I wonder whether there is any possibility for NBAR to match more than 16 ports for each type of protocol (for example FastTrack)? The problem is that, for example, iMesh uses ports between 1024 and 7000! I successfully managed to block P2P applications using string matching in iptables (Linux); the thing is that I have no idea how to create an access-list or class-map based on strings in packets.
Has anyone managed to shape today's P2P traffic using Cisco routers?
The only way out of the "max 16 ports" predicament (?... :) ) that I know of is to use access lists. There is no limit on the number of entries in an access list. If the desired action is the same irrespective of the port (which seems to be the case here), then this is the way out. For examples, see the following docs:
Has anyone had success using the kazaa2.pdlm? Does it encounter the same 16-port issue? I have used it, created a class map and set a policy to drop all packets. However, it only stops the packets for about a minute and then they get through (packet counters increase as shown below).
test#sh ip nbar protocol-discovery protocol kazaa2
You can't define ports for kazaa2 NBAR, so it probably means that it is working on all ports. I don't know why, but I can't access PDLMs on the Cisco site using a standard login. Is it somehow restricted?
I've heard that kazaa2 NBAR wasn't accurate at limiting traffic, but it blocks transmissions without any problems. What I propose is to block kazaa2 on all ports except 1214 and put this port into a proper class-map. Port 1214 is used only by Kazaa and other P2P. Of course Kazaa will work much slower, but in the end you have managed to control it without blocking it, if you are not allowed to block it.
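As an added illustration of the two approaches raised in this thread (an extended access list for a port range that exceeds NBAR's 16-port limit, and a kazaa2 class split into "port 1214, police it" versus "any other port, drop it"), here is an IOS MQC configuration. It is example configuration written for this page, not anything posted by the participants. The interface name, the ACL and class-map names, and the policer rates are assumptions; the 1024-7000 range is the one quoted for iMesh above, and the PDLM location is assumed to be flash.

```cisco
! NBAR classification needs CEF switching enabled.
ip cef
!
! Load the kazaa2 PDLM (assumed to sit in flash; adjust the path).
ip nbar pdlm flash:kazaa2.pdlm
!
! Approach 1 (from the ACL reply above): an ACL has no 16-port limit,
! so a whole port range can be classified in one entry per protocol.
! Assumed range taken from the iMesh example in the question.
ip access-list extended P2P-PORT-RANGE
 permit tcp any any range 1024 7000
 permit udp any any range 1024 7000
!
! Port 1214 in either direction (client -> server or server -> client).
ip access-list extended KAZAA-1214
 permit tcp any any eq 1214
 permit tcp any eq 1214 any
!
! Approach 2 (from the kazaa2 reply above): NBAR recognises kazaa2 on
! any port, so "kazaa2 AND NOT port 1214" is everything we want to drop.
class-map match-all KAZAA2-OTHER-PORTS
 match protocol kazaa2
 match not access-group name KAZAA-1214
!
! kazaa2 on its well-known port is kept but rate-limited, not dropped.
class-map match-all KAZAA2-1214
 match protocol kazaa2
 match access-group name KAZAA-1214
!
! The ACL-only class for the port range that NBAR cannot express.
class-map match-any P2P-PORTS
 match access-group name P2P-PORT-RANGE
!
! Order matters: the more specific NBAR classes are evaluated first.
policy-map P2P-CONTROL
 class KAZAA2-OTHER-PORTS
  drop
 class KAZAA2-1214
  police 64000 8000 conform-action transmit exceed-action drop
 class P2P-PORTS
  police 128000 16000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! Apply on the LAN-facing interface (assumed name) in the inbound
! direction so uploads are controlled before they reach the WAN.
interface FastEthernet0/0
 service-policy input P2P-CONTROL
```

Two caveats a practitioner should keep in mind. First, a bare 1024-7000 range also covers the ephemeral source ports of ordinary client sessions, so the P2P-PORTS class should be narrowed (for example by destination host/subnet or by combining it with other match criteria) before it is used for anything stronger than policing. Second, verify the classes with `show policy-map interface FastEthernet0/0` rather than trusting `show ip nbar protocol-discovery`, since protocol-discovery counters only reflect packets NBAR identified and say nothing about what the policy actually dropped or policed.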