NBAR questions!!

jolo07310
Level 5

We use NBAR to block all P2P traffic, e.g. kazaa, napster, etc.

However, we have a user who needs to telnet to the outside world on port number 8888, but he couldn't get to it. After investigating, we found out napster is using port 8888. So we have to take out protocol napster to allow the user to access telnet 8888.

I tried to use an access-list to open a port, but it seems like NBAR supersedes the access-list. How to block napster and allow the user to telnet with port 8888 at the same time??

Thanks a million

6 Replies

didyap
Level 6

One other way that I could think of is to block server.napster.com using nbar instead of having the match protocol napster command which blocks ports 7777 and 8888 used by napster application. You can find the napster protocol specifications at:

http://opennap.sourceforge.net/napster.txt

rrijk
Level 1

Maybe you can try this (it probably needs some tuning). My main idea is: match telnet traffic before napster. Approve telnet and drop napster.

class-map match-any Telnet
 match protocol telnet
class-map match-any Napster
 match protocol napster
!
policy-map LAN
 class Telnet
  police conform-action transmit
 class Napster
  police conform-action drop
!
interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 service-policy input LAN

We have no problem telnetting, but one of our users needs to access telnet on port number 8888. According to your config, it will still block telnet on port 8888.

That is because you allow regular telnet, then block 8888. Please let me know if I am right or wrong.

Thanks for your reply.

According to Cisco, NBAR is able to inspect on a "deeper" level and will discover telnet on other TCP ports than the usual IANA port (i.e. other than telnet port 23). The function is called: ip nbar port-map.

Usage: ip nbar port-map protocol-name [tcp | udp] port-number.

So in your case it would be:

"ip nbar port-map telnet tcp 8888"

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cd0.html

regards,

RdR

Hi,

It works, thanks so much for help. Now I block napster and allow telnet 8888 at the same time.

One question if you can. How come I can use telnet 23 also, I thought when I use "ip nbar port-map telnet tcp 8888", it will only allow telnet 8888, not regular telnet. However, the router will allow regular telnet and telnet 8888 both. Just curious!!!

Thanks a million

Ken

Ken,

I think the behaviour is by design. See "configuring the ip nbar port-map function":

"To configure NBAR to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map global configuration command. Use the no form of this command to look for the protocol name using only the well-known port number."

The last sentence states: "using only". So in other words, the configured port (8888) is used to scan for telnet, but ALSO the well-known port (23).

regards,

RdR
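A consolidated configuration for the setup worked out in this thread, as an added example rather than any poster's own config: it combines RdR's port-map answer with rrijk's class/policy layout and adds the show commands that verify the result. It assumes an IOS release whose policy-map supports the drop class action; on older releases, use the police ... conform-action drop form from rrijk's post instead.

```cisco
! Added example, not from the thread. Goal: drop napster while telnet on
! both TCP 23 and TCP 8888 is forwarded.
!
! Teach NBAR to classify TCP/8888 as telnet in addition to the well-known
! port 23 (the "no" form would return telnet to port 23 only).
ip nbar port-map telnet tcp 8888
!
class-map match-any Telnet
 match protocol telnet
class-map match-any Napster
 match protocol napster
!
policy-map LAN
 class Telnet
  ! no action configured: telnet on 23 and 8888 is forwarded
 class Napster
  ! assumes an IOS release with the "drop" class action
  drop
 class class-default
  ! everything else is forwarded unchanged
!
interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 service-policy input LAN
!
! Verification from exec mode:
!  - confirm both 23 and 8888 are bound to telnet
!      show ip nbar port-map telnet
!  - confirm napster hits the Napster class (drops) and not the Telnet class
!      show policy-map interface FastEthernet0/0
```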