Wednesday, November 19, 2008

port-map feature

Ever forget what port number maps to what service? A router running an image with the IOS firewall feature set (Adv IP Services, Adv Security, or Adv Enterprise Services) will tell you all the common ones with the show ip port-map command. This table is the Port-to-Application Mapping (PAM) that CBAC (ip inspect) consults to decide which application-layer inspector to run on a connection, so it is worth knowing what is in it. Entries you add yourself with the ip port-map configuration command appear in the same output flagged "user defined" instead of "system defined":

Router#sh ip port-map
Default mapping: snmp udp port 161 system defined
Default mapping: echo tcp port 7 system defined
Default mapping: echo udp port 7 system defined
Default mapping: telnet tcp port 23 system defined
Default mapping: wins tcp port 1512 system defined
Default mapping: n2h2server tcp port 9285 system defined
Default mapping: n2h2server udp port 9285 system defined
Default mapping: nntp tcp port 119 system defined
Default mapping: pptp tcp port 1723 system defined
Default mapping: rtsp tcp port 554,8554 system defined
Default mapping: bootpc udp port 68 system defined
Default mapping: gdoi udp port 848 system defined
Default mapping: tacacs udp port 49 system defined

[output truncated]

You can, of course, filter for stuff you find interesting. The filter is a regex, so "| i 110" also matches ports like 1100 or 2110; anchor it ("| i port 110$") if you want an exact hit:

Router#sh ip port-map | i 110
Default mapping: pop3 tcp port 110 system defined

Thursday, November 13, 2008

in-line editing of Cisco ACLs

Many people don't realize that reasonably recent versions of IOS have in-line editing of named ACLs.

The way this works is that every entry in a named ACL carries a sequence number. The numbers are not stored in NVRAM, which is why they show up in show access-list but not in "show run" (and why they come back as 10, 20, 30 ... after a reload):

R1#sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2
20 permit gre host 3.3.3.3 host 4.4.4.4

In the example above, the line numbers are shown. If we just look at the config, they're not:

R1#sh run | s access-list
ip access-list extended TEST
permit tcp host 1.1.1.1 host 2.2.2.2
permit gre host 3.3.3.3 host 4.4.4.4


Now, let's say I want to make line number 10 more restrictive. Insert the stricter entry at a free sequence number between 10 and 20, then remove 10. Because the ACL is live while you edit it, doing it in that order matters: the flow is never left with no matching entry, falling through to the implicit deny at the end of the list:


R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext TEST
R1(config-ext-nacl)#15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
R1(config-ext-nacl)#do sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2
15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4
R1(config-ext-nacl)#no 10
R1(config-ext-nacl)#do sh access-list TEST
Extended IP access list TEST
15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4


If the odd sequence numbers really bother you, you can fix them. Resequencing keeps the entries in the same order and only renumbers them; it is also the way out when the two entries you need to insert between have adjacent numbers and there is no free slot:

R1(config)#ip access-list resequence TEST ?
<1-2147483647> Starting Sequence Number

R1(config)#ip access-list resequence TEST 10 ?
<1-2147483647> Step to increment the sequence number

R1(config)#ip access-list resequence TEST 10 10 ?


R1(config)#ip access-list resequence TEST 10 10
R1(config)#do sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4
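To make the sequence-number semantics concrete, here is an added Python model of a named ACL (example code written for this page, not IOS code and not part of the original post). It mimics insert-by-sequence, "no <seq>", and "resequence", renders both the show access-list and the show run views, and emits the commands to tighten an entry in the outage-free order used above: add the stricter line first, then remove the old one. The tighten_entry helper, its midpoint rule for choosing the new sequence number, and the automatic resequence when no slot is free are my assumptions; IOS itself does not pick a number for you.

```python
"""Model of IOS named-ACL sequence numbering (constructed example)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SEQ = 2147483647  # upper bound shown by the '?' help in the post
DEFAULT_START = 10
DEFAULT_STEP = 10


@dataclass
class NamedAcl:
    name: str
    kind: str = "extended"
    entries: Dict[int, str] = field(default_factory=dict)  # seq -> ACE text

    def add(self, ace: str, seq: Optional[int] = None) -> int:
        """Insert an ACE. Without a sequence number IOS appends at
        (last sequence + 10); reusing an existing number is an error."""
        if seq is None:
            seq = max(self.entries) + DEFAULT_STEP if self.entries else DEFAULT_START
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence {seq} out of range 1-{MAX_SEQ}")
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.entries[seq] = ace
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside the ACL sub-mode."""
        del self.entries[seq]

    def resequence(self, start: int = DEFAULT_START, step: int = DEFAULT_STEP) -> None:
        """Equivalent of 'ip access-list resequence <name> <start> <step>':
        renumber in place, preserving the order of the entries."""
        if start + step * (len(self.entries) - 1) > MAX_SEQ:
            raise ValueError("resequence would exceed the maximum sequence number")
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def show(self) -> str:
        """What 'show access-list <name>' prints: sequence numbers visible."""
        lines = [f"{self.kind.capitalize()} IP access list {self.name}"]
        lines += [f"    {s} {self.entries[s]}" for s in sorted(self.entries)]
        return "\n".join(lines)

    def running_config(self) -> str:
        """What 'show run | section access-list' prints: no sequence numbers."""
        lines = [f"ip access-list {self.kind} {self.name}"]
        lines += [f" {self.entries[s]}" for s in sorted(self.entries)]
        return "\n".join(lines)


def tighten_entry(acl: NamedAcl, old_seq: int, new_ace: str) -> List[str]:
    """Return the CLI that replaces entry old_seq with a stricter ACE.

    The new ACE is inserted first, at the midpoint between old_seq and the
    following entry, and old_seq is deleted afterwards, so the flow never
    drops through to the implicit deny.  If the neighbouring numbers are
    adjacent there is no free slot, so the ACL is resequenced first.
    (Assumed helper: IOS has no single command for this.)
    """
    if old_seq not in acl.entries:
        raise KeyError(f"no entry with sequence {old_seq}")
    cmds: List[str] = []
    seqs = sorted(acl.entries)
    idx = seqs.index(old_seq)
    nxt = seqs[idx + 1] if idx + 1 < len(seqs) else None
    if nxt is not None and nxt - old_seq < 2:
        acl.resequence(DEFAULT_START, DEFAULT_STEP)
        cmds.append(f"ip access-list resequence {acl.name} {DEFAULT_START} {DEFAULT_STEP}")
        old_seq = DEFAULT_START + idx * DEFAULT_STEP
        nxt = old_seq + DEFAULT_STEP
    new_seq = (old_seq + nxt) // 2 if nxt is not None else old_seq + DEFAULT_STEP // 2
    cmds.append(f"ip access-list {acl.kind} {acl.name}")
    acl.add(new_ace, new_seq)
    cmds.append(f" {new_seq} {new_ace}")
    acl.remove(old_seq)
    cmds.append(f" no {old_seq}")
    return cmds


if __name__ == "__main__":
    # Reproduce the TEST ACL from the post.
    test = NamedAcl("TEST")
    test.add("permit tcp host 1.1.1.1 host 2.2.2.2")
    test.add("permit gre host 3.3.3.3 host 4.4.4.4")
    print("\n".join(tighten_entry(test, 10, "permit tcp host 1.1.1.1 host 2.2.2.2 eq www")))
    print(test.show())
    test.resequence(10, 10)
    print(test.show())
    print(test.running_config())
```

The ordering in tighten_entry is the whole point: while the two commands are being typed the old, more permissive entry is still in force, which is the safe failure mode when you are tightening a permit. If the change you are making is the other way round (adding a deny in front of an existing permit), the deny is a new line and no deletion is needed, so there is no window to worry about.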

I'm not sure what IOS version this appeared in, but it's been around since at least the early 12.3T images.