PAM establishes a table of default port-to-application mapping information at the firewall.
How PAM Works
PAM generates a table of information that identifies specific applications with specific TCP or UDP port information. When the firewall router first starts up, the PAM table is populated with system-defined mapping information. As you customize the mapping information, the PAM table is modified with the new information. The information in the PAM table serves as the default port mapping for traffic passing through the firewall.
The port mapping information in the PAM table is one of three types:
· System defined
· User defined
System-Defined Port
Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system startup. The Cisco IOS Firewall CBAC feature requires the system-defined mapping information to function properly. The system-defined mapping information can’t be deleted or changed. It isn’t possible to assign an application to an existing system-defined mapping, such as attempting to map HTTP services to port 25 (SMTP). The following table shows the well-known or registered port mapping information.
| Application Name | Registered Port Number | Protocol Description |
| Cuseeme | 7648 | CU-SeeMe Protocol |
| Exec | 512 | Remote process execution |
| ftp | 21 | File Transfer Protocol (control port) |
| http | 80 | Hypertext Transfer Protocol |
| h323 | 1720 | H.323 Protocol (such as MS NetMeeting and Intel Video Phone) |
| login | 513 | Remote login |
| msrpc | 135 | Microsoft Remote Procedure Call |
| netshow | 1755 | Microsoft NetShow |
| real-audio-video | 7070 | RealAudio and RealVideo |
| smtp | 25 | Simple Mail Transfer Protocol |
| sql-net | 1521 | SQL-NET |
| streamworks | 1558 | StreamWorks Protocol |
| sunrpc | 111 | SUN Remote Procedure Call |
| tftp | 69 | Trivial File Transfer Protocol |
| vdolive | 7000 | VDOLive Protocol |
User-Defined Port
Network applications that use nonstandard ports require user-defined entries in the mapping table. Use the Global Configuration Mode command ip port-map to create user-defined entries ports to application mapping. Use the no form of the command to delete user-defined PAM entries. The command can’t be used to change system-defined port mappings.
The syntax is
Rtr1(config)#ip port-map appl-name port port-num [list acl#]
Rtr1(config)#no ip port-map appl-name port port-num [list acl#]
| appl-name | The name of the application with which to apply the port mapping |
| port | Indicates a port number maps to the application |
| port-num | Port number (1 to 65535) |
| list | The port mapping information applies to a specific host or subnet |
| acl# | Standard ACL number used to identify the host(s) or subnet(s) |
This command was introduced in IOS 12.0(5)T. No default values.
This example shows PAM entries that define a range of nonstandard ports for HTTP services.
Rtr1(config)#ip port-map http port 8000
Rtr1(config)#ip port-map http port 8001
Rtr1(config)#ip port-map http port 8002
Host-Specific Port
User-defined entries in the mapping table can include host-specific mapping, which establishes port mapping information for specific hosts or subnets. In some situations, it might be necessary to override the default port mapping information for a specific host or subnet, including a system-defined default port mapping information. Use the list option for the ip port-map command to specify an ACL for a host or subnet that uses PAM.
In this example, a specific host uses port 8000 for FTP services. ACL 1 identifies the server address (192.168.0.100), while port 8000 is mapped with FTP services:
Rtr1(config)#access-list 1 permit 192.168.0.100
Rtr1(config)#ip port-map ftp port 8000 list 1
In the next example, the same port number is required by different services running on different hosts. Port 8000 is required for FTP services by host 192.168.0.100, while port 8000 is required for HTTP services by host 192.168.0.175. ACL 10 and ACL 2 identify the specific hosts, while PAM maps the ports with the services for each ACL.
Rtr1(config)#access-list 1 permit 192.168.0.100
Rtr1(config)#access-list 2 permit 192.168.0.175
Rtr1(config)#ip port-map ftp port 8000 list 1
Rtr1(config)#ip port-map http port 8000 list 2
Verify Port to Application Mapping
Use the Privileged EXEC Mode command show ip port-map to display the Port to Application Mapping (PAM) information. This command displays the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display only the entries for that application. Include the port number to display only the entries for that port.
The syntax is
Rtr1#show ip port-map [appl-name | port port-num]
This command was introduced in IOS 12.0(5)T.
The following example shows the port mapping information for FTP services:
Rtr1#show ip port-map ftp
Default mapping: ftp port 21 system defined
Host specific: ftp port 1250 in list 1 user definedFor more information Check the below linkshttp://www.wr-mem.com/?p=86http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c8.html
No comments:
Post a Comment