Configuring Application Port-Mapping with CBAC

September 8, 2008 at 1:15 pm | Posted in Security | Leave a comment

Configuration

! Inbound ACL on the inside interface. Return traffic from the inside hosts
! would be dropped here; CBAC opens temporary entries ahead of this deny for
! each inspected session.
ip access-list extended INSIDE
deny   ip any any
!
! Standard ACL that identifies the hosts the port mapping applies to
access-list 99 permit 10.0.0.0 0.0.0.255
!
! Host-specific PAM: treat TCP 1023 and 6023 as telnet, but only for the
! hosts matched by access-list 99
ip port-map telnet port tcp 1023 list 99
ip port-map telnet port tcp 6023 list 99
!
! Inspection rule; the port map above lets it recognise telnet on the
! non-standard ports
ip inspect name INSPECT_TELNET telnet
!

interface Ethernet0/0
ip address 10.0.0.4 255.255.255.0
ip access-group INSIDE in
!
! Inspect traffic arriving on the outside (serial) interfaces
interface Serial0/0.1 point-to-point
ip inspect INSPECT_TELNET in
!
interface Serial0/1
ip inspect INSPECT_TELNET in

Verification

Before the port map is created, CBAC still allows the telnet traffic to pass through, but no inspect session shows up. After the port map is added, we do see the sessions, just as with normal CBAC.

R5#telnet 150.1.4.4 1023
Trying 150.1.4.4, 1023 … Open

R4#sh ip inspect sessions
Established Sessions
Session 6555F098 (155.1.45.5:13547)=>(10.0.0.1:23) telnet SIS_OPEN

R5#telnet 150.1.4.4 6023
Trying 150.1.4.4, 6023 … Open

R4#sh ip inspect sessions
Established Sessions
Session 6555F098 (155.1.45.5:13547)=>(10.0.0.1:23) telnet SIS_OPEN
Session 6555EE18 (155.1.45.5:56852)=>(10.0.0.6:23) telnet SIS_OPEN
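Checking the verification output by hand is fine for two sessions, but it is easy to script. The following is an added example, not part of the original post: it parses the session lines of "show ip inspect sessions" and sorts the open telnet sessions by whether their destination lies inside the subnet access-list 99 permits (assuming, as the session table above suggests, that the mapped hosts are the destination addresses). The sample output is constructed from the two lines above plus one made-up session to a host outside 10.0.0.0/24.

```python
"""Parse 'show ip inspect sessions' output and audit CBAC telnet sessions
against the subnet that the port-map ACL (access-list 99) permits."""
import ipaddress
import re

# One line of the "Established Sessions" table, e.g.
#   Session 6555F098 (155.1.45.5:13547)=>(10.0.0.1:23) telnet SIS_OPEN
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<app>\S+)\s+(?P<state>\S+)"
)


def parse_inspect_sessions(output):
    """Return one dict per session line; prompt and header lines are ignored."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = m.groupdict()
            s["src_port"] = int(s["src_port"])
            s["dst_port"] = int(s["dst_port"])
            sessions.append(s)
    return sessions


def audit_telnet_sessions(output, permitted_net="10.0.0.0/24"):
    """Split open telnet sessions into those whose destination is inside the
    PAM ACL subnet and those that are not (worth a look, since access-list 99
    only covers 10.0.0.0/24)."""
    net = ipaddress.ip_network(permitted_net)
    inside, outside = [], []
    for s in parse_inspect_sessions(output):
        if s["app"] != "telnet" or s["state"] != "SIS_OPEN":
            continue
        key = f'{s["dst_ip"]}:{s["dst_port"]}'
        (inside if ipaddress.ip_address(s["dst_ip"]) in net else outside).append(key)
    return {"inside_acl": sorted(inside), "outside_acl": sorted(outside)}


# Constructed sample: the two lines from the post plus one made-up session to a
# host outside 10.0.0.0/24, to exercise the outside_acl branch.
SAMPLE = """R4#sh ip inspect sessions
Established Sessions
Session 6555F098 (155.1.45.5:13547)=>(10.0.0.1:23) telnet SIS_OPEN
Session 6555EE18 (155.1.45.5:56852)=>(10.0.0.6:23) telnet SIS_OPEN
Session 6555EAB0 (155.1.45.5:40001)=>(10.0.1.9:23) telnet SIS_OPEN
"""

if __name__ == "__main__":
    print(audit_telnet_sessions(SAMPLE))
```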


DOC CD Navigation

Side note

Remember that the ip port-map command does not take an NBAR keyword. The command that does include NBAR (ip nbar port-map) has no ACL option and is used for QoS purposes.

[QoS] ip nbar port-map

To configure network-based application recognition (NBAR) to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map command in global configuration mode. To look for the protocol name using only the well-known port number, use the no form of this command.

ip nbar port-map protocol-name [tcp | udp] port-number


[Security] ip port-map

To establish port-to-application mapping (PAM), use the ip port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.

ip port-map appl-name port [tcp | udp] [ port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]