Kings,

Your statements below are correct.

> For both CBAC or ZBF, ip port-map should be used for matching protocols on
> non-standard ports.
>
> ip nbar port-map can't be used for ZBF.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Apr 28, 2010, at 7:31 AM, Kingsley Charles <[email protected]> wrote:

> Hi Tyson
>
> For both CBAC or ZBF, ip port-map should be used for matching protocols on
> non-standard ports.
>
> ip nbar port-map can't be used for ZBF.
>
> I was just telling, the technique that is being used by "match protocol" of
> class-type inspect uses NBAR architecture to recognize the traffic.
>
> That was my understanding till now :-)
>
> With regards
> Kings
>
> On Wed, Apr 28, 2010 at 7:07 PM, Tyson Scott <[email protected]> wrote:
>
> What is the command to map a non-standard port to a protocol in each instance?
>
> What is it for NBAR?
>
> What is it for inspection?
>
> The answer is right there. You just have to sum it up.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Wednesday, April 28, 2010 9:26 AM
> To: Tolulope Ogunsina
> Cc: Tyson Scott; [email protected]
> Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>
> Hi Tolupe
>
> I agree totally with you and Tyson.
>
> Initially Cisco brought the MQC i.e., the C3PL structure for QoS which didn't
> have NBAR. After some time NBAR was introduced for QoS MQC.
>
> NBAR is Network Based Application Recognition that is used to classify
> traffic. PDLM can be used, if you need more classifications.
>
> Then Cisco brought the ZBF that also used C3PL structure. Hence I thought
> this too uses the NBAR.
>
> NBAR is not a QoS functionality; rather it is an IOS feature that is used for
> identifying traffic patterns.
>
> Maybe I am wrong. I will check it out.
>
> I agree nbar port-map doesn't work with ZBF. But then how do we ZBF inspect
> standard protocols on non-standard ports like http on port 1234? I thought
> port-map would solve this issue, as it was used for the inspect-based firewall.
>
> With regards
> Kings
>
> On Wed, Apr 28, 2010 at 6:19 PM, Tolulope Ogunsina <[email protected]> wrote:
>
> Hi Kings,
> No it doesn't.
> The match protocol command in the type inspect class-maps is quite
> different from the match protocol in the regular L3 class maps.
> The former only selects which protocol to activate inspection on
> (since it's an inspection type class-map) and it has nothing to do
> with NBAR. The latter is used for protocol classification with NBAR.
> In summary, NBAR port map doesn't work with ZBF.
>
> On 4/28/10, Kingsley Charles <[email protected]> wrote:
> > Hi Tyson
> >
> > Please find the ZBF MQC below: Doesn't protocol
> > classification/identification use NBAR?
> >
> > router(config)#class-map type inspect fw
> > router(config-cmap)#match protocol ?
> >
> > With regards
> > Kings
> >
> > On Wed, Apr 28, 2010 at 6:07 PM, Tyson Scott <[email protected]> wrote:
> >
> >> NBAR is not used by ZFW.
> >>
> >> NBAR uses the format "ip nbar port-map xxxx"
> >>
> >> When you map a protocol with ZFW how do you do it?
> >>
> >> Regards,
> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>
> >> *From:* Kingsley Charles [mailto:[email protected]]
> >> *Sent:* Wednesday, April 28, 2010 7:49 AM
> >> *To:* Tyson Scott
> >> *Cc:* Roger Cheeks; [email protected]
> >> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> >>
> >> Hi Tyson
> >>
> >> We use NBAR with ZBF MQC. Let's say I configure a class type
> >> inspect with "match protocol http" and need to also match http traffic on
> >> 1234. For that we need to use port map, right?
> >>
> >> With regards
> >> Kings
> >>
> >> On Wed, Apr 28, 2010 at 9:53 AM, Tyson Scott <[email protected]> wrote:
> >>
> >> Kingsley,
> >>
> >> Not to be nitpicky but port-map is used for inspection policies, NBAR uses
> >> nbar port-mapping which is used by the MQC. Two separate features.
> >>
> >> Want to make sure everyone understands the difference. Not trying to beat
> >> a dead horse.
> >>
> >> Regards,
> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>
> >> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
> >> *Sent:* Wednesday, April 28, 2010 12:04 AM
> >> *To:* Roger Cheeks
> >> *Cc:* [email protected]
> >> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> >>
> >> port-map is used to add new ports for application identification for NBAR
> >> and CBAC. It can't be used as an additional port for the IOS services
> >> as such.
> >>
> >> For example, if you need to add a port for telnet, either you can use NAT or
> >> rotary (ports 3000, 5000).
> >>
> >> With regards
> >> King
> >>
> >> On Wed, Apr 28, 2010 at 3:09 AM, Roger Cheeks <[email protected]> wrote:
> >>
> >> Thanks all,
> >>
> >> I was only able to get telnet to work by NATing on the device upstream from
> >> the auth-proxy device so the auth-proxy router just saw the traffic as
> >> regular telnet.
> >>
> >> Great info!
> >>
> >> 2010/4/27 Mohamed Gazzaz <[email protected]>
> >>
> >> Hi Roger,
> >>
> >> I am not sure about Telnet but I was able to get Auth-Proxy to work on
> >> non-standard ports for HTTP and HTTPS.
> >>
> >> Here is what I added in addition to the default Auth-Proxy configuration.
> >>
> >> ip port-map http port tcp 8088
> >> ip port-map https port tcp 5796
> >>
> >> ip http server
> >> ip http port 8088
> >> ip http secure-server
> >> ip http secure-port 5796
> >>
> >> After that, try http://(Server's ip address):8088 or
> >> https://(Server's ip address):5796
> >>
> >> Regards,
> >> Mohamed Gazzaz
> >> ------------------------------
> >>
> >> From: [email protected]
> >> To: [email protected]
> >> Date: Tue, 27 Apr 2010 16:50:25 -0400
> >> CC: [email protected]
> >> Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> >>
> >> The first option will work for HTTP. Not sure on telnet working with a
> >> separate port.
> >>
> >> Regards,
> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>
> >> *From:* Roger Cheeks [mailto:[email protected]]
> >> *Sent:* Tuesday, April 27, 2010 3:50 PM
> >> *To:* Tyson Scott
> >> *Cc:* OSL Security
> >> *Subject:* Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> >>
> >> Just as an FYI - neither of those solutions worked. I'm going to read some
> >> to see if this is a supported feature.
> >>
> >> Thanks
> >>
> >> On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:
> >>
> >> Second option is to use a NAT statement to redirect 3023 to 23 on the
> >> router. But try the first thing.
> >>
> >> Regards,
> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>
> >> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Roger Cheeks
> >> *Sent:* Tuesday, April 27, 2010 1:58 PM
> >> *To:* OSL Security
> >> *Subject:* [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
> >>
> >> Has anyone ever gotten this to work for http or telnet? This is a little
> >> long, sorry for that.
> >>
> >> Topology
> >>
> >> SW1 <-> R3845 <-> R2600
> >>
> >> Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from
> >> SW1
> >>
> >> Switch info...
> >>
> >> SW3750(config)#siib | i 35
> >> Vlan35 192.168.35.9 YES NVRAM up up
> >>
> >> Security Router configurations...
> >>
> >> hostname R3845
> >> aaa new-model
> >> aaa authentication login no_aaa none
> >> aaa authentication login local_aaa local
> >> aaa authorization auth-proxy default local
> >>
> >> username aptest privilege 15 password 0 apworkplease
> >>
> >> ip port-map telnet port tcp 3023
> >> ip inspect name watch_telnet telnet audit-trail on
> >> ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
> >>
> >> interface GigabitEthernet0/0
> >> ip address 192.168.35.254 255.255.255.0
> >> ip inspect watch_telnet in
> >> ip auth-proxy SW1-Proxy
> >> ip virtual-reassembly
> >>
> >> interface GigabitEthernet0/1
> >> ip address 77.77.77.254 255.255.255.0
> >> ip virtual-reassembly
> >>
> >> access-list 102 permit tcp host 192.168.35.9 any eq telnet
> >> access-list 102 permit tcp host 192.168.35.9 any eq 3023
> >>
> >> Target router...
> >>
> >> hostname R2600-H
> >> interface FastEthernet0/0
> >> ip address 77.77.77.26 255.255.255.0
> >>
> >> line vty 0 4
> >> exec-timeout 60 0
> >> password cisco
> >> login
> >> rotary 23
> >>
> >> RESULTS for straight telnet:
> >>
> >> SW3750#telnet 77.77.77.26
> >> Trying 77.77.77.26 ... Open
> >>
> >> Firewall authentication
> >> Username:aptest
> >> Password:
> >> Firewall authentication Success.
> >> Connection will be closed if remote server does not respond
> >> Connecting to remote server...
> >>
> >> User Access Verification
> >>
> >> Password:
> >> R2600>
> >>
> >> Debug from 3845:
> >>
> >> R3845(config)#
> >> *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
> >> *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
> >> *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
> >> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
> >> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
> >> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
> >> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
> >> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
> >> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
> >> *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
> >> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
> >> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
> >> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
> >> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
> >> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
> >> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
> >> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
> >> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
> >> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
> >> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
> >> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
> >> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
> >> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
> >> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
> >> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
> >> *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
> >> *Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
> >> *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
> >> *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
> >> *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
> >> *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
> >> R3845(config)#
> >>
> >> RESULTS for telnet on 3023:
> >>
> >> R3845(config)#do clear ip auth-proxy cache *
> >>
> >> SW3750#telnet 77.77.77.26 3023
> >> Trying 77.77.77.26, 3023 ... Open
> >>
> >> User Access Verification
> >>
> >> Password:
> >> R2600>
> >>
> >> Logs from 3845 verifying telnet inspection:
> >>
> >> R3845(config)#
> >> *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
> >> *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
> >>
> >> As shown, telnet on 3023 bypasses auth-proxy entirely.
> >>
> >> Thanks for any input.
>
> --
> Best Regards,
>
> Tolulope.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
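Roger's logs show the detection problem behind the whole thread: the `%FW-6-SESS_AUDIT_TRAIL_START` line for port 3023 proves that `ip port-map` made CBAC recognise the session as telnet, but no `AUTH-PROXY` hand-off preceded it, so the session was inspected without being authenticated. The script below is an added example, not code from the thread or from Cisco; it correlates the two log sources so that an inspected session of a proxied protocol with no matching auth-proxy server-side open is flagged. It assumes the `srcaddr`/`dstaddr of server side` debug lines and the audit-trail line format exactly as quoted above, and it matches on the address pair only, because the auth-proxy debug does not print ports. The sample log is a constructed copy of the R3845 lines from Roger's post.

```python
"""Flag firewall-inspected sessions that were never handed off by IOS auth-proxy.

Added example (not from the original thread). Assumes the IOS log formats quoted
in the thread: 'AUTH-PROXY:srcaddr/dstaddr of server side is <ip>' debug lines and
'%FW-6-SESS_AUDIT_TRAIL_START' audit-trail messages.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the relevant R3845 lines from the thread. The first telnet
# session (port 23) was authenticated by auth-proxy; the second (port 3023) was
# recognised as telnet by inspection but never saw an auth-proxy hand-off.
SAMPLE_LOG = """\
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

SESS_START = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)
AP_SRC = re.compile(r"AUTH-PROXY:srcaddr of server side is (?P<src>[\d.]+)")
AP_DST = re.compile(r"AUTH-PROXY:dstaddr of server side is (?P<dst>[\d.]+)")

# Protocols auth-proxy can intercept on IOS (hypothetical default; adjust to the
# 'ip auth-proxy name ... <proto>' rules actually configured on the router).
PROXIED_PROTOCOLS = ("telnet", "http", "https")


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    authenticated: bool  # an auth-proxy hand-off for this src/dst pair preceded it
    bypassed: bool       # proxied protocol, yet no hand-off: the gap in the thread


def audit_sessions(log: str, proxied=PROXIED_PROTOCOLS) -> List[Session]:
    """Walk the log once, pairing auth-proxy server-side opens with session starts."""
    pending_src = None
    pending: List[Tuple[str, str]] = []  # (src, dst) pairs authenticated, not yet matched
    sessions: List[Session] = []
    for line in log.splitlines():
        if m := AP_SRC.search(line):
            pending_src = m["src"]
        elif m := AP_DST.search(line):
            # The debug prints srcaddr then dstaddr; together they identify the hand-off.
            if pending_src is not None:
                pending.append((pending_src, m["dst"]))
                pending_src = None
        elif m := SESS_START.search(line):
            key = (m["src"], m["dst"])
            authenticated = key in pending
            if authenticated:
                pending.remove(key)  # each hand-off covers exactly one session
            needs_auth = m["proto"] in proxied
            sessions.append(Session(
                m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                authenticated, bypassed=needs_auth and not authenticated,
            ))
    return sessions


def bypassed_sessions(sessions: List[Session]) -> List[Session]:
    """Return only the sessions that should have been authenticated but were not."""
    return [s for s in sessions if s.bypassed]


if __name__ == "__main__":
    for s in bypassed_sessions(audit_sessions(SAMPLE_LOG)):
        print(f"UNAUTHENTICATED {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

Run against Roger's output, the port-23 session is matched to the preceding `srcaddr`/`dstaddr` pair and the port-3023 session is reported as unauthenticated, which is exactly the bypass he observed. Feeding the router's syslog and `debug ip auth-proxy` output through this after adding any `ip port-map` entry gives a quick check that the mapped port is authenticated and not merely inspected.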
