Daily Archives: January 24, 2012

HTTP Inspection on non-standard ports with the Cisco Zone-based Policy Firewall

This post uses the ip port-map command as an auxiliary resource to enable HTTP inspection on the Cisco Zone-based Policy Firewall (ZFW).

In our reference topology, HTTP is enabled on ports 2002 and 2003 for host 172.17.3.40. The ip port-map command simply instructs the router to treat these ports as HTTP rather than as generic TCP. With this type of setup, any application-layer (L7) configuration that applies to HTTP on its default port is equally valid for the non-standard range of ports.

Inspecting HTTP on non-standard ports with the Cisco Zone-based Policy Firewall
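The following IOS configuration is an added example of the setup described above; it is not the original post's configuration. The server address 172.17.3.40 and ports 2002/2003 come from the reference topology; the zone names, policy names and interfaces are assumptions.

```cisco
! Added example (not the original post's configuration). Assumes zones
! INSIDE/OUTSIDE on GigabitEthernet0/0 and 0/1; the server 172.17.3.40
! and TCP ports 2002/2003 come from the post's reference topology.
!
! Standard ACL naming the host whose non-standard ports carry HTTP
access-list 1 permit host 172.17.3.40
!
! Treat TCP 2002 and 2003 as HTTP, but only for hosts matched by ACL 1;
! everywhere else these ports remain generic TCP
ip port-map http port tcp 2002 2003 list 1
!
! Per-session audit-trail messages make the port mapping observable in syslog
parameter-map type inspect HTTP-PMAP
 audit-trail on
!
! Match on the protocol, not the port: the port-map entry makes
! 2002/2003 to 172.17.3.40 count as "http" for this class
class-map type inspect match-any HTTP-CLASS
 match protocol http
!
policy-map type inspect IN-OUT-POLICY
 class type inspect HTTP-CLASS
  inspect HTTP-PMAP
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

To confirm the mapping took effect, show ip port-map http should list 2002 and 2003 beside port 80, and show policy-map type inspect zone-pair sessions should report sessions to 172.17.3.40:2002 as http rather than tcp.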

** Topics for Study:

  • Play with the ip port-map command for other protocols. What is the default port for SIP? And for MGCP?
  • What is different in the audit-trail message in this example when contrasted to the connection logging messages for a single-channel protocol like telnet? (If needed, revisit previous posts in the ZFW series.)
  • Does the ip port-map command apply to Context Based Access Control (CBAC)?
