Inspecting Applications on Different Port Numbers

Problem

You want to use Application Layer inspection rules for an application running on a nonstandard port.

Solution

To map a nonstandard port to an application with Port-to-Application Mapping (PAM), use the ip port-map command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end  
Router1#


Discussion

When configuring CBAC-supported applications, it is sometimes useful to map nonstandard ports to the applications themselves. For example, CBAC can inspect HTTP packets, but by default the router assumes that every HTTP server listens on TCP port 80. In the next example, we configure CBAC to inspect HTTP sessions:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name HTTPACCESS http 
Router1(config)#end  
Router1#

What happens if someone runs an HTTP server on a nonstandard port such as 8000? CBAC will not recognize the session as HTTP, so the HTTP inspection rule is never applied to it. By using Port-to-Application Mapping (PAM) you can map port 8000 to the HTTP application, and CBAC will then inspect those sessions with its HTTP rules.

In the Solution section, we mapped port 8000 to the HTTP application using PAM. If we display the PAM configuration afterwards, we see that port 8000 is now mapped accordingly:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined

Router1#

The drawback of a generic port mapping like this one is that CBAC now treats all traffic destined for TCP port 8000, to any host, as HTTP traffic. A non-HTTP service that happens to listen on that port anywhere behind the router would be inspected with the HTTP rules as well, which is rarely what you want. PAM also lets you restrict the scope of a mapping with a simple standard ACL. By using an ACL to define the scope, you can state exactly which servers use which nonstandard ports.

In our next example, we configure PAM to treat port 8080 as HTTP, but only on server 10.1.2.14. CBAC then applies its HTTP rules only to packets destined for port 8080 on 10.1.2.14; port 8080 on any other host is unaffected:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22 
Router1(config)#end  
Router1#

So now when we view the PAM configuration, we see that ports 80 and 8000 are mapped to HTTP for all hosts, while port 8080 is mapped to HTTP only for the host(s) in ACL 22:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined

Router1#
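The two kinds of mapping discussed above (a generic user-defined mapping that applies to every host, and a host-specific mapping scoped by a standard ACL) can be worked through as an added example. The Python below is not code from the Cisco IOS Cookbook or from IOS: it parses show ip port-map output in the format this recipe shows, parses the standard ACLs the output refers to, and reproduces the lookup CBAC performs when classifying a destination, with the host-specific entry taking precedence for the hosts its ACL permits and the default entry applying otherwise. It also flags generic user-defined mappings, the case the text warns about. ACL 22, host 10.1.2.14 and ports 8000 and 8080 come from the recipe; ACL 23, the 10.1.3.0/24 subnet, the ssh override on port 8000 and the hosts 10.1.2.99 and 10.1.3.5 are constructed for the example.

```python
"""Model of how CBAC resolves a destination to an application through PAM.

Added example, not code from the Cisco IOS Cookbook. Parses 'show ip port-map'
output in the format this recipe shows, plus the standard ACLs it references,
and applies the lookup rule: a host-specific (ACL-scoped) mapping wins for the
hosts its ACL permits, otherwise the default mapping for that port applies.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output. The first three lines are the recipe's mappings;
# the ssh entry on port 8000 scoped by ACL 23 is an assumption added to show a
# host-specific mapping overriding the generic user-defined one.
SHOW_IP_PORT_MAP = """\
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined
Host specific: ssh tcp port 8000 in list 23 user defined
"""

# Constructed standard ACLs. ACL 22 is from the recipe; ACL 23 is assumed.
ACL_CONFIG = """\
access-list 22 permit host 10.1.2.14
access-list 23 permit 10.1.3.0 0.0.0.255
"""

_MAP_RE = re.compile(
    r"^(?:Default mapping|Host specific): (?P<app>\S+) (?P<proto>tcp|udp) port "
    r"(?P<port>\d+)(?: in list (?P<acl>\d+))? (?P<origin>system|user) defined$"
)
_ACL_RE = re.compile(r"^access-list (?P<num>\d+) permit (?P<rest>.+)$")


@dataclass(frozen=True)
class PortMap:
    app: str
    proto: str
    port: int
    acl: Optional[str]      # None for a default mapping (applies to every host)
    user_defined: bool


def parse_port_map(text):
    """Parse 'show ip port-map' lines into PortMap entries (other lines skipped)."""
    entries = []
    for line in text.splitlines():
        m = _MAP_RE.match(line.strip())
        if m:
            entries.append(PortMap(m["app"], m["proto"], int(m["port"]),
                                   m["acl"], m["origin"] == "user"))
    return entries


def parse_standard_acls(text):
    """Parse standard ACL permit lines into {acl_number: [IPv4Network, ...]}."""
    acls = {}
    for line in text.splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            continue
        words = m["rest"].split()
        if words[0] == "host":
            net = ipaddress.ip_network(words[1])
        elif words[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # 'addr wildcard' form: a contiguous wildcard mask is the inverse of a netmask.
            wildcard = int(ipaddress.IPv4Address(words[1]))
            if wildcard & (wildcard + 1):
                raise ValueError(f"non-contiguous wildcard mask: {words[1]}")
            prefixlen = 32 - wildcard.bit_length()
            net = ipaddress.ip_network(f"{words[0]}/{prefixlen}", strict=False)
        acls.setdefault(m["num"], []).append(net)
    return acls


def resolve_application(entries, acls, dst_ip, proto, dst_port):
    """Return the application CBAC would inspect this destination as, or None."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [e for e in entries if e.proto == proto and e.port == dst_port]
    # Host-specific mappings take precedence for the hosts their ACL permits.
    for e in matches:
        if e.acl is not None and any(ip in net for net in acls.get(e.acl, [])):
            return e.app
    # Otherwise fall back to the default mapping for the port, if any.
    for e in matches:
        if e.acl is None:
            return e.app
    return None


def broad_user_mappings(entries):
    """User-defined mappings without an ACL: every host on that port is inspected as the app."""
    return [e for e in entries if e.user_defined and e.acl is None]


if __name__ == "__main__":
    entries = parse_port_map(SHOW_IP_PORT_MAP)
    acls = parse_standard_acls(ACL_CONFIG)
    # 10.1.2.99 and 10.1.3.5 are assumed hosts that do not appear in the recipe.
    for ip, port in [("10.1.2.14", 8080), ("10.1.2.99", 8080),
                     ("10.1.2.99", 8000), ("10.1.3.5", 8000)]:
        print(f"{ip}:{port} -> {resolve_application(entries, acls, ip, 'tcp', port)}")
    for e in broad_user_mappings(entries):
        print(f"warning: generic user mapping {e.app} {e.proto}/{e.port} applies to all hosts")
```

Running the script shows 10.1.2.14:8080 resolving to http while 10.1.2.99:8080 resolves to nothing, 10.1.2.99:8000 resolving to http through the generic mapping, and 10.1.3.5:8000 resolving to ssh because the assumed host-specific entry wins for that subnet. The warning printed for the generic port 8000 mapping is the check worth running against a real show ip port-map capture before trusting a PAM configuration.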

Table 27-4 shows some of the common CBAC-supported protocols that are eligible for use with PAM.

Table 27-4. Cisco-defined port mapping

Application name   Well-known port   Description
cuseeme            7648              CU-SeeMe Protocol
exec               512               Remote process execution
ftp                21                File Transfer Protocol
h323               1720              H.323 Protocol
http               80                Hypertext Transfer Protocol
login              513               Remote login
msrpc              135               Microsoft Remote Procedure Call
netshow            1755              Microsoft NetShow
real-audio-video   7070              RealAudio and RealVideo
sccp               2000              Skinny Client Control Protocol
smtp               25                Simple Mail Transfer Protocol
sql-net            1521              SQL-NET
streamworks        1558              StreamWorks Protocol
sunrpc             111               Sun Remote Procedure Call
tftp               69                Trivial File Transfer Protocol
vdolive            7000              VDOLive Protocol

For a complete and up-to-date list of the applications PAM supports on your router, use the following command. Keep in mind that Cisco adds newly supported applications over time, so the list varies by IOS version:

Router1(config)#ip port-map ?
 802-11-iapp IEEE 802.11 WLANs WG IAPP
 WORD User defined application name. Use prefix 'user-'
 ace-svr ACE Server/Propagation
 aol America-Online
 appleqtc Apple QuickTime
 bgp Border Gateway Protocol
 bliff Bliff mail notification
 bootpc Bootstrap Protocol Client
 bootps Bootstrap Protocol Server
 cddbp CD Database Protocol
 cifs CIFS
 cisco-fna Cisco FNATIVE
 cisco-net-mgmt cisco-net-mgmt
 cisco-svcs cisco license/perf/GDP/X.25/ident svcs
 cisco-sys Cisco SYSMAINT
 cisco-tdp Cisco TDP
 cisco-tna Cisco TNATIVE
 citrix Citrix IMA/ADMIN/RTMP
 citriximaclient Citrix IMA Client
 clp Cisco Line Protocol
 creativepartnr Creative Partnr
 creativeserver Creative Server
 cuseeme CUSeeMe Protocol
 daytime Daytime (RFC 867)
 dbase dBASE Unix
 dbcontrol_agent Oracle dbControl Agent po
 ddns-v3 Dynamic DNS Version 3
 dhcp-failover DHCP Failover
 discard Discard port
 dns Domain Name Server
 dnsix DNSIX Securit Attribute Token Map
 echo Echo port
 entrust-svc-handler Entrust KM/Admin Service Handler
 entrust-svcs Entrust sps/aaas/aams
 exec Remote Process Execution
 fcip-port FCIP
 finger Finger
 ftp File Transfer Protocol
 ftps FTP over TLS/SSL
 gdoi GDOI
 giop Oracle GIOP/SSL
 gopher Gopher
 gtpv0 GPRS Tunneling Protocol Version 0
 gtpv1 GPRS Tunneling Protocol Version 1
 h323 H.323 Protocol (e.g., MS NetMeeting, Inte
 h323callsigalt h323 Call Signal Alternate
 h323gatestat h323gatestat
 hp-alarm-mgr HP Performance data alarm manager
 hp-collector HP Performance data collector
 hp-managed-node HP Performance data managed node
 hsrp Hot Standby Router Protocol
 http Hypertext Transfer Protocol
 https Secure Hypertext Transfer Protocol
 ica ica (Citrix)
 icabrowser icabrowser (Citrix)
 ident Authentication Service
 igmpv3lite IGMP over UDP for SSM
 imap Internet Message Access Protocol
 imap3 Interactive Mail Access Protocol 3
 imaps IMAP over TLS/SSL
 ipass IPASS
 ipsec-msft Microsoft IPsec NAT-T
 ipx IPX
 irc Internet Relay Chat Protocol
 irc-serv IRC-SERV
 ircs IRC over TLS/SSL
 ircu IRCU
 isakmp ISAKMP
 iscsi iSCSI
 iscsi-target iSCSI port
 kazaa KAZAA
 kerberos Kerberos
 kermit kermit
 l2tp L2TP/L2F
 ldap Lightweight Directory Access Protocol
 ldap-admin LDAP admin server port
 ldaps LDAP over TLS/SSL
 login Remote login
 lotusmtap Lotus Mail Tracking Agent Protocol
 lotusnote Lotus Note
 mgcp Media Gateway Control Protocol
 microsoft-ds Microsoft-DS
 ms-cluster-net MS Cluster Net
 ms-dotnetster Microsoft .NETster Port
 ms-sna Microsoft SNA Server/Base
 ms-sql Microsoft SQL
 ms-sql-m Microsoft SQL Monitor
 msexch-routing Microsoft Exchange Routing
 msrpc Microsoft Remote Procedure Call
 mysql MySQL
 n2h2server N2H2 Filter Service Port
 ncp-tcp NCP (Novell)
 net8-cman Oracle Net8 Cman/Admin
 netbios-dgm NETBIOS Datagram Service
 netbios-ns NETBIOS Name Service
 netbios-ssn NETBIOS Session Service
 netshow Microsoft NetShow
 netstat Variant of systat
 nfs Network File System
 nntp Network News Transport Protocol
 ntp Network Time Protocol
 oem-agent OEM Agent (Oracle)
 oracle Oracle
 oracle-em-vp Oracle EM/VP
 oraclenames Oracle Names
 orasrv Oracle SQL*Net v1/v2
 pcanywheredata pcANYWHEREdata
 pcanywherestat pcANYWHEREstat
 pop3 Post Office Protocol - Version 3
 pop3s POP3 over TLS/SSL
 pptp PPTP
 pwdgen Password Generator Protocol
 qmtp-tcp Quick Mail Transfer Protocol
 r-winsock remote-winsock
 radius RADIUS & Accounting
 rdb-dbs-disp Oracle RDB
 realmedia RealNetwork's Realmedia Protocol
 realsecure ISS Real Secure Console Service Port
 router Local Routing Process
 rsvd-tcp RSVD
 rsvp-encap RSVP ENCAPSULATION-1/2
 rsvp_tunnel RSVP Tunnel
 rtc-pm-port Oracle RTC-PM port
 rtelnet Remote Telnet Service
 rtsp Real Time Streaming Protocol
 send-tcp SEND
 shell Remote command
 sip Session Initiation Protocol
 sip-tls SIP-TLS
 skinny Skinny Client Control Protocol
 sms SMS RCINFO/XFER/CHAT
 smtp Simple Mail Transfer Protocol
 snmp Simple Network Management Protocol
 snmptrap SNMP Trap
 socks Socks
 sql-net SQL-NET
 sqlserv SQL Services
 sqlsrv SQL Service
 ssh SSH Remote Login Protocol
 sshell SSLshell
 ssp State Sync Protocol
 streamworks StreamWorks Protocol
 stun cisco STUN
 sunrpc SUN Remote Procedure Call
 syslog SysLog Service
 syslog-conn Reliable Syslog Service
 tacacs Login Host Protocol (TACACS)
 tacacs-ds TACACS-Database Service
 tarantella Tarantella
 telnet Telnet
 telnets Telnet over TLS/SSL
 tftp Trivial File Transfer Protocol
 time Time
 timed Time server
 tr-rsrb cisco RSRB
 ttc Oracle TTC/SSL
 uucp UUCPD/UUCP-RLOGIN
 vdolive VDOLive Protocol
 vqp VQP
 webster Network Disctionary
 who Who's service
 wins Microsoft WINS
 x11 X Window System
 xdmcp XDM Control Protocol

Router1(config)#


See Also

Recipe 27.2





Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505