cc/td/doc/product/software/ios121/121cgcr/secur_c
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Configuring Port to Application Mapping

Configuring Port to Application Mapping

This chapter describes the Cisco IOS Firewall Port to Application Mapping (PAM) feature. PAM enables CBAC-supported applications to be run on nonstandard ports. Using PAM, network administrators can customize access control for specific applications and services to meet the distinct needs of their networks.

For a complete description of the PAM commands in this chapter, refer to the "Port to Application Mapping Commands" chapter of the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

In This Chapter

This chapter has the following sections:

Port to Application Mapping Overview

Port to Application Mapping (PAM) is a feature of the Cisco IOS Firewall feature set. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.

Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on non-standard ports. Previously, CBAC was limited to inspecting traffic using only the well-known or registered ports associated with an application. Now, PAM allows network administrators to customize network access control for specific applications and services.

PAM also supports host or subnet specific port mapping, which allows you to apply PAM to a single host or subnet using standard access control lists (ACLs). Host or subnet specific port mapping is done using standard ACLs.

This section has the following sections:

How PAM Works

PAM generates a table of information that identifies specific applications with specific TCP or UDP port information. When the firewall router first starts up, the PAM table is populated with system-defined mapping information. As you customize the mapping information, the PAM table is modified with the new information. The information in the PAM table serves as the default port mapping for traffic passing through the firewall.

PAM works with CBAC to identify the applications associated with various port numbers, including services running on non-standard ports, as it inspect traffic passing through the firewall. Previously, CBAC was limited to inspecting traffic using only the well-known or registered ports associated with an application.

Entries in the PAM table provide three types of mapping information:

System-Defined Port Mapping

PAM creates a table, or database, of system-defined mapping entries using the well-known or registered port mapping information set up during the system start-up. The system-defined entries comprise all the services supported by CBAC, which requires the system-defined mapping information to function properly. The system-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).


Note   You can override the system-defined entries for specific hosts using the PAM host-specific option. Refer to the section "Host-Specific Port Mapping" in this chapter.

Table 22 lists the default system-defined services and applications in the PAM table.


Table 22: System-Defined Port Mapping
Application Name Well-Known or
Registered Port Number
Protocol Description

cuseeme

7648

CU-SeeMe Protocol

exec

512

Remote Process Execution

ftp

21

File Transfer Protocol (control port)

http

80

Hypertext Transfer Protocol

h323

1720

H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)

login

513

Remote login

mgcp

2427

Media Gateway Control Protocol

msrpc

135

Microsoft Remote Procedure Call

netshow

1755

Microsoft NetShow

real-audio-video

7070

RealAudio and RealVideo

rtsp

8559

Real Time Streaming Protocol

shell

514

Remote command

sip

5060

Session Initiation Protocol

smtp

25

Simple Mail Transfer Protocol

sqlnet

1521

SQL-NET

streamworks

1558

StreamWorks Protocol

sunrpc

111

SUN Remote Procedure Call

telnet

23

Telnet

tftp

69

Trivial File Transfer Protocol

vdolive

7000

VDOLive Protocol

This section has the following sections:

User-Defined Port Mapping

Network services or applications that use non-standard ports require user-defined entries in the PAM table. For example, your network might run HTTP services on the non-standard port 8000 instead of on the system-defined default port (port 80). In this case, you can use PAM to map port 8000 with HTTP services. If HTTP services run on other ports, use PAM to create additional port mapping entries. After you define a port mapping, you can overwrite that entry at a later time by simply mapping that specific port with a different application.


Note   If you try to map an application to a system-defined port, a message appears that warns you of a mapping conflict.

User-defined port mapping information can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range.

User-defined entries are saved with the default mapping information when you save the router configuration.

Host-Specific Port Mapping

User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet.

With host-specific port mapping, you can use the same port number for different services on different hosts. This means that you can map port 8000 with HTTP services for one host, while mapping port 8000 with Telnet services for another host.

