Dale said:
What's the source of the protocol numbers 1, 6, 17, etc? While I haven't
done network admin for a while, I'm not completely unknowledgeable in the
subject but I have never come across that.
Dale
I did a search last night on Live Search and got that snip from a Cisco page.
http://www-europe.cisco.com/en/US/p...ommand_reference_chapter09186a00800ec9e6.html
The full quote is from the entry for - author_service:
"The services which require authorization. Use any, ftp, http, telnet, or
protocol/port. Use any to provide authorization for all TCP services. To provide
authorization for UDP services, use the protocol/port form.
Services not specified are authorized implicitly. Services specified in the aaa
authentication command do not affect the services which require authorization.
For protocol/port:
protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).
port—the TCP or UDP destination port, or port range. The port can also be the
ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all
ports. Port ranges only applies to the TCP and UDP protocols, not to ICMP. For
protocols other than TCP, UDP, and ICMP the port is not applicable and should
not be used. An example port specification follows.
aaa authorization include udp/53-1024 inside 0 0 0 0
This example enables authorization for DNS lookups to the inside interface for
all clients, and authorizes access to any other services that have ports in the
range of 53 to 1024.
Note Specifying a port range may produce unexpected results at the authorization
server. PIX Firewall sends the port range to the server as a string with the
expectation that the server will parse it out into specific ports. Not all
servers do this. In addition, you may want users to be authorized on specific
services, which will not occur if a range is accepted."
-steve
