Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
5
Helpful
6
Replies

NBAR questions!!

jolo07310
Level 5
Level 5

‎11-18-2004 07:58 AM - edited ‎03-02-2019 08:02 PM

We use NBAR to block all P2P traffic, e.g. kazaa, naspter, etc.

However, we have user to need to telnet outside world with port number 8888, but he couldn't get to it. After investigating, we found out naspter is using port 8888. So we have to take out protocal naspter to allow the user to access telnet 8888.

I try to use access-list to open a port, but seems like NBAR supercede access-list. How to block naspter and allow user to telnet with port 8888 at the same time??

Thanks a millions

Labels:
0 Helpful
6 Replies 6

didyap
Level 6
Level 6

‎11-24-2004 09:39 AM

One other way that I could think of is to block server.napster.com using nbar instead of having the match protocol napster command which blocks ports 7777 and 8888 used by napster application. You can find the napster protocol specifications at:

http://opennap.sourceforge.net/napster.txt

0 Helpful

rrijk
Level 1
Level 1

‎11-26-2004 04:05 AM

Maybe you can try this (It probably need some tuning). My main idea is: Match teknet traffic before napster. Aprove telnet and drop napster.

class-map match-any Telnet

match protocol telnet

class-map match-any Napster

match protocol napster

!

policy-map LAN

class Telnet

police conform-action transmit

class Napster

police conform-action drop

!

interface FastEthernet0/0

ip address x.x.x.x y.y.y.y

service-policy input LAN

0 Helpful

jolo07310
Level 5
Level 5
In response to rrijk

‎11-26-2004 08:00 PM

we have no problem to telnet, but one of users need to access telnet with port number 8888. According your config, it will still block telnet with port 8888.

It is because you allow regular telnet, then block 8888. Please let me know if I am wrong or right.

Thanks your reply.

0 Helpful

rrijk
Level 1
Level 1
In response to jolo07310

‎11-27-2004 12:52 AM

According to Cisco NBAR is able to inspect on a "deeper" level and will discover telnet on othet TCP ports then the usual IANA port (ie other then telnet port 23). The function is called: ip nbar port-map.

Usage: ip nbar port-map protocol-name [tcp | udp] port-number.

So in your case it would be:

"ip nbar port-map telnet tcp 8888"

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cd0.html

regards,

RdR

0 Helpful

jolo07310
Level 5
Level 5
In response to rrijk

‎11-30-2004 01:10 PM

Hi,

It works, thanks so much for help. Now I block napster and allow telnet 8888 at the same time.

One question if you can. How come I can use telnet 23 also, I thought when I use "ip nbar port-map telnet tcp 8888", it will only allow telnet 8888, not regular telnet. However, the router will allow regular telnet and telnet 8888 both. Just curious!!!

Thanks millions

Ken

0 Helpful

rrijk
Level 1
Level 1
In response to jolo07310

‎12-01-2004 06:43 AM

Ken,

I think the behaviour is by design See configuring the ip nbar port-map function:

"To configure NBAR to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map global configuration command. Use the no form of this command to look for the protocol name using only the well-known port number."

The last sentence states: "using only". So in other words, the configured port (8888) is used to scan for telnet, but ALSO the well-known port (23).

regards,

RdR

Customers Also Viewed These Support Documents