RE: Problem regarding naming of port numbers [7:59276]
You're assuming IOS is a modern operating system or something akin to a data dictionary or programming language. It's not. :-) If the IOS engineers include keywords in the command line interface, then you can use them. If they don't, you can't.

Your idea sounds like a good one though. You could suggest it to Cisco, but I don't think they could easily accommodate such a change in philosophy.

Priscilla

Munit Singla wrote:
>
> Hi,
> There are default ports given in the IOS. We can use both to refer to those ports, by names as well as port numbers. Can we customize it and add to the default list ports by names, not by numbers? Or I want to use customized ports used for my applications by names in my access list.
> Is there any command to create customized ports by name?
> See what my problem is: when we make an extended access list we can define source and destination ports. There is a standard list of ports there to be used in the access list that we can use by number or name. If we want to customize the port according to our default application, we can add that port by number only. Is there a way to refer to those ports by names in my access list? And can we add these customized TCP/UDP ports to the default list which is displayed, so that we can refer to it whenever we like in our access-lists by name?
> Example:
> access-list 100 permit tcp any any eq Nortonvirus
> Here the Nortonvirus keyword should refer to port 5000, and this name and port mapping should get added to the default list so that I can refer to it later. Here I am assuming Norton's application is using port number 5000.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59324&t=59276
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Problem regarding naming of port numbers [7:59276]
Agreed. They do have a way to map additional ports to the pre-defined services though. So for telnet, for example, you can add port 233, 2333, etc., so when you specify 'telnet' in an ACL (or similar list) it matches port 23, 233, and 2333.

What's weird is I was looking at this yesterday, and for some ACL stuff the keyword is http and for other stuff it is www. I'm sure there's other keywords that mean the same as others but that's the one I noticed. Then again, I don't think port-map matches up to all the ACL keywords; I think it matches up against some other security features. I've used it for telnet in ACLs though with no problems in the past.

I guess consistency with port #s and service names would be a good thing. Maybe it would be nice if they didn't hardcode these in IOS but referenced a services file on the flash that could be editable like in most OS's. I think this may happen... it seems they are starting to clean up IOS and get rid of old protocols and modularize stuff so it uses similar syntax. MQC for example.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59341&t=59276
Re: Problem regarding naming of port numbers [7:59276]
At 8:27 AM + 12/16/02, Munit Singla wrote:
> Example:
> access-list 100 permit tcp any any eq Nortonvirus
> Here the Nortonvirus keyword should refer to port 5000, and this name and port mapping should get added to the default list so that I can refer to it later.

This is one of the reasons why I keep my configs on a server, preferably UNIX. It's a trivial matter to define Nortonvirus as a macro string when you write a config, which then runs through a macro processor before the configuration goes into the router by TFTP or Telnet. The macro processor will substitute whatever you've told it -- once -- what "Nortonvirus" maps to.

In like manner, you can write your standard passwords, access lists, etc., as macros. The configurations you actually read and write (as a human) become much easier to follow.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59346&t=59276
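As an added example, not code from the thread, here is a small Python stand-in for the macro-processor step just described, driven by an editable name-to-port table of the kind Erick B. wishes IOS read from flash. The table entries, the template lines and the port 5000 for Nortonvirus are constructed for illustration; the script also goes beyond the single `eq` case to `range`, and refuses to produce output if any name is unresolved, so a misspelled name can never reach the router as a bare word.

```python
import re

# Constructed services table (name -> port), the editable equivalent of
# /etc/services; aliases such as www and http can share a number.
SERVICES = {
    "telnet": 23,
    "www": 80,
    "http": 80,
    "Nortonvirus": 5000,  # assumed port for the thread's example application
}

# Port operands of an extended ACL entry: "eq|neq|lt|gt <port>" and
# "range <low> <high>", where each operand may be a number or a name.
_PORT_OP = re.compile(r"\b(eq|neq|lt|gt)\s+(\S+)")
_RANGE_OP = re.compile(r"\brange\s+(\S+)\s+(\S+)")

class UnresolvedPortName(ValueError):
    """A symbolic port name that is missing from the services table."""

def resolve(token, services=SERVICES):
    """Map a numeric or symbolic port token to an int in 0..65535."""
    if token.isdigit():
        port = int(token)
    elif token in services:
        port = services[token]
    else:
        raise UnresolvedPortName(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port

def expand_line(line, services=SERVICES):
    """Replace symbolic ports in one config line; comments pass through."""
    if line.lstrip().startswith("!"):
        return line

    def sub_range(m):
        lo, hi = resolve(m.group(1), services), resolve(m.group(2), services)
        if lo > hi:
            raise ValueError(f"inverted range: {m.group(0)}")
        return f"range {lo} {hi}"

    def sub_single(m):
        return f"{m.group(1)} {resolve(m.group(2), services)}"

    line = _RANGE_OP.sub(sub_range, line)
    return _PORT_OP.sub(sub_single, line)

def expand_config(text, services=SERVICES):
    """Expand a whole template; fail closed on the first unknown name."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            out.append(expand_line(line, services))
        except UnresolvedPortName as e:
            raise UnresolvedPortName(f"line {n}: unknown name {e}") from None
    return "\n".join(out)

TEMPLATE = """\
! constructed template; symbolic names are resolved before the push
access-list 100 permit tcp any any eq Nortonvirus
access-list 100 permit tcp any host 10.0.0.5 eq www
access-list 100 permit tcp any any range telnet http
access-list 100 deny   tcp any any gt 1023 log
"""

if __name__ == "__main__":
    print(expand_config(TEMPLATE))
```

Because the router only ever receives numbers, `show access-list` will display `eq 5000`; the name survives only in the template on the server, so that template (and the services table) is the copy to keep under change control.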
Re: Problem regarding naming of port numbers [7:59276]
Thanx for the reply. I have heard a lot about you from this group. Great to meet you.

Regards,
Munit

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59360&t=59276
Re: Problem regarding naming of port numbers [7:59276]
Hi Eric,
Thanx for the reply. Can you tell me with which command we can assign different ports to the same keyword?

Regards,
Munit

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59361&t=59276
Re: Problem regarding naming of port numbers [7:59276]
Munit Singla wrote:
> Can you tell me with which command we can assign different ports to the same keyword?

Port to Application Mapping (PAM) is a feature of the Cisco IOS Firewall feature set. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.

Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. Previously, CBAC was limited to inspecting traffic using only the well-known or registered ports associated with an application. Now, PAM allows network administrators to customize network access control for specific applications and services.

If you aren't using CBAC, I don't know if you can do this, though.

More on PAM here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfpam.htm#13687

Regarding the comment below that CBAC uses the keyword "http" instead of the "www" used in extended access lists, I agree that's strange. It almost seems like CBAC came from a Cisco acquisition perhaps. It's different enough from ordinary IOS to make one wonder.

Priscilla

"Erick B." wrote:
> What's weird is I was looking at this yesterday, and for some ACL stuff the keyword is http and for other stuff it is www. I'm sure there's other keywords that mean the same as others but that's the one I noticed.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59394&t=59276
Re: Problem regarding naming of port numbers [7:59276]
Thanx Priscilla, for the info.

Regards,
Munit Singla