Cisco Network Security Little Black Book - Joe Harris.pdf

access-list 101 permit icmp 192.168.10.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 unreachable
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 traceroute
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 admin-prohibited
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 echo
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any

Related solution: Configuring Dynamic NAT Translations (found on page 145)

Configuring Port Application Mapping

The configuration of Port Application Mapping (PAM) is relatively straightforward and simple, but the power of PAM is really the way in which CBAC uses the information in the PAM table to identify a service or application from traffic flowing through the firewall. With PAM, CBAC can associate nonstandard port numbers with specific protocols. To configure PAM, use the commands in the following steps:

1. Use this global configuration command to establish a port mapping entry using a TCP or UDP port number and an application name:

ip port-map <application-name> port <port-number> list <list-number>

The list argument is optional and is used to specify a standard access list that matches specific hosts or subnets that have an application that uses a specific port number.

2. Optionally, configure a standard access list that specifies the specific hosts or subnets that should be configured for host-specific port application mapping.

Looking at the network detailed in Figure 4.6, you can see that Router 3 is the perimeter router, which provides Internet access for Company A. Router 3 has a connection to its ISP via its Serial1/1/0 outside interface. Router 3 also has a connection to its local inside network with FastEthernet0/1/0 interface. Router 3 is configured for PAM. Users on the local inside network use their Web browsers to access Web servers on the outside network using the nonstandard HTTP ports of 6100 through 6105. For Router 3 to map HTTP traffic to port 6100 through 6105, use the configuration shown in Listing 4.9.


Figure 4.6: Network layout for PAM.

Listing 4.9: PAM configuration for Router 3.

ip port-map http port 6100
ip port-map http port 6101
ip port-map http port 6102
ip port-map http port 6103
ip port-map http port 6104
ip port-map http port 6105
end

Notice in Listing 4.9 that Router 3 has been configured to map six sequential port numbers to HTTP traffic. You can view port map table information on the router by issuing the following command:

show ip port-map {application-name | port port-number}

To view the port mapping table of Router 3, issue the show ip port-map http command. The port mapping of Router 3 is displayed in Listing 4.10.

Listing 4.10: Port mapping table on Router 3.

Router-3#show ip port-map http
Default mapping: http port 6100 user defined
Default mapping: http port 6101 user defined
Default mapping: http port 6102 user defined
Default mapping: http port 6103 user defined
Default mapping: http port 6104 user defined
Default mapping: http port 6105 user defined
Default mapping: http port 80 system defined
Router-3#

I issued the show ip port-map command in Listing 4.10 with the application-name argument to specify that I wanted to display only information related to HTTP traffic. Each of the ports configured earlier is displayed in Listing 4.10; notice that they are configured as user-defined table entries. Also, note that the final line specifies a system-defined entry for HTTP. Table 4.1 earlier in this chapter stated that HTTP was a system-defined entry on the default port 80.

While on the subject of system-defined entries, I'll remove the configuration that created the user-defined entries and display the default PAM table. First I'll remove the prior configuration:

Router-3#config t
Router-3(config)#no ip port-map http port 6100
Router-3(config)#no ip port-map http port 6101
Router-3(config)#no ip port-map http port 6102
Router-3(config)#no ip port-map http port 6103
Router-3(config)#no ip port-map http port 6104
Router-3(config)#no ip port-map http port 6105
Router-3(config)#end
Router-3#

I can now issue the show ip port-map command without any argument to display the entire PAM table. Issuing the command on Router 3 should now display the default PAM table. Listing 4.11 displays Router 3's default PAM table.


Listing 4.11: Default PAM table of Router 3.

Router-3#show ip port-map
...
Default mapping: vdolive port 7000 system defined
Default mapping: sunrpc port 111 system defined
Default mapping: netshow port 1755 system defined
Default mapping: cuseeme port 7648 system defined
Default mapping: tftp port 69 system defined
Default mapping: rtsp port 8554 system defined
Default mapping: realmedia port 7070 system defined
Default mapping: streamworks port 1558 system defined
Default mapping: ftp port 21 system defined
Default mapping: telnet port 23 system defined
Default mapping: rtsp port 554 system defined
Default mapping: h323 port 1720 system defined
Default mapping: sip port 5060 system defined
Default mapping: smtp port 25 system defined
Default mapping: http port 80 system defined
Default mapping: msrpc port 135 system defined
Default mapping: exec port 512 system defined
Default mapping: login port 513 system defined
Default mapping: sql-net port 1521 system defined
Default mapping: shell port 514 system defined
Default mapping: mgcp port 2427 system defined
Router-3#

System-defined table entries are important to the port application process, and as mentioned earlier, any attempt to map a user-defined entry over a system-defined entry is not permitted. Attempting to configure HTTP to run on the system-defined port of 21, which maps to FTP, is not allowed. An example of this type of attempt is shown in Listing 4.12.

Listing 4.12: Attempt to map over a system-defined entry.

Router-3#config t
Router-3(config)#ip port-map http port 21
Command fail: the port 21 has already been defined for ftp by the system.
No change can be made to the system defined port mappings.
Router-3(config)#end
Router-3#

Host-defined entries are actually user-defined entries that have a finer granularity of configuration on a per-host or per-subnet basis. In Figure 4.7, three hosts on the internal inside network need FTP access to a host on the external outside network of Router 3. The host on the external outside network of Router 3 only uses FTP on port 7142. To configure Router 3 to map the host-defined entries for FTP on Router 3, you must configure an access list to specify which hosts need the mapping created. Listing 4.13 shows the configuration needed to accomplish this.

Figure 4.7: Host that needs PAM configuration.

Listing 4.13: Creating host-defined entries on Router 3.

Router-3#config t
Router-3(config)#access-list 1 permit 192.168.10.240
Router-3(config)#access-list 1 permit 192.168.11.16
Router-3(config)#access-list 1 permit 192.168.11.112
Router-3(config)#ip port-map ftp port 7142 list 1
Router-3(config)#end

If you examine the output of the show ip port-map command, you can see that Router 3 has created the host-defined entry and bound it to access list 1. Listing 4.14 shows the output from the show ip port-map command with the newly created host-defined entries in the PAM table.

Listing 4.14: Display of the host-defined PAM table entries.

Router-3#show ip port-map
...
Default mapping: http port 80 system
Host specific: ftp port 7142 in list 1 user
Default mapping: ftp port 21 system
Default mapping: msrpc port 135 system
Default mapping: exec port 512 system
Default mapping: login port 513 system
Default mapping: sql-net port 1521 system
Default mapping: shell port 514 system
Default mapping: mgcp port 2427 system
Router-3#

Just as host-specific entries can populate the PAM table (as demonstrated in the configuration above), so can subnets. The three hosts on the internal network in the configuration in Listing 4.13 all need FTP access to a host on the external network using port 7142; however, all hosts on each of the 192.168.10.0 and 192.168.11.0 subnets need to access a RealVideo server on the outside network using port number 5050 as opposed to the default 7070. To configure subnet-defined entries, I will create a new access list and bind it to the ip port-map command. Listing 4.15 shows the configuration.

Listing 4.15: Subnet-defined PAM configuration.

Router-3#config t
...
Router-3(config)#access-list 2 permit 192.168.10.0
Router-3(config)#access-list 2 permit 192.168.11.0
Router-3(config)#ip port-map realmedia port 5050 list 2
Router-3(config)#end
Router-3#

Pay particular attention to the last octet of the IP addresses configured in Listing 4.15; this octet allows the router to determine whether the access list is a host-specific entry or a subnet-specific entry. Notice that the number 0 is specified and not a number between 1 and 254 for the class C subnet. Issuing the show ip port-map command again displays the PAM table for Router 3. Listing 4.16 shows the output of the PAM table.

Listing 4.16: Output of the PAM table on Router 3.

Router-3#sh ip port-map
Default mapping: netshow port 1755 system
Host specific: realmedia port 5050 in list 2 user
Default mapping: realmedia port 7070 system
Default mapping: ftp port 21 system
Host specific: ftp port 7142 in list 1 user
Default mapping: mgcp port 2427 system
Router-3#

Listing 4.12 showed that a system-defined entry could not be overwritten; however, a host-specific entry or a subnet-specific entry can change the default system entry on a per-host or per-subnet basis for any or all system entries. Referring again to Listing 4.13, Router 3 was configured to create a port table mapping for each of the three hosts listed so that the hosts could access an FTP server on the outside network using port 7142. The three hosts now have a requirement to access a Web server on the outside network, and they need to access the Web server using the port that is normally used by FTP, port 21. So Router 3 needs to create a PAM table entry such that HTTP traffic maps to port 21, FTP's standard port. To configure Router 3 to meet the new requirements of the three hosts and override the system-defined entries, use the configuration shown in Listing 4.17.

Listing 4.17: Router 3 configured to override system-defined entries.

Router-3#config t
Router-3(config)#access-list 1 permit 192.168.10.240
Router-3(config)#access-list 1 permit 192.168.11.16
Router-3(config)#access-list 1 permit 192.168.11.112
Router-3(config)#ip port-map http port 21 list 1
Router-3(config)#end

First, notice that the router did not prompt with any error message as a result of the configuration change. If you examine the output of the show ip port-map command, you can see that HTTP is indeed a user-defined map that is mapped to port 21. Listing 4.18 displays the output.

Listing 4.18: Display of PAM table on Router 3.

Router-3#sh ip port-map
...
Default mapping: vdolive port 7000 system
Host specific: realmedia port 5050 in list 2 user
Default mapping: realmedia port 7070 system
Default mapping: ftp port 21 system
Host specific: http port 21 in list 1 user
Default mapping: http port 80 system
Default mapping: exec port 512 system
Default mapping: login port 513 system
Default mapping: sql-net port 1521 system
Default mapping: shell port 514 system
Host specific: ftp port 7142 in list 1 user
Default mapping: mgcp port 2427 system
Router-3#

Finally, two new inside hosts need to access two different outside hosts using different services; however, both hosts need to use the same port number. The host with the IP address 192.168.10.118 needs Telnet service to an external host, and the Telnet service needs to run over port 6200. The host with the IP address 192.168.11.205 needs to access the Microsoft NetShow service of a host on the external network and also needs the Microsoft NetShow service to run over port 6200. The configuration for Router 3 in Listing 4.19 accomplishes the hosts' requirements.

Listing 4.19: Configuration of mapping different hosts to the same port.

Router-3#config t
Router-3(config)#access-list 12 permit 192.168.10.118
Router-3(config)#access-list 13 permit 192.168.11.205
Router-3(config)#ip port-map telnet port 6200 list 12
Router-3(config)#ip port-map netshow port 6200 list 13
Router-3(config)#end

The final configuration of Router 3 can be displayed using the show running-config command (see Listing 4.20).

Listing 4.20: Final configuration of Router 3.

Router-3#sh ru
Building configuration...
!
ip port-map http port 6100
ip port-map http port 6101
ip port-map http port 6102
ip port-map http port 6103
ip port-map http port 6104
ip port-map http port 6105
ip port-map realmedia port 5050 list 2
ip port-map http port 21 list 1
ip port-map ftp port 7142 list 1
ip port-map netshow port 6200 list 13
ip port-map telnet port 6200 list 12
!
access-list 1 permit 192.168.11.112
access-list 1 permit 192.168.11.16
access-list 1 permit 192.168.10.240
access-list 2 permit 192.168.10.0
access-list 2 permit 192.168.11.0
access-list 12 permit 192.168.10.118
access-list 13 permit 192.168.11.205
!
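To make the lookup rules walked through in Listings 4.12 to 4.19 concrete, here is an added Python model of Router 3's PAM table (example code written for this edit, not the book's or Cisco's code). The precedence it applies (a host/subnet-specific entry matching the source first, then a global user-defined entry, then the system-defined entry), the refusal of a global user-defined entry on a system port, and the last-octet-0 rule for class C subnets are taken from the chapter's description; the class and method names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Subset of the system-defined entries from Listing 4.11 (port -> application).
SYSTEM_DEFINED = {21: "ftp", 23: "telnet", 80: "http", 1755: "netshow", 7070: "realmedia"}


class PamTable:
    def __init__(self):
        self.system = dict(SYSTEM_DEFINED)  # system-defined, cannot be overwritten
        self.user = {}                      # global user-defined: port -> app
        self.host_specific = []             # (app, port, list_no), bound to an ACL
        self.acls = {}                      # list_no -> [networks]

    def access_list(self, list_no, address):
        # A last octet of 0 marks a class C subnet entry; anything else is a host.
        prefix = 24 if address.split(".")[-1] == "0" else 32
        self.acls.setdefault(list_no, []).append(ip_network(f"{address}/{prefix}"))

    def port_map(self, app, port, list_no=None):
        if list_no is None:
            # A global user-defined entry may not overwrite a system port (Listing 4.12).
            if port in self.system:
                return f"Command fail: the port {port} has already been defined for {self.system[port]} by the system."
            self.user[port] = app
        else:
            # Host/subnet-specific entries may shadow system entries for matching sources (Listing 4.17).
            self.host_specific.append((app, port, list_no))
        return "ok"

    def classify(self, src, dst_port):
        # Host/subnet-specific entries for this source first, then global user, then system.
        addr = ip_address(src)
        for app, port, list_no in self.host_specific:
            if port == dst_port and any(addr in net for net in self.acls.get(list_no, [])):
                return app
        return self.user.get(dst_port, self.system.get(dst_port))


def build_router3():
    # The mappings and access lists of Listing 4.20, entered in that order.
    t = PamTable()
    for p in range(6100, 6106):
        t.port_map("http", p)
    for lst, addr in ((1, "192.168.11.112"), (1, "192.168.11.16"), (1, "192.168.10.240"),
                      (2, "192.168.10.0"), (2, "192.168.11.0"),
                      (12, "192.168.10.118"), (13, "192.168.11.205")):
        t.access_list(lst, addr)
    for app, port, lst in (("realmedia", 5050, 2), ("http", 21, 1), ("ftp", 7142, 1),
                           ("netshow", 6200, 13), ("telnet", 6200, 12)):
        t.port_map(app, port, lst)
    return t
```

Calling build_router3().classify("192.168.10.240", 21) returns "http" while the same port from any host outside list 1 still classifies as "ftp", which is the per-host override Listing 4.18 displays.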
