0:00:13
In the next section for content-based access control and the zone-based policy firewall, we are going to talk about the port-to-application mapping, or PAM, feature, which is used to control what the port numbers are that we are matching when we issue either the match protocol command in the zone-based policy firewall, or the ip inspect command followed by the individual application match.

0:00:38
Now, by default, both content-based access control and the zone-based policy firewall are going to use the well-known port numbers that are assigned to a particular application for that individual traffic matching. Now, for example, when we are talking about web browsing, if you want to say match protocol http in the case of the zone-based policy firewall, or the ip inspect command with http for content-based access control, it means that we are looking at TCP port 80.

0:01:09
Now we can verify what the default port number is that is used for the port-to-application mapping if we look at the show ip port-map command on the command line interface. Now, one important point to note about this: we want to look at the show ip port-map command, not the show ip nbar port-map command, where the NBAR variation is going to be port mapping related to quality of service that is matched in the MQC syntax of the match protocol command, whereas the regular ip port-map is going to be for CBAC and for the zone-based firewall.

0:01:49
Now, in addition to matching on the standard port values, where we would say match protocol telnet, which we know is going to match port 23, or in the case of match protocol http, which we know is matching 80, we can alternately change these if some particular service that we have is running on a non-standard port. For example, if we have a web server that's running on TCP port 8080, we can define a custom port mapping that says when we are matching the protocol HTTP, not only look at the default of 8080, excuse me, the default of 80, but also look at 8080.

0:02:28
Now, the reason you would want to do this is that if you are inspecting traffic with either CBAC or the zone-based firewall, but we don't want to set up a complex set of access lists to poke individual holes in the firewall, we can still use the inspection engine but allow it to run on non-standard port values.

0:02:50
Now, it also supports this on a per-host basis or a per-address-range basis. So we can say that we have a number of web servers inside the network, but only server A runs on the non-standard port of 8080, and the rest of them run on the normal port 80. We can do this by matching an access list along with the ip port-map command.

0:03:15
Now, this also allows us to have the same port number that is used for different protocols on different hosts, where maybe one web server is listening on 8080, but then a different FTP server is listening on 8080 as well. Based on the particular access list we are matching within the port map, we are able to assign the same port number to multiple protocols because we are doing it on a different-host basis.

0:03:46
Now let's take a look at the command line, and as I mentioned, the command we are looking at is going to be show ip port-map, where these particular port mappings, again, are going to be just for the security features, which are either content-based access control, which is the ip inspect command, or the zone-based policy firewall, which is using the match protocol command under the class-map type inspect.

0:04:16
Now we can also use this to figure out, for other applications in the network, what some other default protocol numbers and port numbers are. For example, here we have the mapping for the bootp client, which is UDP port 68; this is our DHCP request from a client, where we also see one here for the bootp server, which is going to be the response, or the offer, from the server down to the client. We also see GDOI, which is used for the GET VPN feature and uses UDP port 848. We can also see some other application-level things like Skinny or H.323; these are going to be for different media and voice applications.

0:05:11
And if we go down towards the bottom, we will see what it says for the other web traffic, for HTTP, which is listening on just the default port 80. Now we also see that some of these use ranges of addresses and multiple protocols, where in the case of AOL it says TCP 5190-5192, but also UDP 5190 and 5192. So not only is this a range of addresses, but it is matching on two different IP protocol numbers, which are both TCP and UDP in this case.

0:05:52
Now we could sort through this with show ip port-map | include or | exclude and then the particular value we are looking for. So if we say show ip port-map and then include HTTP, we see we have separate matches for regular clear-text web browsing and then SSL-based HTTPS, which are using TCP port 80 and 443 by default.

0:06:19
Now, if we compare this to show ip nbar port-map, these are two separate configurations. Now, we see a lot of these values are going to match the same by default; we see here that HTTP is matching port 80 automatically. But the key point is that if we want to change the NBAR port mapping, which is for the quality of service applications, it is not going to affect the security filtering of either the ip inspect engine of CBAC, or the CBAC engine as it's called for the zone-based policy firewall. So just ignore that NBAR port map; that's for QoS. We want to look at just the regular ip port-map, which is for security; that's what we want to look at here.

0:07:09
So let's take a look at the topology and let's test this out. We are again on router 3. We have the zone-based policy firewall configured, where we have the inside zone attached to the connection to router 4, and we have the outside zone that is connected from 3 to 2, and I am going to be testing that from the Windows PC that is located here down on VLAN 180.

