Cisco ASA 1000V ASDM Configuration Guide, 6.7
Addresses, Protocols, and Ports
Table Of Contents

Addresses, Protocols, and Ports

IPv4 Addresses and Subnet Masks

Classes

Private Networks

Subnet Masks

Determining the Subnet Mask

Determining the Address to Use with the Subnet Mask

Protocols and Applications

TCP and UDP Ports

Local Ports and Protocols

ICMP Types


Addresses, Protocols, and Ports


This appendix provides a quick reference for IP addresses, protocols, and applications. This appendix includes the following sections:

IPv4 Addresses and Subnet Masks

Protocols and Applications

TCP and UDP Ports

Local Ports and Protocols

ICMP Types

IPv4 Addresses and Subnet Masks

This section describes how to use IPv4 addresses in the ASA 1000V. An IPv4 address is a 32-bit number written in dotted-decimal notation: four 8-bit fields (octets) converted from binary to decimal numbers, separated by dots. The first part of an IP address identifies the network on which the host resides, while the second part identifies the particular host on the given network. The network number field is called the network prefix. All hosts on a given network share the same network prefix but must have a unique host number. In classful IP, the class of the address determines the boundary between the network prefix and the host number.

This section includes the following topics:

Classes

Private Networks

Subnet Masks

Classes

IP host addresses are divided into three different address classes: Class A, Class B, and Class C. Each class fixes the boundary between the network prefix and the host number at a different point within the 32-bit address. Class D addresses are reserved for multicast IP.

Class A addresses (1.xxx.xxx.xxx through 126.xxx.xxx.xxx) use only the first octet as the network prefix.

Class B addresses (128.0.xxx.xxx through 191.255.xxx.xxx) use the first two octets as the network prefix.

Class C addresses (192.0.0.xxx through 223.255.255.xxx) use the first three octets as the network prefix.

Because Class A addresses have 16,777,214 host addresses and Class B addresses have 65,534, you can use subnet masking to break these huge networks into smaller subnets.

Private Networks

If you need large numbers of addresses on your network, and they do not need to be routed on the Internet, you can use private IP addresses that the Internet Assigned Numbers Authority (IANA) recommends (see RFC 1918). The following address ranges are designated as private networks that should not be advertised:

10.0.0.0 through 10.255.255.255

172.16.0.0 through 172.31.255.255

192.168.0.0 through 192.168.255.255

Subnet Masks

A subnet mask lets you convert a single Class A, B, or C network into multiple networks. With a subnet mask, you can create an extended network prefix that adds bits from the host number to the network prefix. For example, a Class C network prefix always consists of the first three octets of the IP address. But a Class C extended network prefix uses part of the fourth octet as well.

Subnet masking is easy to understand if you use binary notation instead of dotted decimal. The bits in the subnet mask have a one-to-one correspondence with the Internet address:

The bits are set to 1 if the corresponding bit in the IP address is part of the extended network prefix.

The bits are set to 0 if the bit is part of the host number.

Example 1: If you have the Class B address 129.10.0.0 and you want to use the entire third octet as part of the extended network prefix instead of the host number, then you must specify a subnet mask of 11111111.11111111.11111111.00000000. This subnet mask converts the Class B address into the equivalent of a Class C address, where the host number consists of the last octet only.

Example 2: If you want to use only part of the third octet for the extended network prefix, then you must specify a subnet mask like 11111111.11111111.11111000.00000000, which uses only 5 bits of the third octet for the extended network prefix.

You can write a subnet mask as a dotted-decimal mask or as a /bits ("slash bits") mask. In Example 1, for a dotted-decimal mask, you convert each binary octet into a decimal number: 255.255.255.0. For a /bits mask, you add the number of 1s: /24. In Example 2, the decimal number is 255.255.248.0 and the /bits is /21.

You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20.

This section includes the following topics:

Determining the Subnet Mask

Determining the Address to Use with the Subnet Mask

Determining the Subnet Mask

To determine the subnet mask based on how many hosts you want, see Table A-1.

Table A-1 Hosts, Bits, and Dotted-Decimal Masks

Hosts (1)      /Bits Mask   Dotted-Decimal Mask
16,777,216     /8           255.0.0.0 (Class A Network)
65,536         /16          255.255.0.0 (Class B Network)
32,768         /17          255.255.128.0
16,384         /18          255.255.192.0
8192           /19          255.255.224.0
4096           /20          255.255.240.0
2048           /21          255.255.248.0
1024           /22          255.255.252.0
512            /23          255.255.254.0
256            /24          255.255.255.0 (Class C Network)
128            /25          255.255.255.128
64             /26          255.255.255.192
32             /27          255.255.255.224
16             /28          255.255.255.240
8              /29          255.255.255.248
4              /30          255.255.255.252
Do not use     /31          255.255.255.254
1              /32          255.255.255.255 (Single Host Address)

(1) The first and last number of a subnet are reserved, except for /32, which identifies a single host.


Determining the Address to Use with the Subnet Mask

The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network. This section includes the following topics:

Class C-Size Network Address

Class B-Size Network Address

Class C-Size Network Address

For a network between 2 and 254 hosts, the fourth octet falls on a multiple of the number of host addresses, starting with 0. For example, Table A-2 shows the 8-host subnets (/29) of 192.168.0.x.

Table A-2 Class C-Size Network Address

Subnet with Mask /29 (255.255.255.248)   Address Range (1)
192.168.0.0                              192.168.0.0 to 192.168.0.7
192.168.0.8                              192.168.0.8 to 192.168.0.15
192.168.0.16                             192.168.0.16 to 192.168.0.31
...
192.168.0.248                            192.168.0.248 to 192.168.0.255

(1) The first and last address of a subnet are reserved. In the first subnet example, you cannot use 192.168.0.0 or 192.168.0.7.


Class B-Size Network Address

To determine the network address to use with the subnet mask for a network with between 254 and 65,534 hosts, you need to determine the value of the third octet for each possible extended network prefix. For example, you might want to subnet an address like 10.1.x.0, where the first two octets are fixed because they are used in the extended network prefix, and the fourth octet is 0 because all bits are used for the host number.

To determine the value of the third octet, follow these steps:


Step 1 Calculate how many subnets you can make from the network by dividing 65,536 (the total number of addresses using the third and fourth octet) by the number of host addresses you want.

For example, 65,536 divided by 4096 hosts equals 16.

Therefore, there are 16 subnets of 4096 addresses each in a Class B-size network.

Step 2 Determine the multiple of the third octet value by dividing 256 (the number of values for the third octet) by the number of subnets:

In this example, 256/16 = 16.

The third octet falls on a multiple of 16, starting with 0.

Therefore, Table A-3 shows the 16 subnets of the network 10.1.

Table A-3 Subnets of Network

Subnet with Mask /20 (255.255.240.0)   Address Range (1)
10.1.0.0                               10.1.0.0 to 10.1.15.255
10.1.16.0                              10.1.16.0 to 10.1.31.255
10.1.32.0                              10.1.32.0 to 10.1.47.255
...
10.1.240.0                             10.1.240.0 to 10.1.255.255

(1) The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
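As an added example (not code from the Cisco guide), the mask conversions from Examples 1 and 2, the sizing rule of Table A-1, and the two-step Class B-size procedure above, written in Python with plain integer arithmetic; the function names are mine, and the standard-library ipaddress module is used only to parse addresses and list the subnet ranges that Tables A-2 and A-3 tabulate.

```python
# Added example, not from the ASA 1000V guide: subnet-mask arithmetic
# for Appendix A. Function names are this example's own.
import ipaddress

MASK32 = 0xFFFFFFFF


def prefix_to_mask(bits):
    """/bits -> dotted-decimal mask, e.g. 21 -> '255.255.248.0' (Example 2)."""
    return str(ipaddress.IPv4Address((MASK32 << (32 - bits)) & MASK32))


def mask_to_prefix(dotted):
    """Dotted-decimal mask -> /bits, e.g. '255.255.255.0' -> 24 (Example 1).
    Rejects a mask whose 1 bits are not contiguous, such as 255.0.255.0."""
    m = int(ipaddress.IPv4Address(dotted))
    bits = bin(m).count("1")
    if m != (MASK32 << (32 - bits)) & MASK32:
        raise ValueError(f"non-contiguous mask {dotted}")
    return bits


def prefix_for_addresses(addresses):
    """Smallest /bits whose block holds `addresses` addresses (Table A-1)."""
    bits = 32
    while (1 << (32 - bits)) < addresses:
        bits -= 1
    return bits


def usable_hosts(bits):
    """Assignable hosts per the Table A-1 note: first and last address are
    reserved, /32 is a single host, /31 is not used."""
    if bits == 32:
        return 1
    if bits == 31:
        return 0
    return (1 << (32 - bits)) - 2


def class_b_subnet_plan(hosts_per_subnet):
    """Steps 1 and 2: subnets per Class B-size network and the multiple the
    third octet falls on, e.g. 4096 hosts -> (16, 16)."""
    count = 65536 // hosts_per_subnet   # Step 1: 65,536 / hosts
    step = 256 // count                 # Step 2: 256 / subnets
    return count, step


def subnets(network, new_prefix):
    """(subnet, first, last) for each /new_prefix block of `network`, the
    way Tables A-2 and A-3 are built, e.g. subnets('10.1.0.0/16', 20)."""
    net = ipaddress.IPv4Network(network)
    return [(str(s.network_address), str(s.network_address),
             str(s.broadcast_address))
            for s in net.subnets(new_prefix=new_prefix)]
```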



Protocols and Applications

Table A-4 lists the protocol literal values and port numbers; either can be entered in ASA 1000V commands.

Table A-4 Protocol Literal Values

Literal   Value   Description
gre       47      Generic Routing Encapsulation.
icmp      1       Internet Control Message Protocol, RFC 792.
igmp      2       Internet Group Management Protocol, RFC 1112.
igrp      9       Interior Gateway Routing Protocol.
ip        0       Internet Protocol.
ipinip    4       IP-in-IP encapsulation.
ipsec     50      IP Security. Entering the ipsec protocol literal is equivalent to entering the esp protocol literal.
nos       94      Network Operating System (Novell's NetWare).
pcp       108     Payload Compression Protocol.
pptp      47      Point-to-Point Tunneling Protocol. Entering the pptp protocol literal is equivalent to entering the gre protocol literal.
snp       109     Sitara Networks Protocol.
tcp       6       Transmission Control Protocol, RFC 793.
udp       17      User Datagram Protocol, RFC 768.


Protocol numbers can be viewed online at the IANA website:

http://www.iana.org/assignments/protocol-numbers

TCP and UDP Ports

Table A-5 lists the literal values and port numbers; either can be entered in ASA 1000V commands. See the following caveats:

The ASA 1000V uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net. This value, however, does not agree with IANA port assignments.

The ASA 1000V listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses the standard ports 1812 and 1813, you can configure the ASA 1000V to listen to those ports using the authentication-port and accounting-port commands.

To assign a port for DNS access, use the domain literal value, not dns. If you use dns, the ASA 1000V assumes you meant to use the dnsix literal value.

Port numbers can be viewed online at the IANA website:

http://www.iana.org/assignments/port-numbers

Table A-5 Port Literal Values

Literal             TCP or UDP?   Value   Description
aol                 TCP           5190    America Online
bgp                 TCP           179     Border Gateway Protocol, RFC 1163
biff                UDP           512     Used by mail system to notify users that new mail is received
bootpc              UDP           68      Bootstrap Protocol Client
bootps              UDP           67      Bootstrap Protocol Server
chargen             TCP           19      Character Generator
citrix-ica          TCP           1494    Citrix Independent Computing Architecture (ICA) protocol
cmd                 TCP           514     Similar to exec except that cmd has automatic authentication
ctiqbe              TCP           2748    Computer Telephony Interface Quick Buffer Encoding
daytime             TCP           13      Day time, RFC 867
discard             TCP, UDP      9       Discard
domain              TCP, UDP      53      DNS
dnsix               UDP           195     DNSIX Session Management Module Audit Redirector
echo                TCP, UDP      7       Echo
exec                TCP           512     Remote process execution
finger              TCP           79      Finger
ftp                 TCP           21      File Transfer Protocol (control port)
ftp-data            TCP           20      File Transfer Protocol (data port)
gopher              TCP           70      Gopher
https               TCP           443     HTTP over SSL
h323                TCP           1720    H.323 call signalling
hostname            TCP           101     NIC Host Name Server
ident               TCP           113     Ident authentication service
imap4               TCP           143     Internet Message Access Protocol, version 4
irc                 TCP           194     Internet Relay Chat protocol
isakmp              UDP           500     Internet Security Association and Key Management Protocol
kerberos            TCP, UDP      750     Kerberos
klogin              TCP           543     KLOGIN
kshell              TCP           544     Korn Shell
ldap                TCP           389     Lightweight Directory Access Protocol
ldaps               TCP           636     Lightweight Directory Access Protocol (SSL)
lpd                 TCP           515     Line Printer Daemon - printer spooler
login               TCP           513     Remote login
lotusnotes          TCP           1352    IBM Lotus Notes
mobile-ip           UDP           434     MobileIP-Agent
nameserver          UDP           42      Host Name Server
netbios-ns          UDP           137     NetBIOS Name Service
netbios-dgm         UDP           138     NetBIOS Datagram Service
netbios-ssn         TCP           139     NetBIOS Session Service
nntp                TCP           119     Network News Transfer Protocol
ntp                 UDP           123     Network Time Protocol
pcanywhere-status   UDP           5632    pcAnywhere status
pcanywhere-data     TCP           5631    pcAnywhere data
pim-auto-rp         TCP, UDP      496     Protocol Independent Multicast, reverse path flooding, dense mode
pop2                TCP           109     Post Office Protocol - Version 2
pop3                TCP           110     Post Office Protocol - Version 3
pptp                TCP           1723    Point-to-Point Tunneling Protocol
radius              UDP           1645    Remote Authentication Dial-In User Service
radius-acct         UDP           1646    Remote Authentication Dial-In User Service (accounting)
rip                 UDP           520     Routing Information Protocol
secureid-udp        UDP           5510    SecureID over UDP
smtp                TCP           25      Simple Mail Transport Protocol
snmp                UDP           161     Simple Network Management Protocol
snmptrap            UDP           162     Simple Network Management Protocol - Trap
sqlnet              TCP           1521    Structured Query Language Network
ssh                 TCP           22      Secure Shell
sunrpc (rpc)        TCP, UDP      111     Sun Remote Procedure Call
syslog              UDP           514     System Log
tacacs              TCP, UDP      49      Terminal Access Controller Access Control System Plus
talk                TCP, UDP      517     Talk
telnet              TCP           23      RFC 854 Telnet
tftp                UDP           69      Trivial File Transfer Protocol
time                UDP           37      Time
uucp                TCP           540     UNIX-to-UNIX Copy Program
who                 UDP           513     Who
whois               TCP           43      Who Is
www                 TCP           80      World Wide Web
xdmcp               UDP           177     X Display Manager Control Protocol


Local Ports and Protocols

Table A-6 lists the protocols, TCP ports, and UDP ports that the ASA 1000V may open to process traffic destined to the ASA 1000V. Unless you enable the features and services listed in Table A-6, the ASA 1000V does not open any local protocols or any TCP or UDP ports. You must configure a feature or service for the ASA 1000V to open the default listening protocol or port. In many cases you can configure ports other than the default port when you enable a feature or service.

Table A-6 Protocols and Ports Opened by Features and Services

Feature or Service                          Protocol                     Port Number   Comments
DHCP                                        UDP                          67,68
Failover Control                            105                          N/A
HTTP                                        TCP                          80
HTTPS                                       TCP                          443
ICMP                                        1                            N/A
IGMP                                        2                            N/A           Protocol only open on destination IP address 224.0.0.1
ISAKMP/IKE                                  UDP                          500           Configurable.
IPsec (ESP)                                 50                           N/A
IPsec over UDP (NAT-T)                      UDP                          4500
IPsec over UDP                              UDP                          10000         Configurable.
IPsec over TCP (CTCP)                       TCP                          --            No default port is used. You must specify the port number when configuring IPsec over TCP.
NTP                                         UDP                          123
SNMP                                        UDP                          161           Configurable.
SSH                                         TCP                          22
Stateful Update                             8 (non-secure), 9 (secure)   N/A
Telnet                                      TCP                          23
VPN Individual User Authentication Proxy    UDP                          1645, 1646    Port accessible only over VPN tunnel.


ICMP Types

Table A-7 lists the ICMP type numbers and names that you can enter in ASA 1000V commands.

Table A-7 ICMP Types

ICMP Number   ICMP Name
0             echo-reply
3             unreachable
4             source-quench
5             redirect
6             alternate-address
8             echo
9             router-advertisement
10            router-solicitation
11            time-exceeded
12            parameter-problem
13            timestamp-request
14            timestamp-reply
15            information-request
16            information-reply
17            mask-request
18            mask-reply
31            conversion-error
32            mobile-redirect