Inspecting Applications on Different Port Numbers

Problem

You want to use Application Layer inspection rules for an application running on a nonstandard port.

Solution

To enable Port to Application Mapping (PAM), use the ip port-map command:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end
Router1#

Discussion

When configuring CBAC-supported applications, it is sometimes useful to be able to map nonstandard ports to the applications themselves. For example, CBAC supports the inspection of HTTP packets; however, by default the router assumes that all HTTP servers use TCP port 80. In the next example, we've configured CBAC to inspect HTTP sessions:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name HTTPACCESS http
Router1(config)#end
Router1#

What happens if someone decides to run their HTTP server on a nonstandard port such as 8000? The answer is that CBAC will not recognize the session as an HTTP session and will not inspect the session. By using Port-to-Application Mapping (PAM) you can map port 8000 to an HTTP application, and CBAC will then handle it accordingly.

In the Solution section, we mapped port 8000 to the HTTP application using PAM. If we show the PAM configuration afterwards, we'll see that port 8000 is now mapped accordingly:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined

Router1#

The problem with performing a generic port mapping like this one is that CBAC will now handle all traffic destined for TCP port 8000 as HTTP traffic. This might not be the most appropriate way to handle applications running on nonstandard ports. PAM also allows you to define the scope of the application mapping by the use of a simple ACL. By using an ACL to define scope, you can specifically define which servers are using which nonstandard ports.

In our next example, we configure PAM to use port 8080 for HTTP traffic, but only on server 10.1.2.14. This allows CBAC to inspect only packets destined for port 8080 on server 10.1.2.14 using its HTTP rules:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22
Router1(config)#end
Router1#

So now when we view the PAM configuration, we see that ports 80 and 8000 are mapped to HTTP, as well as the host(s) in ACL 22 using port 8080:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined

Router1#
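To make the precedence between generic and ACL-scoped mappings concrete, here is an added example (not from the book or from Cisco) that parses the show ip port-map output above and works out which application CBAC would apply to a given flow. The ACL table and the rule that host-specific entries are consulted before generic ones are assumptions of this model, not something the page states.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the "show ip port-map http" output from this recipe
SHOW_OUTPUT = """\
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined
"""

# Constructed ACL table standing in for "access-list 22 permit host 10.1.2.14"
ACLS = {22: [("permit", ip_network("10.1.2.14/32"))]}

LINE_RE = re.compile(
    r"^(Default mapping|Host specific):\s+(\S+)\s+(tcp|udp) port (\d+)"
    r"(?:\s+in list (\d+))?\s+(system|user) defined$"
)

def parse_port_map(text):
    """Turn 'show ip port-map' lines into a list of mapping dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, app, proto, port, acl, origin = m.groups()
        entries.append({"app": app, "proto": proto, "port": int(port),
                        "acl": int(acl) if acl else None, "origin": origin,
                        "host_specific": kind == "Host specific"})
    return entries

def acl_permits(acl_num, host, acls=ACLS):
    """Standard ACL evaluation: first match wins, implicit deny at the end."""
    for action, net in acls.get(acl_num, []):
        if ip_address(host) in net:
            return action == "permit"
    return False

def classify(entries, dst_host, proto, dst_port):
    """Return the application CBAC would apply to a flow, or None.
    Assumption: host-specific (ACL-scoped) entries win over generic ones."""
    ordered = sorted(entries, key=lambda e: not e["host_specific"])
    for e in ordered:
        if e["proto"] != proto or e["port"] != dst_port:
            continue
        if e["acl"] is None or acl_permits(e["acl"], dst_host):
            return e["app"]
    return None
```

Running classify against 10.1.2.14:8080 yields "http", while the same port on any other host yields None, which is exactly the narrowing the ACL-scoped mapping buys you over the generic port 8000 entry.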

Table 27-4 shows some of the common CBAC-supported protocols that are eligible for use with PAM.

Table 27-4. Cisco-defined port mapping

Application name    Well-known port number    Description
cuseeme             7648                      CU-SeeMe Protocol
exec                512                       Remote Process execution
ftp                 21                        File Transfer Protocol
h323                1720                      H.323 Protocol
http                80                        Hypertext Transfer Protocol
login               513                       Remote Login
msrpc               135                       Microsoft's Remote Procedure Call
netshow             1755                      Microsoft's Netshow
real-audio-video    7070                      RealAudio and RealVideo
sccp                2000                      Skinny Client Control Protocol
smtp                25                        Simple Mail Transfer Protocol
sql-net             1521                      SQL-NET
streamworks         1558                      Streamworks Protocol
sunrpc              111                       Sun Remote Procedure Call
tftp                69                        Trivial File Transfer Protocol
vdolive             7000                      VDOLive Protocol


For a complete and up-to-date list of applications supported by PAM, use the following command. Keep in mind that Cisco continually adds newly supported applications, so the list below will vary with the IOS version:

Router1(config)#ip port-map ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
WORD User defined application name. Use prefix 'user-'
ace-svr ACE Server/Propagation
aol America-Online
appleqtc Apple QuickTime
bgp Border Gateway Protocol
bliff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-handler Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
exec Remote Process Execution
fcip-port FCIP
finger Finger
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g., MS NetMeeting, Inte
h323callsigalt h323 Call Signal Alternate
h323gatestat h323gatestat
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http Hypertext Transfer Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap Internet Message Access Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa KAZAA
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
mgcp Media Gateway Control Protocol
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
msrpc Microsoft Remote Procedure Call
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp-tcp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 Post Office Protocol - Version 3
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp-tcp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rdb-dbs-disp Oracle RDB
realmedia RealNetwork's Realmedia Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rsvd-tcp RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send-tcp SEND
shell Remote command
sip Session Initiation Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sql-net SQL-NET
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
sunrpc SUN Remote Procedure Call
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
telnet Telnet
telnets Telnet over TLS/SSL
tftp Trivial File Transfer Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Who's service
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol

Router1(config)#

See Also