0:07:37
So the first thing I can do is configure router 4 to run the web service; we turn the HTTP server on at the regular port 80. And on the zone pairing that I have from the outside to the inside on router 3, I can tell it to inspect HTTP traffic, which means that the test PC should be able to initiate the web session to router 4 and get the response back in, because again we are inspecting traffic from one zone to another, which means that return traffic will automatically be allowed, assuming that the session is actually active.

0:08:18
So unlike the ASA, here we don't have security level numbers that are associated with interfaces, so there are technically no inside or outside interfaces; it is really just how we define it with the zone pairings. And this is one of the advantages of this configuration versus CBAC or versus the ASA: it is much more flexible, as how we associate policies with the zones is decoupled from the actual physical interfaces.

0:08:45
So let's go to router 3 next and look at its current configuration for the policies. And again, if we look at show zone security, it says we have three different zones, that are inside, outside and dmz, in addition to our system zone, that is the self zone. If we look at show zone-pair security, we are pairing for traffic going from the inside to the outside, from inside to dmz, from outside to dmz, and from outside to inside.

0:09:24
Now, since in this particular case the web server that we are using, which is router 4, is located on the inside of the network, I want to apply the inspection as we are going from the outside to the inside, where the source zone is outside and the destination zone is inside, and the particular policy it is using is the outside-to-inside policy. So again, based on the fact that I am trying to make the class names, policy names and zone pair names very descriptive, it makes it a little bit easier when we are trying to decode the configurations as to what direction of a filter we are actually trying to apply.

0:10:06
So now if we look at show run | section outside-to-inside-policy, this is what I need to modify in order to get traffic that is web traffic from the outside going in and then for the sessions to return. Now, I already have this class, that is the outside-to-inside exception class, that is being passed. I could technically modify this so that I was also matching web traffic going to router 4, but the problem with this is, since I am saying pass instead of inspect, it means that I have to pass traffic in both directions.

0:10:43
So what I am going to do here instead is create a new class that's going to match web traffic going to router 4, and we will inspect that as it is going outside in. Now, we could be very specific: I could configure an access list that matches router 4's address and call the other protocol from inside the class, but it just depends on how specific we want to be with the policy.

0:11:08
So in this case we simply say, in the class map, class-map type inspect, and we will say this is the outside-to-inside inspect class, where the other one was the exception class; this is the one that we are actually doing the inspection on. Now, just in case I want to add multiple matches later, I may want to change it so that it says match-any as opposed to match-all, which is the default. So again, in our particular case I want to match the protocol HTTP, so that's going to be any web traffic that's going from the outside to the inside.

0:11:51
Then I need to call this from the policy map, which is the policy-map type inspect outside-to-inside policy, and for the class I created, the outside-to-inside inspect class, I am going to inspect this traffic. So there are no additional parameters on it; nothing special about this. We don't need to specify what the particular host address is, we don't need to specify the port number, because by default, if we look at show ip port-map | include HTTP, we are going to use port 80 automatically for this traffic.

0:12:32
So the next thing I am going to do is go to router 4 and actually turn the web service on. In global configuration, I simply say ip http server, and this is going to be running on the standard port 80 by default. So now if we go to the test PC, again looking down here on VLAN 80, we should ideally be able to send our web browsing session to router 4 and then get the response back in, where in this case router 4's address is 172.16.34.4. We see the logon box pop up, which means that we did establish a basic TCP session. Now we can see we have a connection to router 4. If we look at a different command, like the show log output, we can see that we do have the proper web connection to router 4.

0:13:28
Now additionally, if we go to router 3 and look at the show policy-map, excuse me, the show service-policy, actually, show policy-map type inspect zone-pair sessions, we should see, from the outside to the inside, that we are going to have, inside the inspect class, an active session.

0:13:57
Now, we would actually need to look at this right as we are doing the web browsing, so let's say show policy-map type inspect zone-pair outside-to-inside sessions. As we run one of the commands, let's go home and then run show tech-support, for example. Once we do that, we should see that for the session from router 4 back to the Windows machine, which in this case is the 192.168.118.110 address, we can see that the TCP connection is open.

