Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1030
Views
0
Helpful
3
Replies

ip port-map user on ASR 1000 IOS XE

Damjan Cvetko
Beginner
Beginner

‎07-12-2013 12:10 AM - edited ‎03-11-2019 07:11 PM

Hi.

I'm trying to build a firewall and wanted to use the "ip port-map user-xxx ..." command to make a custom protocol that I could then use in protocol statement insice a class-map type inspect.

Is this yet another thing missing from IOS XE, like the lack of object-group command?

Best regards.

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎07-12-2013 11:10 AM

Hello Damjan,

You are right Sr,

ASR ZBFW does not support user defined port-mapping

Now, you could match the traffic with an ACL and inspect it, the ZBFW will not break the connection, it will actually be succesfull so even though the command is not supported on the ASR1K you could still make it happen

EDIT: If you are going to create a user-defined protocol the ACL would be the same thing,

          If you are trying to map a standard protocol to a non-standard protocol then you need to use the IP port-map command (not supported ASR1K)

So bottom line: In your case with the ACL you will be more than fine

For Networking Posts check my blog at http://laguiadelnetworking.com/


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

GP cisco
Beginner
Beginner

‎03-18-2016 07:51 AM

Hi All,

I have just run into this issue on with iOS XE as this post is 3 years old i wonder if you had found a workaround without resorting to using ACL's ?

Cheers

-Olly

0 Helpful

Damjan Cvetko
Beginner
Beginner
In response to GP cisco

‎03-19-2016 10:53 PM

Hi Olly.

At that time it was not possible. But I have not kept track of the issue so I do not know if things are better now.

We ended up developing an internal webapp to generate and manage the firewall rules. We generate everything from policy-maps, class-maps and ip/ipv6 acls.

Best regards,

-Damjan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents