11-18-2004 07:58 AM - edited 03-02-2019 08:02 PM
We use NBAR to block all P2P traffic, e.g. kazaa, napster, etc.
However, we have a user who needs to telnet to the outside world with port number 8888, but he couldn't get to it. After investigating, we found out napster is using port 8888. So we have to take out protocol napster to allow the user to access telnet 8888.
I tried to use an access-list to open the port, but it seems like NBAR supersedes the access-list. How to block napster and allow the user to telnet with port 8888 at the same time??
Thanks a million
11-24-2004 09:39 AM
One other way that I could think of is to block server.napster.com using NBAR instead of having the match protocol napster command, which blocks ports 7777 and 8888 used by the napster application. You can find the napster protocol specifications at:
11-26-2004 04:05 AM
Maybe you can try this (it probably needs some tuning). My main idea is: match telnet traffic before napster. Approve telnet and drop napster.
! Classes are evaluated in the order they appear in the policy-map,
! so Telnet is checked before Napster.
class-map match-any Telnet
 match protocol telnet
class-map match-any Napster
 match protocol napster
!
! "police" requires a rate; 8000 bps is used here only so the command
! parses, the actions are what matter (transmit for telnet, drop for napster).
policy-map LAN
 class Telnet
  police 8000 conform-action transmit exceed-action transmit
 class Napster
  police 8000 conform-action drop exceed-action drop
!
interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 service-policy input LAN
11-26-2004 08:00 PM
We have no problem telnetting, but one of our users needs to access telnet with port number 8888. According to your config, it will still block telnet with port 8888.
It is because you allow regular telnet, then block 8888. Please let me know if I am right or wrong.
Thanks for your reply.
11-27-2004 12:52 AM
According to Cisco, NBAR is able to inspect on a "deeper" level and will discover telnet on other TCP ports than the usual IANA port (i.e. other than telnet port 23). The function is called: ip nbar port-map.
Usage: ip nbar port-map protocol-name [tcp | udp] port-number.
So in your case it would be:
"ip nbar port-map telnet tcp 8888"
regards,
RdR
11-30-2004 01:10 PM
Hi,
It works, thanks so much for help. Now I block napster and allow telnet 8888 at the same time.
One question if you can. How come I can use telnet 23 also, I thought when I use "ip nbar port-map telnet tcp 8888", it will only allow telnet 8888, not regular telnet. However, the router will allow regular telnet and telnet 8888 both. Just curious!!!
Thanks millions
Ken
12-01-2004 06:43 AM
Ken,
I think the behaviour is by design. See "configuring the ip nbar port-map function":
"To configure NBAR to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map global configuration command. Use the no form of this command to look for the protocol name using only the well-known port number."
The last sentence states: "using only". So in other words, the configured port (8888) is used to scan for telnet, but ALSO the well-known port (23).
regards,
RdR
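Pulling the thread together, the configuration below combines RdR's port-map command with the class-ordering idea from the earlier policy-map post. It is an added example, not a configuration any poster in this thread actually ran or verified. It assumes the MQC syntax of IOS of that era; the interface name, addresses and the police rate are placeholders, and the exact NBAR protocol keywords for other P2P applications vary by IOS release, so only napster (the one named in the thread) is matched here.

```cisco
! Added example: consolidated NBAR configuration for this thread's problem.
! Not a poster's verified config; interface, addresses and rate are placeholders.
!
! 1. Teach NBAR that telnet may also run on TCP 8888.
!    This ADDS 8888 to the telnet port-map; the well-known port 23 stays
!    recognised (the "no" form is what restricts matching to 23 only).
ip nbar port-map telnet tcp 8888
!
! 2. Classification. Telnet is listed first in the policy-map, so a session
!    on TCP 8888 that NBAR classifies as telnet is forwarded before the
!    napster class (whose port-map still covers 7777 and 8888) is consulted.
class-map match-any Telnet
 match protocol telnet
class-map match-any P2P
 match protocol napster
 ! add further "match protocol" lines for other P2P protocols your
 ! IOS release's NBAR recognises
!
policy-map LAN
 class Telnet
  ! no action configured: matched traffic is simply forwarded
 class P2P
  police 8000 conform-action drop exceed-action drop
!
! 3. Apply inbound on the LAN-facing interface (placeholder name/addresses).
interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 service-policy input LAN
!
! Verification:
!   show ip nbar port-map telnet        -> confirm both 23 and 8888 are listed
!   show policy-map interface FastEthernet0/0  -> watch P2P drop counters
```

If a legitimate application other than telnet also lives on 8888, the port-map alone will not help, because NBAR would still classify it as napster; in that case narrow the P2P class further (for example with an ACL-based match on the specific server addresses) rather than widening the telnet port-map.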