Define Port-to-Application Mapping (PAM)

Sep 10,2009 by alperen

Flexible, per-application port mapping allows CBAC-supported applications to be run on nonstandard TCP and UDP ports. PAM allows network administrators to customize access control for specific applications and services to meet the distinct needs of their networks.

The ip port-map command associates TCP or UDP port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application. PAM also supports port mapping for specific host(s) or subnet(s) by using standard ACLs.

The port mapping information in the PAM table is one of three types:

  • System defined

  • User defined

  • Host specific

System-Defined Port Mapping

Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system startup. The Cisco IOS Firewall CBAC feature requires the system-defined mapping information to function properly. The system-defined mapping information can’t be deleted or changed. It isn’t possible to assign an application to an existing system-defined mapping, such as attempting to map HTTP services to port 25 (SMTP). The following table shows the well-known or registered port mapping information.

Application Name   Registered Port Number   Protocol Description
cuseeme            7648                     CU-SeeMe Protocol
exec               512                      Remote process execution
ftp                21                       File Transfer Protocol (control port)
http               80                       Hypertext Transfer Protocol
h323               1720                     H.323 Protocol (such as MS NetMeeting and Intel Video Phone)
login              513                      Remote login
msrpc              135                      Microsoft Remote Procedure Call
netshow            1755                     Microsoft NetShow
real-audio-video   7070                     RealAudio and RealVideo
smtp               25                       Simple Mail Transfer Protocol
sql-net            1521                     SQL-NET
streamworks        1558                     StreamWorks Protocol
sunrpc             111                      SUN Remote Procedure Call
tftp               69                       Trivial File Transfer Protocol
vdolive            7000                     VDOLive Protocol

User-Defined Port Mapping

Network applications that use nonstandard ports require user-defined entries in the mapping table. Use the Global Configuration Mode command ip port-map to create user-defined port-to-application mapping entries. Use the no form of the command to delete user-defined PAM entries. The command can’t be used to change system-defined port mappings. The syntax is

Rtr1(config)#ip port-map appl-name port port-num [list acl#]
Rtr1(config)#no ip port-map appl-name port port-num [list acl#]

appl-name   The name of the application with which to apply the port mapping
port        Indicates a port number maps to the application
port-num    Port number (1 to 65535)
list        The port mapping information applies to a specific host or subnet
acl#        Standard ACL number used to identify the host(s) or subnet(s)

This command was introduced in IOS 12.0(5)T. No default values.

This example shows PAM entries that define a range of nonstandard ports for HTTP services.

Rtr1(config)#ip port-map http port 8000
Rtr1(config)#ip port-map http port 8001
Rtr1(config)#ip port-map http port 8002

Host-Specific Port Mapping

User-defined entries in the mapping table can include host-specific mapping, which establishes port mapping information for specific hosts or subnets. In some situations, it might be necessary to override the default port mapping information for a specific host or subnet, including system-defined default port mapping information. Use the list option of the ip port-map command to specify an ACL for a host or subnet that uses PAM.

In this example, a specific host uses port 8000 for FTP services. ACL 1 identifies the server address (192.168.0.100), while port 8000 is mapped with FTP services:

Rtr1(config)#access-list 1 permit 192.168.0.100
Rtr1(config)#ip port-map ftp port 8000 list 1

In the next example, the same port number is required by different services running on different hosts. Port 8000 is required for FTP services by host 192.168.0.100, while port 8000 is required for HTTP services by host 192.168.0.175. ACL 1 and ACL 2 identify the specific hosts, while PAM maps the ports with the services for each ACL.

Rtr1(config)#access-list 1 permit 192.168.0.100
Rtr1(config)#access-list 2 permit 192.168.0.175
Rtr1(config)#ip port-map ftp port 8000 list 1
Rtr1(config)#ip port-map http port 8000 list 2

This example shows a failed attempt to assign the RealAudio application to port 21, which is normally reserved for FTP services. Following that is the correct method to define the host using ACL 1. With this configuration, host(s) in List 1 won’t recognize FTP activity on port 21.

Rtr1(config)#ip port-map realaudio port 21
Rtr1(config)#Command fail: the port 21 has already been defined for
        ftp by the system.
        No change can be made to the system defined port mappings.
Rtr1(config)#access-list 1 permit 192.168.0.100
Rtr1(config)#ip port-map realaudio port 21 list 1
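
As an added example (not code from the page or from Cisco), the following Python model replays the page's ip port-map and access-list examples and shows which application a lookup resolves to for a given host and port, including the rejected global remapping of port 21 and the host-specific override that is allowed with list. The PamTable class, its methods and the subset of system-defined entries are constructed for this illustration.

```python
import ipaddress

# Added illustrative model of the PAM table described on this page; it is not
# Cisco code. The system-defined entries are a constructed subset of the table.
SYSTEM_DEFINED = {21: "ftp", 25: "smtp", 80: "http", 7070: "real-audio-video"}


class PamTable:
    """Models 'ip port-map', standard ACLs, and the lookup CBAC would perform."""

    def __init__(self):
        self.default = dict(SYSTEM_DEFINED)  # port -> app (system + user defined)
        self.host_specific = []              # (acl number, port, app), in entry order
        self.acls = {}                       # acl number -> permitted networks

    def access_list(self, acl, entry):
        # Standard ACL 'permit' entry; a bare host address is treated as a /32.
        self.acls.setdefault(acl, []).append(ipaddress.ip_network(entry, strict=False))

    def port_map(self, app, port, acl=None):
        # Models 'ip port-map <app> port <port> [list <acl>]'.
        if not 1 <= port <= 65535:
            raise ValueError("port number must be 1 to 65535")
        if acl is None:
            if port in SYSTEM_DEFINED:   # system-defined mappings can't be changed globally
                raise ValueError(f"Command fail: the port {port} has already been "
                                 f"defined for {SYSTEM_DEFINED[port]} by the system.")
            self.default[port] = app
        else:                            # host-specific entries may override any default
            self.host_specific.append((acl, port, app))

    def lookup(self, host, port):
        """Return the application CBAC would inspect for traffic to host:port."""
        addr = ipaddress.ip_address(host)
        for acl, p, app in self.host_specific:
            if p == port and any(addr in net for net in self.acls.get(acl, [])):
                return app
        return self.default.get(port)


def build_page_examples():
    """Replays the page's configuration examples into one table."""
    t = PamTable()
    for p in (8000, 8001, 8002):
        t.port_map("http", p)                       # user-defined HTTP range
    t.access_list(1, "192.168.0.100")
    t.access_list(2, "192.168.0.175")
    t.port_map("ftp", 8000, acl=1)                  # host-specific overrides
    t.port_map("http", 8000, acl=2)
    t.port_map("realaudio", 21, acl=1)              # allowed only with 'list'
    return t
```

Calling build_page_examples().port_map("realaudio", 21) without an ACL raises the same "Command fail" condition the router reports above.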

Verify Port to Application Mapping

Use the Privileged EXEC Mode command show ip port-map to display the Port to Application Mapping (PAM) information. This command displays the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display only the entries for that application. Include the port number to display only the entries for that port. The syntax is

Rtr1#show ip port-map [appl-name | port port-num]

This command was introduced in IOS 12.0(5)T.

The following example shows the port mapping information for FTP services:

Rtr1#show ip port-map ftp 
Default mapping: ftp              port 21                  system defined
Host specific:   ftp              port 1250   in list 1    user defined