0:14:38
So nothing really special here. If we look at show run | section class-map or policy-map or zone, we see we have the outside-to-inside inspect class, which says match http; then we have the outside-to-inside policy, where we say for the inspect class, inspect that traffic; then the policy is called from the zone pairing, which is the outside-to-inside pairing, which then calls the policy. So again, there is a lot of syntax pieced together, but the overall logic simply means that any web traffic coming from the outside to the inside, we are going to inspect it.

0:15:23
Now, since both the web client and the web server are requesting the sessions on port 80, we don't need to change anything that's related to the port-to-application map. Now, the case where we would need to do this is if we were to change what port number the server is actually listening on. So I am going to say on router 4 that the ip http port number is some non-standard value, let's say 65080. This would then mean, from the Windows client, I will be able to get to router 4's web interface if I were to use port 65080.

0:16:08
And if we now look at router 3, we have a log message that says traffic is coming from the outside going inside, and this is matching class-default, which is dropping the traffic. So even though this is still a web browsing session, the problem is that the router is not looking at port 65080 to associate it with this match protocol http that we have here under the outside-to-inside inspect class. So this is what our port-to-application mapping would be used for.

0:16:44
If I were now to say on router 3 that the ip port-map, specifically for HTTP, is port TCP 65080, we can see that we can match multiple port numbers, we can match a range of addresses, but now I tell it to listen on 65080 instead of the normal 80. If we look at show ip port-map | include HTTP, we can see that it is still using the default value of 80, because this one is system defined, but additionally it has a user-defined value of 65080.

0:17:31
Now, what we would see with this change is that when the client goes to browse to this address, we don't need to add an additional exception, either with an access list or another class with a pass entry, because now router 3 is looking, when it inspects HTTP, for port 80 in addition to 65080. And if we look at those sessions again with show policy-map type inspect zone-pair, the name, sessions, we should see, once we actually send the traffic, that there should now be sessions from the Windows client to the server, now with the server running at port 65080.

0:18:23
Now again, in addition to the normal changes to the port numbers, which we are doing here with the ip port-map command, we can also change this on a per-host basis, whereas if I have one server on the inside running a custom port, but the other ones are running the standard port values, I may want to change this just on an individual host or individual segment basis. So now let's say, for example, that in our particular topology we can change router 3's mapping for the web traffic, but only for hosts that are on this particular VLAN 4 segment, which is the 172.16.4.0/24 address range.

0:19:13
So in addition to using the ip port-map command on router 3, we are going to be using an access list that says change the port value, but I also want to change it just for this specific range of hosts. And we see the advantage of doing it this way is that we do not need a manual access list applied to the interface, and we don't need to change the rest of the zone-based policy firewall configuration. Any time we are saying match protocol http with the zone-based firewall, or with CBAC saying ip inspect http, it's going to look not only at the port number, but also at the access list to figure out: is this going to a host that we changed the custom port mapping for?

0:20:00
So next, on router 4, what I am going to do is change the port number again; we change it to some other value, let's say 30080. Where now on router 3 I am going to configure an access list that says access-list 4 permit 172.16.4.0 with a wildcard mask of 0.0.0.255, so this is going to match any host that has an address in 172.16.4. Now we can change our port mapping; the syntax is going to be similar as before, ip port-map http, using TCP port 30080, but now we are doing it just for addresses that are matched in access-list 4.

0:20:55
And if we look at show policy-map type inspect for the zone-pair sessions for the outside-to-inside pairing, we want to look at what the number of packets is in the class-default and what the number of packets is in the outside-to-inside inspect class, which is actually matching the HTTP protocol. We can see right now the number of packets that have been inspected is 8, and the number of default packets dropped is 3.

0:21:27
Now, if I go back to the Windows source and change the port number here to 30080, if we look at router 3, it says this session is being dropped from the Windows source going to 172.16.34.4 at 30080, because the zone pairing outside-to-inside is using class-default to match the flow, and class-default is going to drop the packets. So if we look at the zone pairing sessions, we should see that the class-default was incremented, where it was previously 3 packets; now it says

0:22:09
So even though the end host is using the correct port value, it's not using the correct address. If we look at show ip port-map | include HTTP, it says that there are multiple mappings for HTTP; the 30080 mapping is host specific, so not only does it have to be this particular port number, it has to be for a host that is matched in access-list 4. Again, access-list 4 here is 172.16.4.0.

0:22:50
So now on the Windows client, we are going to take the same URL but change it from the 34.4, which was the outside interface of router 4, to this inside interface that is matched by the port-to-application mapping. We now see the traffic is allowed, and if we look at the show zone-pair sessions, once we run the command we should see that router 3 is correctly classifying the traffic coming from the Windows source going to router 4's inside, going to port 30080.

