Inspecting Applications on Different Port Numbers
Problem
You want to use Application Layer inspection rules for an application running on a nonstandard port.
Solution
To enable Port to Application Mapping (PAM), use the ip port-map command:
```
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end
Router1#
```
Discussion
When configuring CBAC-supported applications, it is sometimes useful to map nonstandard ports to the applications that use them. For example, CBAC supports the inspection of HTTP packets; however, by default the router assumes that every HTTP server listens on TCP port 80. In the next example, we've configured CBAC to inspect HTTP sessions:
```
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip inspect name HTTPACCESS http
Router1(config)#end
Router1#
```
What happens if someone decides to run their HTTP server on a nonstandard port such as 8000? CBAC will not recognize the session as HTTP and will not apply HTTP inspection to it. If the inspection rule contains only application-specific entries, the session is not inspected at all, so no temporary entry is created for its return traffic and the interface ACL drops it; if the rule also contains a generic tcp entry, the session is tracked at the transport layer only, without the HTTP-specific checks. By using Port-to-Application Mapping (PAM) you can map port 8000 to the HTTP application, and CBAC will then handle the session accordingly.
In the Solution section, we mapped port 8000 to application HTTP using PAM. If we show the PAM configuration afterwards, we'll see that port 8000 is now mapped accordingly:
```
Router1#show ip port-map http
Default mapping:  http                 tcp port 80                        system defined
Default mapping:  http                 tcp port 8000                      user defined
Router1#
```
The problem with a generic port mapping like this one is that CBAC now treats every TCP session to port 8000, whatever the destination host, as HTTP. Any other service that happens to use port 8000 is subjected to HTTP inspection it was never meant to receive, which can break that service and defeats the point of application-layer inspection. This is usually not the most appropriate way to handle applications running on nonstandard ports. PAM also allows you to define the scope of a mapping with a simple standard ACL that lists the server addresses the mapping applies to. Host-specific mappings are consulted before the generic ones, and they are the only way to reuse a port that is already system-defined for a different application; a generic user-defined mapping cannot override a system-defined port.
In our next example, we configure PAM to use port 8080 for HTTP traffic, but only on server 10.1.2.14. This allows CBAC to inspect only packets destined for port 8080 on server 10.1.2.14 using its HTTP rules:
```
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22
Router1(config)#end
Router1#
```
So now when we view the PAM configuration, we see that ports 80 and 8000 are mapped to HTTP, as well as the host(s) in ACL 22 using port 8080:
```
Router1#show ip port-map http
Default mapping:  http                 tcp port 80                        system defined
Default mapping:  http                 tcp port 8000                      user defined
Host specific:    http                 tcp port 8080   in list 22         user defined
Router1#
```
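The recipe shows the PAM and inspection commands in isolation. The following configuration is an added example, not part of the original recipe, that ties the host-specific mapping to an inspection rule and an interface pair so the effect of PAM is visible end to end. The interface names (FastEthernet0/0 inside, Serial0/0 toward the server network), the interface addresses, the ACL name OUTSIDE-IN and the use of a generic tcp entry alongside the http entry are assumptions for illustration; the server address 10.1.2.14 and ACL 22 are the recipe's own.

```cisco
! Added example configuration (assumed topology): inside clients on
! FastEthernet0/0 reach the web server 10.1.2.14 on TCP 8080 via Serial0/0.
!
! Host-specific PAM: only sessions to 10.1.2.14:8080 are treated as HTTP.
! Sessions to any other host on port 8080 are NOT mapped.
access-list 22 permit host 10.1.2.14
ip port-map http port tcp 8080 list 22
!
! Inspection rule: application-layer HTTP inspection with an audit trail,
! plus generic TCP inspection for everything CBAC does not recognize.
! Remove the tcp line to see unmapped port-8080 sessions fail outright.
ip inspect name HTTPACCESS http audit-trail on
ip inspect name HTTPACCESS tcp
!
! Default-deny on the untrusted side. CBAC inserts temporary permit entries
! ahead of this ACL for the return traffic of sessions it has inspected.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface FastEthernet0/0
 description inside (assumed)
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 description toward server network (assumed)
 ip address 10.1.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect HTTPACCESS out
```

To verify the mapping is doing what you expect, open a session from an inside host to 10.1.2.14:8080 and another to some other host on port 8080, then run `show ip inspect sessions`: the first appears as an http session, while the second is carried by the generic tcp entry. If the tcp entry is absent, the second session is not inspected, no return-traffic entry is created, and OUTSIDE-IN logs the dropped replies. `show ip port-map http` confirms which mappings are system-defined, generic user-defined, and host-specific.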
Table 27-4 shows some of the common CBAC-supported protocols that are eligible for use with PAM.
Application name | Well known port number | Description |
---|---|---|
cuseeme | 7648 | CU-SeeMe Protocol |
exec | 512 | Remote Process execution |
ftp | 21 | File Transfer Protocol |
h323 | 1720 | H.323 Protocol |
http | 80 | Hypertext Transfer Protocol |
login | 513 | Remote Login |
msrpc | 135 | Microsoft's Remote Procedure Call |
netshow | 1755 | Microsoft's Netshow |
real-audio-video | 7070 | RealAudio and RealVideo |
sccp | 2000 | Skinny Client Control Protocol |
smtp | 25 | Simple Mail Transfer Protocol |
sql-net | 1521 | SQL-NET |
streamworks | 1558 | Streamworks Protocol |
sunrpc | 111 | Sun Remote Procedure Call |
tftp | 69 | Trivial File Transfer Protocol |
vdolive | 7000 | VDOLive Protocol |
For a complete and up-to-date list of applications supported by PAM, use the following command. Keep in mind that Cisco continually adds newly supported applications:
```
Router1(config)#ip port-map ?
  802-11-iapp          IEEE 802.11 WLANs WG IAPP
  WORD                 User defined application name. Use prefix 'user-'
  ace-svr              ACE Server/Propagation
  aol                  America-Online
  appleqtc             Apple QuickTime
  bgp                  Border Gateway Protocol
  bliff                Bliff mail notification
  bootpc               Bootstrap Protocol Client
  bootps               Bootstrap Protocol Server
  cddbp                CD Database Protocol
  cifs                 CIFS
  cisco-fna            Cisco FNATIVE
  cisco-net-mgmt       cisco-net-mgmt
  cisco-svcs           cisco license/perf/GDP/X.25/ident svcs
  cisco-sys            Cisco SYSMAINT
  cisco-tdp            Cisco TDP
  cisco-tna            Cisco TNATIVE
  citrix               Citrix IMA/ADMIN/RTMP
  citriximaclient      Citrix IMA Client
  clp                  Cisco Line Protocol
  creativepartnr       Creative Partnr
  creativeserver       Creative Server
  cuseeme              CUSeeMe Protocol
  daytime              Daytime (RFC 867)
  dbase                dBASE Unix
  dbcontrol_agent      Oracle dbControl Agent po
  ddns-v3              Dynamic DNS Version 3
  dhcp-failover        DHCP Failover
  discard              Discard port
  dns                  Domain Name Server
  dnsix                DNSIX Securit Attribute Token Map
  echo                 Echo port
  entrust-svc-handler  Entrust KM/Admin Service Handler
  entrust-svcs         Entrust sps/aaas/aams
  exec                 Remote Process Execution
  fcip-port            FCIP
  finger               Finger
  ftp                  File Transfer Protocol
  ftps                 FTP over TLS/SSL
  gdoi                 GDOI
  giop                 Oracle GIOP/SSL
  gopher               Gopher
  gtpv0                GPRS Tunneling Protocol Version 0
  gtpv1                GPRS Tunneling Protocol Version 1
  h323                 H.323 Protocol (e.g., MS NetMeeting, Inte
  h323callsigalt       h323 Call Signal Alternate
  h323gatestat         h323gatestat
  hp-alarm-mgr         HP Performance data alarm manager
  hp-collector         HP Performance data collector
  hp-managed-node      HP Performance data managed node
  hsrp                 Hot Standby Router Protocol
  http                 Hypertext Transfer Protocol
  https                Secure Hypertext Transfer Protocol
  ica                  ica (Citrix)
  icabrowser           icabrowser (Citrix)
  ident                Authentication Service
  igmpv3lite           IGMP over UDP for SSM
  imap                 Internet Message Access Protocol
  imap3                Interactive Mail Access Protocol 3
  imaps                IMAP over TLS/SSL
  ipass                IPASS
  ipsec-msft           Microsoft IPsec NAT-T
  ipx                  IPX
  irc                  Internet Relay Chat Protocol
  irc-serv             IRC-SERV
  ircs                 IRC over TLS/SSL
  ircu                 IRCU
  isakmp               ISAKMP
  iscsi                iSCSI
  iscsi-target         iSCSI port
  kazaa                KAZAA
  kerberos             Kerberos
  kermit               kermit
  l2tp                 L2TP/L2F
  ldap                 Lightweight Directory Access Protocol
  ldap-admin           LDAP admin server port
  ldaps                LDAP over TLS/SSL
  login                Remote login
  lotusmtap            Lotus Mail Tracking Agent Protocol
  lotusnote            Lotus Note
  mgcp                 Media Gateway Control Protocol
  microsoft-ds         Microsoft-DS
  ms-cluster-net       MS Cluster Net
  ms-dotnetster        Microsoft .NETster Port
  ms-sna               Microsoft SNA Server/Base
  ms-sql               Microsoft SQL
  ms-sql-m             Microsoft SQL Monitor
  msexch-routing       Microsoft Exchange Routing
  msrpc                Microsoft Remote Procedure Call
  mysql                MySQL
  n2h2server           N2H2 Filter Service Port
  ncp-tcp              NCP (Novell)
  net8-cman            Oracle Net8 Cman/Admin
  netbios-dgm          NETBIOS Datagram Service
  netbios-ns           NETBIOS Name Service
  netbios-ssn          NETBIOS Session Service
  netshow              Microsoft NetShow
  netstat              Variant of systat
  nfs                  Network File System
  nntp                 Network News Transport Protocol
  ntp                  Network Time Protocol
  oem-agent            OEM Agent (Oracle)
  oracle               Oracle
  oracle-em-vp         Oracle EM/VP
  oraclenames          Oracle Names
  orasrv               Oracle SQL*Net v1/v2
  pcanywheredata       pcANYWHEREdata
  pcanywherestat       pcANYWHEREstat
  pop3                 Post Office Protocol - Version 3
  pop3s                POP3 over TLS/SSL
  pptp                 PPTP
  pwdgen               Password Generator Protocol
  qmtp-tcp             Quick Mail Transfer Protocol
  r-winsock            remote-winsock
  radius               RADIUS & Accounting
  rdb-dbs-disp         Oracle RDB
  realmedia            RealNetwork's Realmedia Protocol
  realsecure           ISS Real Secure Console Service Port
  router               Local Routing Process
  rsvd-tcp             RSVD
  rsvp-encap           RSVP ENCAPSULATION-1/2
  rsvp_tunnel          RSVP Tunnel
  rtc-pm-port          Oracle RTC-PM port
  rtelnet              Remote Telnet Service
  rtsp                 Real Time Streaming Protocol
  send-tcp             SEND
  shell                Remote command
  sip                  Session Initiation Protocol
  sip-tls              SIP-TLS
  skinny               Skinny Client Control Protocol
  sms                  SMS RCINFO/XFER/CHAT
  smtp                 Simple Mail Transfer Protocol
  snmp                 Simple Network Management Protocol
  snmptrap             SNMP Trap
  socks                Socks
  sql-net              SQL-NET
  sqlserv              SQL Services
  sqlsrv               SQL Service
  ssh                  SSH Remote Login Protocol
  sshell               SSLshell
  ssp                  State Sync Protocol
  streamworks          StreamWorks Protocol
  stun                 cisco STUN
  sunrpc               SUN Remote Procedure Call
  syslog               SysLog Service
  syslog-conn          Reliable Syslog Service
  tacacs               Login Host Protocol (TACACS)
  tacacs-ds            TACACS-Database Service
  tarantella           Tarantella
  telnet               Telnet
  telnets              Telnet over TLS/SSL
  tftp                 Trivial File Transfer Protocol
  time                 Time
  timed                Time server
  tr-rsrb              cisco RSRB
  ttc                  Oracle TTC/SSL
  uucp                 UUCPD/UUCP-RLOGIN
  vdolive              VDOLive Protocol
  vqp                  VQP
  webster              Network Disctionary
  who                  Who's service
  wins                 Microsoft WINS
  x11                  X Window System
  xdmcp                XDM Control Protocol
Router1(config)#
```
See Also
Recipe 27.2