Transport layer protocols identify higher-layer traffic with 16-bit fields called port numbers. A connection between two devices uses a source port and a destination port, both carried in the transport-layer header of each protocol data unit. Figure A-3 shows the User Datagram Protocol (UDP) header format, with the source and destination port fields shaded. Figure A-4 shows the Transmission Control Protocol (TCP) header format, with the source and destination port fields shaded.
Usually, a port assignment uses the same port number for both UDP and TCP. A connection from a client to a server uses the well-known port on the server as the service contact port, while the client dynamically assigns its own (ephemeral) source port. For TCP, a connection is identified by the source and destination IP addresses together with the source and destination TCP port numbers; UDP carries no connection state of its own, but a stateful firewall tracks UDP flows by the same address and port tuple.
Cisco firewalls accept keywords in place of port numbers when a TCP or UDP port is specified in an access list. Table A-3 lists these keywords with their port numbers and the protocol or protocols each keyword is valid for. A keyword is accepted only with the protocol(s) marked applicable: for example, syslog names UDP port 514, while cmd names TCP port 514.
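The header layouts of Figures A-3 and A-4 are what a firewall reads to find the ports it matches against an access list. The following is an added example, not code from the book: it pulls the source and destination ports out of raw UDP and TCP headers, validates the length and data-offset fields before trusting them, builds the tuple a stateful firewall keys its connection table on, and guesses which end is the service contact port (the one in the system port range 0-1023). The two sample segments are constructed here, not captured traffic, and the IP addresses passed to connection_tuple are assumed.

```python
import struct
from typing import NamedTuple, Optional

# Ports 0-1023 are the "system" (well-known) range a server listens on;
# a client normally picks a dynamic source port above it.
SYSTEM_PORT_MAX = 1023


class TransportPorts(NamedTuple):
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int
    header_len: int  # bytes of header that precede the payload


def parse_udp(segment: bytes) -> TransportPorts:
    """Read the port fields of a UDP header (Figure A-3 order: src, dst, length, checksum)."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _checksum = struct.unpack("!HHHH", segment[:8])
    # The length field covers header + payload; only trust it if the buffer really holds that much.
    if length < 8 or length > len(segment):
        raise ValueError(f"UDP length field {length} inconsistent with {len(segment)} bytes present")
    return TransportPorts("udp", src, dst, 8)


def parse_tcp(segment: bytes) -> TransportPorts:
    """Read the port fields of a TCP header (Figure A-4); honours the data offset so options are skipped."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (offset_flags >> 12) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"TCP data offset of {header_len} bytes is invalid for this segment")
    return TransportPorts("tcp", src, dst, header_len)


def connection_tuple(src_ip: str, dst_ip: str, ports: TransportPorts) -> tuple:
    """The protocol/address/port tuple a stateful firewall uses to identify a connection or flow."""
    return (ports.protocol, src_ip, ports.src_port, dst_ip, ports.dst_port)


def service_port(ports: TransportPorts) -> Optional[int]:
    """Guess the service contact port: the end in the system range, if exactly one end is."""
    known = [p for p in (ports.src_port, ports.dst_port) if p <= SYSTEM_PORT_MAX]
    return known[0] if len(known) == 1 else None


# Constructed sample segments (not captured traffic): a TCP SYN to HTTPS and a UDP DNS query.
TCP_SYN = struct.pack("!HHIIHHHH", 51514, 443, 0x1A2B3C4D, 0, (5 << 12) | 0x02, 65535, 0, 0)
DNS_PAYLOAD = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
UDP_DNS = struct.pack("!HHHH", 53011, 53, 8 + len(DNS_PAYLOAD), 0) + DNS_PAYLOAD

if __name__ == "__main__":
    # Assumed addresses for the two sample segments.
    for src_ip, dst_ip, seg, parser in (("10.0.0.5", "192.0.2.10", TCP_SYN, parse_tcp),
                                        ("10.0.0.5", "192.0.2.53", UDP_DNS, parse_udp)):
        ports = parser(seg)
        print(connection_tuple(src_ip, dst_ip, ports), "service port:", service_port(ports))
```

Both parsers reject a segment whose length or data-offset field points past the bytes actually present; a decoder that trusts those fields blindly is the classic way to read beyond a buffer.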
Table A-3. Cisco Firewall Keywords for IP Ports
Port | UDP-Applicable? | TCP-Applicable? | Firewall Keyword | UDP/TCP Protocol Description |
---|---|---|---|---|
7 | Yes | Yes | echo | Echo |
9 | Yes | Yes | discard | Discard |
13 | No | Yes | daytime | Day time, RFC 867 |
19 | No | Yes | chargen | Character generator |
20 | No | Yes | ftp-data | File Transfer Protocol (FTP), data port |
21 | No | Yes | ftp | File Transfer Protocol (FTP), control port |
22 | No | Yes | ssh | Secure Shell (SSH) |
23 | No | Yes | telnet | Telnet, RFC 854 |
25 | No | Yes | smtp | Simple Mail Transfer Protocol (SMTP) |
37 | Yes | No | time | Time protocol |
42 | Yes | No | nameserver | Host Name Server |
43 | No | Yes | whois | Who Is |
49 | Yes | Yes | tacacs | Terminal Access Controller Access Control System Plus (TACACS+) |
53 | Yes | Yes | domain | Domain Name System (DNS) |
67 | Yes | No | bootps | Bootstrap Protocol (BOOTP) server |
68 | Yes | No | bootpc | Bootstrap Protocol (BOOTP) client |
69 | Yes | No | tftp | Trivial File Transfer Protocol (TFTP) |
70 | No | Yes | gopher | Gopher |
79 | No | Yes | finger | Finger |
80 | No | Yes | www | Hypertext Transfer Protocol (HTTP) |
101 | No | Yes | hostname | Host name server |
109 | No | Yes | pop2 | Post Office Protocol (POP), version 2 |
110 | No | Yes | pop3 | Post Office Protocol (POP), version 3 |
111 | Yes | Yes | sunrpc (rpc) | Sun Remote Procedure Call (RPC) |
113 | No | Yes | ident | Ident authentication service |
119 | No | Yes | nntp | Network News Transfer Protocol (NNTP) |
123 | Yes | No | ntp | Network Time Protocol (NTP) |
137 | Yes | No | netbios-ns | NetBIOS Name Service |
138 | Yes | No | netbios-dgm | NetBIOS Datagram Service |
139 | No | Yes | netbios-ssn | NetBIOS Session Service |
143 | No | Yes | imap4 | Internet Message Access Protocol (IMAP), version 4 |
161 | Yes | No | snmp | Simple Network Management Protocol (SNMP) |
162 | Yes | No | snmptrap | Simple Network Management Protocol (SNMP) trap |
177 | Yes | No | xdmcp | X Display Manager Control Protocol (XDMCP) |
179 | No | Yes | bgp | Border Gateway Protocol (BGP) |
194 | No | Yes | irc | Internet Relay Chat (IRC) protocol |
195 | Yes | No | dnsix | DNSIX Session Management Module Audit Redirector |
389 | No | Yes | ldap | Lightweight Directory Access Protocol (LDAP) |
434 | Yes | No | mobile-ip | MobileIP-Agent |
443 | No | Yes | https | Hypertext Transfer Protocol over SSL/TLS |
496 | Yes | Yes | pim-auto-rp | Protocol-Independent Multicast (PIM) autodiscovery |
500 | Yes | No | isakmp | Internet Security Association and Key Management Protocol (ISAKMP; UDP only) |
512 | Yes | No | biff | New mail notification for UNIX-based mail systems |
512 | No | Yes | exec | Remote process execution |
513 | No | Yes | login | Remote login |
513 | Yes | No | who | Who |
514 | No | Yes | cmd | Remote process execution with automatic authentication |
514 | Yes | No | syslog | System log |
515 | No | Yes | lpd | Line Printer Daemon (LPD) |
517 | Yes | Yes | talk | Talk |
520 | Yes | No | rip | Routing Information Protocol (RIP) |
540 | No | Yes | uucp | UNIX-to-UNIX Copy Program (UUCP) |
543 | No | Yes | klogin | Kerberos-authenticated remote login (klogin) |
544 | No | Yes | kshell | Kerberos-authenticated remote shell (kshell, krcmd); not the Korn shell |
636 | No | Yes | ldaps | Lightweight Directory Access Protocol (LDAP) over SSL/TLS |
750 | Yes | Yes | kerberos | Kerberos (version 4 port; Kerberos V uses port 88, which this keyword does not match) |
1352 | No | Yes | lotusnotes | IBM Lotus Notes |
1494 | No | Yes | citrix-ica | Citrix Independent Computing Architecture (ICA) |
1521 | No | Yes | sqlnet | Oracle SQL*Net (database listener) |
1645 | Yes | No | radius | Remote Authentication Dial-In User Service (RADIUS) authentication; obsolete; moved to 1812 |
1646 | Yes | No | radius-acct | Remote Authentication Dial-In User Service (RADIUS) accounting; obsolete; moved to 1813 |
1720 | No | Yes | h323 | H.323 call signaling |
1723 | No | Yes | pptp | Point-to-Point Tunneling Protocol (PPTP) |
2748 | No | Yes | ctiqbe | Computer Telephony Interface Quick Buffer Encoding (CTIQBE) |
5190 | No | Yes | aol | America Online (AOL) |
5510 | Yes | No | secureid-udp | SecurID over UDP |
5631 | No | Yes | pcanywhere-data | pcAnywhere data |
5632 | Yes | No | pcanywhere-status | pcAnywhere status |
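Because the same number can stand for different services under TCP and UDP (512, 513 and 514 each appear twice above), a keyword is only meaningful together with the protocol of the access-list entry. The following is an added example, not code from the book or from Cisco: a small checker that parses ASA-style extended access-list entries (the form access-list NAME extended permit|deny tcp|udp SRC [op PORT] DST [op PORT], which is assumed here), resolves keywords to numbers from a constructed subset of Table A-3, and flags entries that use a keyword with a protocol it is not valid for or a keyword the table does not know. It is meant for reviewing ACLs generated or exported as text; the sample entries are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of Table A-3 as keyword -> (port, protocols the keyword is valid for).
# Constructed for this example; the whole table can be loaded the same way.
PORT_KEYWORDS = {
    "ssh":      (22,   {"tcp"}),
    "domain":   (53,   {"tcp", "udp"}),
    "tftp":     (69,   {"udp"}),
    "www":      (80,   {"tcp"}),
    "ntp":      (123,  {"udp"}),
    "snmp":     (161,  {"udp"}),
    "https":    (443,  {"tcp"}),
    "isakmp":   (500,  {"udp"}),
    "biff":     (512,  {"udp"}),
    "exec":     (512,  {"tcp"}),
    "cmd":      (514,  {"tcp"}),
    "syslog":   (514,  {"udp"}),
    "kerberos": (750,  {"tcp", "udp"}),
    "radius":   (1645, {"udp"}),
}

PortRange = Tuple[int, int]


def resolve_port(token: str, proto: str) -> int:
    """Map a port token (keyword or number) to a number; reject keywords not valid for proto."""
    if token.isdigit():
        n = int(token)
        if n > 65535:
            raise ValueError(f"port {n} out of range")
        return n
    entry = PORT_KEYWORDS.get(token)
    if entry is None:
        raise ValueError(f"unknown port keyword {token!r}")
    port, protos = entry
    if proto not in protos:
        raise ValueError(f"{token!r} is {'/'.join(sorted(protos))}-only but the ACE protocol is {proto}")
    return port


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    src_ports: Optional[PortRange]
    dst: str
    dst_ports: Optional[PortRange]


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    # host A.B.C.D, object NAME, object-group NAME, or NETWORK MASK: two tokens in each case
    return f"{t} {tokens[i + 1]}", i + 2


def _checked(lo: int, hi: int) -> PortRange:
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range {lo}-{hi} is empty or out of range")
    return (lo, hi)


def _take_ports(tokens: List[str], i: int, proto: str) -> Tuple[Optional[PortRange], int]:
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op == "eq":
        p = resolve_port(tokens[i + 1], proto)
        return _checked(p, p), i + 2
    if op == "lt":
        return _checked(0, resolve_port(tokens[i + 1], proto) - 1), i + 2
    if op == "gt":
        return _checked(resolve_port(tokens[i + 1], proto) + 1, 65535), i + 2
    if op == "range":
        lo, hi = resolve_port(tokens[i + 1], proto), resolve_port(tokens[i + 2], proto)
        return _checked(lo, hi), i + 3
    if op == "neq":
        raise ValueError("neq is not a single range; express it as lt/gt entries")
    return None, i  # no port operator here: the token belongs to the next field


def parse_ace(line: str) -> Ace:
    """Parse one tcp/udp extended ACE and normalize its port keywords to numbers."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] not in ("tcp", "udp"):
        raise ValueError("not a tcp/udp extended ACE")
    acl, action, proto = t[1], t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    src, i = _take_addr(t, 5)
    src_ports, i = _take_ports(t, i, proto)
    dst, i = _take_addr(t, i)
    dst_ports, i = _take_ports(t, i, proto)   # anything after this (e.g. "log") is ignored
    return Ace(acl, action, proto, src, src_ports, dst, dst_ports)


def lint(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, problem) pairs for entries that misuse a keyword or cannot be parsed."""
    problems = []
    for line in lines:
        try:
            parse_ace(line)
        except (ValueError, IndexError) as e:
            problems.append((line, str(e)))
    return problems
```

Running lint over an exported configuration surfaces the two mistakes the table is meant to prevent: a TCP-only keyword such as ssh in a udp entry, and a keyword that simply does not exist. Normalizing ports to numbers also makes entries comparable with rules written for other vendors, where the keyword vocabulary differs.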