0:23:35
Now, this would again also allow you to have some other protocol that is overlapping the port number 30080, as long as it is going to a different host address. So for example, I could say that on router 4, excuse me, router 3, I could then have an ip port-map for telnet, and the telnet port was TCP 30080, but this is going to a different host inside; then this is going to be valid, because the classification with the CBAC engine is looking at not only the protocol number, so is it TCP, yes, is it port 30080, yes, but is it also matching this particular access list for where the traffic is going to?

0:24:36
Now, the other way we can do this is by defining a custom port-to-application mapping, which is defined as a custom protocol. Specifically, the configuration for this is when we issue the ip port-map command, followed by the keyword user- and then any string we can define. So we would say, for example, ip port-map user- custom protocol 1. This is going to work similarly to changing the port mapping for a protocol that already exists; however, if it is some non-standard custom application, it may make it easier for us to define a new value to then reference in CBAC as the ip inspect command followed by the protocol, user- and the string, or, in the case of the zone-based policy firewall, inside our class-map type inspect we would say match protocol user- and whatever our custom string is.

0:25:41
So let's take a look at this in our same particular case here, where we have router 4 as the server, a TCP server that is listening for sessions coming from this Windows machine. Now we already have it listening on the web service at port 30080, and in addition to that we configure router 4 to listen for telnet packets that are going to port 3100. And the way I can do this is with the rotary command under the vty line, where typically the router listens on the normal port 23 for telnet. If I go under line vty and issue the rotary command, whatever number I add here, let's say 100, the router is now going to start listening on 3000 plus the rotary number, 5000, 7000 and 10000 plus the rotary number.

0:26:47
So from router 4, I will telnet to my own address here, but telnet to port 3100; we should see that it is listening for the telnet service there, which it is. Now, with this here, like I said, it additionally listens on some other port values here, but there is a little bit of a difference as to how the other protocols work. So you should see when I was issuing the username there, it is echoing multiple characters back to me, where for the telnet port you would want to use 3000 plus the rotary number; these other port numbers are for some other, a different application we can use.

0:27:31
So now what we are going to do on router 3 is configure a custom protocol definition that says to look at TCP port 3100, that can then be used inside our zone-based policy firewall. This says match protocol, whatever custom name we are using, that should inspect the traffic going to port 3100. So first, on router 3, we will say ip port-map, and if we look at the context-sensitive help, it says you can have a user-defined application name, but use the prefix user-. So we start with ip port-map user-, give it a name, let's say custom protocol 1, and just like the other configuration it is going to ask you: is this for TCP, is this for UDP, and what is the particular port number; in this case say TCP port 3100. It says unable to add the port-map entry, the application name is too long, so let's say user-custom1.

0:28:48
So next, if we look at show run | section class-map, I already have my class-map type inspect that is for the outside to the inside, and since this is a logical OR match with match-any, I can simply take the same previous class and add a new match protocol. But we should be able to see now that we have the option for the custom protocol, which is user-custom1, so we say match protocol user-custom1; we can see it now in the context-sensitive help. If we now look at show policy-map type inspect, the zone-pair name outside-to-inside, and the sessions, we should see for the outside-to-inside inspect class that we now also do inspection for the protocol name user-custom1.

0:29:55
So if we now go to the Windows server and telnet to router 4's address, we would see that normal port 23 traffic is going to be dropped by router 3; that port 23 going to 172.16.4.4 is dropped on the zone pairing outside-to-inside. But if we change that to go to port 3100, we can see now the connection is successful, and if we look at the zone pairing sessions again, we should now see that for that particular custom1 we do have the session coming from the Windows server going to router 4, but it is going to that particular custom value.

0:30:48
So again, this particular application would be used if you want to allow a custom port number through the firewall, but you do not want to use the pass action; remember, with the pass action, that is a unidirectional pass, where we have to pass it from outside to in and then from inside back out.

0:31:08
Now, additionally, we may talk about some of the advanced application-level inspections and customization you can do with this zone-based policy firewall. Not only can we do this inspection based on custom port numbers, I can still use the TCP normalization engine of CBAC in order to do things like protecting this particular server against a TCP attack, or against any sort of non-standard TCP options type of attack, where if I were to do the pass option, I would not have those particular features available to me.