about Telnet, but I was able to get Auth-Proxy to work on
>> non-standard ports for HTTP and HTTPS.
>>
>> Here is what I added in addition to the default Auth-Proxy configuration.
>>
>> ip port-map http port tcp 8088
>> ip port-map https port tcp 5796
>>
>> ip http server
>> ip http port 8088
>> ip http secure-server
>> ip http secure-port 5796
>>

>> After that, try http://(Server's ip address):8088 or
>> https://(Server's ip address):5796

>>
>> Regards,
>> Mohamed Gazzaz
>>  ------------------------------
>>
>>
>> From: [email protected]
>> To: [email protected]
>> Date: Tue, 27 Apr 2010 16:50:25 -0400
>> CC: [email protected]
>>
>>
>> Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for
>> non-standard
>> ports?
>>
>>  The first option will work for HTTP.  Not sure on telnet working with a
>> separate port.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>>
>>
>> *From:* Roger Cheeks [mailto:[email protected]]
>> *Sent:* Tuesday, April 27, 2010 3:50 PM
>> *To:* Tyson Scott
>> *Cc:* OSL Security
>> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for
>> non-standard ports?
>>
>>
>>
>> Just as an FYI - neither of those solutions worked.  I'm going to read
>> some
>> to see if this is a supported feature.
>>
>>
>>
>> Thanks
>>
>> On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:
>>
>> Second option is to use a NAT statement to redirect 3023 to 23 on the
>> router.  But try the first thing.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Roger Cheeks
>> *Sent:* Tuesday, April 27, 2010 1:58 PM
>> *To:* OSL Security
>> *Subject:* [OSL | CCIE_Security] can IOS auth-proxy work for non-standard
>> ports?
>>
>>
>>
>> Has anyone ever gotten this to work for http or telnet?  This is a little
>> long, sorry for that.
>>
>>
>>
>> Topology
>>
>> SW1 <-> R3845 <-> R2600
>>
>>
>>
>> Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600
>> from SW1
>>
>>
>>
>> Switch info...
>>
>> SW3750(config)#siib | i 35
>>
>> Vlan35                 192.168.35.9    YES NVRAM  up                    up
>>
>>
>>
>>
>> Security Router configurations...
>>
>> hostname R3845
>>
>> aaa new-model
>>
>> aaa authentication login no_aaa none
>>
>> aaa authentication login local_aaa local
>>
>> aaa authorization auth-proxy default local
>>
>>
>>
>> username aptest privilege 15 password 0 apworkplease
>>
>>
>>
>> ip port-map telnet port tcp 3023
>>
>> ip inspect name watch_telnet telnet audit-trail on
>>
>> ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
>>
>>
>>
>> interface GigabitEthernet0/0
>>
>>  ip address 192.168.35.254 255.255.255.0
>>
>>  ip inspect watch_telnet in
>>
>>  ip auth-proxy SW1-Proxy
>>
>>  ip virtual-reassembly
>>
>>
>>
>> interface GigabitEthernet0/1
>>
>>  ip address 77.77.77.254 255.255.255.0
>>
>>   ip virtual-reassembly
>>
>>
>>
>> access-list 102 permit tcp host 192.168.35.9 any eq telnet
>>
>> access-list 102 permit tcp host 192.168.35.9 any eq 3023
>>
>>
>>
>> Target router...
>>
>> hostname R2600-H
>>
>> interface FastEthernet0/0
>>
>>  ip address 77.77.77.26 255.255.255.0
>>
>>
>>
>> line vty 0 4
>>
>>  exec-timeout 60 0
>>
>>  password cisco
>>
>>  login
>>
>>  rotary 23
>>
>>
>>
>> RESULTS for straight telnet:
>>
>> SW3750#telnet 77.77.77.26
>>
>> Trying 77.77.77.26 ... Open
>>
>>
>>
>> Firewall authentication
>>
>> Username:aptest
>>
>> Password:
>>
>> Firewall authentication Success.
>>
>> Connection will be closed if remote server does not respond
>>
>> Connecting to remote server...
>>
>>
>>
>>
>>
>> User Access Verification
>>
>>
>>
>> Password:
>>
>> R2600>
>>
>>
>>
>> Debug from 3845:
>>
>> R3845(config)#
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
>>
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
>>
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
>>
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
>>
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
>>
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
>>
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
>>
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
>>
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
>>
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
>>
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
>>
>> *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
>>
>> *Apr 27 18:00:37.269:  AUTH-TELNET: Opening Server side
>>
>> *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
>>
>> *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
>>
>> *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
>> initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
>>
>> *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session:
>> initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23)
>> sent 74 bytes
>>
>> R3845(config)#
>>
>>
>>
>> RESULTS for telnet on 3023:
>>
>> R3845(config)#do clear ip auth-proxy cache *
>>
>>
>>
>> SW3750#telnet 77.77.77.26 3023
>>
>> Trying 77.77.77.26, 3023 ... Open
>>
>>
>>
>>
>>
>> User Access Verification
>>
>>
>>
>> Password:
>>
>> R2600>
>>
>>
>>
>> Logs from 3845 verifying telnet inspection:
>>
>> R3845(config)#
>>
>> *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
>> initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
>>
>> *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session:
>> initiator (192.168.35.9:57857) sent 67 bytes -- responder
>> (77.77.77.26:3023) sent 86 bytes
>>
>>
>>
>> As shown telnet on 3023 bypasses auth-proxy entirely.
>>
>>
>>
>> Thanks for any input.
>>
>>
>>
>>
>>
>>
>>
>>

>>
>>
>>
>>
>>
>>
>>
>>
>>
>

--
Best Regards,

Tolulope.

 

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
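The point the thread settles on (ip port-map feeds CBAC/ZBF inspection, ip nbar port-map feeds only NBAR/MQC classification, and the two are separate tables) is easy to get wrong in a real config. The audit below is an added example, not code from any of the posters: it reads an IOS config and reports, for every protocol that CBAC or a ZBF inspect class-map inspects, which non-standard ports the inspection table actually covers and which exist only in the NBAR table. The sample config is constructed, and the parser assumes the command shapes shown in the thread plus the `ip nbar port-map <proto> tcp <port...>` form.

```python
import re
from collections import defaultdict

# Constructed sample config (not taken from the thread). It deliberately puts
# the same protocol in both tables so the audit has something to flag.
SAMPLE_CONFIG = """\
ip nbar port-map http tcp 1234
ip port-map http port tcp 8088
ip port-map telnet port tcp 3023
ip inspect name watch_telnet telnet audit-trail on
class-map type inspect match-any FW-APPS
 match protocol http
 match protocol smtp
class-map match-any QOS-WEB
 match protocol http
"""

# Command shapes assumed here: "ip port-map <proto> port <tcp|udp> <port>"
# (as posted in the thread) and "ip nbar port-map <proto> <tcp|udp> <port...>".
PORT_MAP = re.compile(r"^ip port-map (\S+) port (tcp|udp) (\d+)")
NBAR_MAP = re.compile(r"^ip nbar port-map (\S+) (tcp|udp) ((?:\d+\s*)+)")
CBAC = re.compile(r"^ip inspect name \S+ (\S+)")
CMAP = re.compile(r"^class-map( type inspect)?\b")
MATCH = re.compile(r"^\s+match protocol (\S+)")


def audit(config):
    """Per protocol that CBAC or ZBF inspects, list the non-standard ports
    inspection will actually see (ip port-map) and the ports that exist only
    in the NBAR table, which inspection never consults."""
    inspect_ports = defaultdict(set)   # proto -> {(l4, port)} for inspection
    nbar_ports = defaultdict(set)      # proto -> {(l4, port)} for NBAR/MQC
    inspected = set()                  # protocols named by CBAC or ZBF
    in_inspect_cmap = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_inspect_cmap = False    # a new top-level command ends the block
        if m := PORT_MAP.match(line):
            inspect_ports[m[1]].add((m[2], int(m[3])))
        elif m := NBAR_MAP.match(line):
            nbar_ports[m[1]].update((m[2], int(p)) for p in m[3].split())
        elif m := CBAC.match(line):
            inspected.add(m[1])
        elif m := CMAP.match(line):
            in_inspect_cmap = m[1] is not None   # plain class-map is QoS/MQC
        elif (m := MATCH.match(line)) and in_inspect_cmap:
            inspected.add(m[1])
    return {
        proto: {
            "port_map": sorted(inspect_ports[proto]),
            "nbar_only": sorted(nbar_ports[proto] - inspect_ports[proto]),
        }
        for proto in sorted(inspected)
    }
```

Running audit(SAMPLE_CONFIG) reports http as inspected on tcp/8088 with tcp/1234 flagged as NBAR-only, telnet as inspected on tcp/3023, and smtp on its standard port only; the QoS class-map's match protocol line is ignored because it is not an inspect-type class-map.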