Host-specific port mapping also allows you to apply PAM to a specific subnet when that subnet runs a service that uses a port number that is different from the port number defined in the default mapping information. For example, hosts on subnet 192.168.21.0 might run HTTP services on non-standard port 8000, while other traffic through the firewall uses the default port for HTTP services, which is port 80.

Host-specific port mapping allows you to override a system-defined entry in the PAM table. For example, if CBAC finds an entry in the PAM table that maps port 25 (the system-defined port for SMTP) with HTTP for a specific host, CBAC identifies port 25 as HTTP protocol traffic on that host.


Note   If the host-specific port mapping information is the same as an existing system-defined or user-defined default entries, host-specific port changes have no effect.

PAM and CBAC

CBAC uses the information in the PAM table to identify a service or application from traffic flowing through the firewall. With PAM, CBAC can associate non-standard port numbers with specific protocols. For example, if you use PAM to map port 8000 with HTTP services, CBAC can determine that traffic using port 8000 is an HTTP application.

When to Use PAM

Here are a few examples of when you might want to use PAM:

PAM Configuration Task List

See the following sections for PAM configuration tasks. Each task in the list indicates if it is optional or required:

Configuring Standard ACLs

If you require PAM for a specific host or subnet, use the access-list (standard) command in global configuration mode to define an ACL:

Command Purpose
Router(config)#access-list access-list-number 
permit source [source-wildcard] 

(Optional) Creates a standard ACL that defines the specific host or subnet for host-specific PAM.

For complete information on access-list command, refer to the Cisco IOS IP and IP Routing Command Reference.

Configuring PAM

To configure PAM, use the ip port-map command in global configuration mode:

Command Purpose
Router(config)#ip port-map appl_name port port_num 
[list acl_num] 

Establishes a port mapping entry using the TCP or UDP port number and the application name.

(Optional) Use the list option to associate this port mapping to the specific hosts in the ACL. (PAM uses standard access lists only.) If an access list is included, the hosts defined in that ACL have the application appl_name running on port port_num.

Verifying PAM

To verify the port mapping information, enter the show ip port-map command in privileged EXEC mode and review the entries:

router# show ip port-map
 

This command displays all entries in the PAM table, including the system-defined entries.

For PAM configuration examples using the commands in this chapter, refer to the "PAM Configuration Examples" section at the end of this chapter.

Monitoring and Maintaining PAM

This section describes commands used to monitor and maintain PAM.

Command Purpose
router # show ip port-map [appl_name | port 
port_num]

Displays the port mapping information, including the system-defined entries. Include the application name to display a list of entries by application. Include the port number to display the entries by port.

Router(config)# no ip port-map appl_name port 
port_num [list acl_num] 

Use the no form of the ip port-map command to delete user-defined port mapping information. This command has no effect on the system-defined port mapping information.

PAM Configuration Examples

The following sections provide PAM configuration examples:

Mapping an Application to a Non-Standard Port Example

In this example, non-standard port 8000 is established as the user-defined default port mapping for HTTP services:

ip port-map http port 8000

Mapping an Application with a Port Range Example

The following PAM entries establish a range of non-standard ports for HTTP services:

ip port-map http 8001
ip port-map http 8002
ip port-map http 8003
ip port-map http 8004

Invalid Port Mapping Entry Example

This example is not valid because it tries to establish port 21, which is the system-defined default port for FTP, as the user-defined port for HTTP services:

ip port-map http port 21

Mapping an Application to a Port for a Specific Host Example

In this example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.

access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10

Mapping an Application to a Port for a Subnet Example

In this example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet, while port 8080 is mapped with HTTP services.

access-list 50 permit 192.168.92.0 0.0.0.255
ip port-map http 8080 list 50

Overriding a System-Defined Port Mapping Example

In this example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.33), while port 25 is mapped with HTTP services.

access-list 15 permit 192.168.33.33
ip port-map http port 25 list 15

Mapping Different Applications to the Same Port Example

In this example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services for host 192.168.3.4, while port 8000 is also required for FTP services for host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while the PAM entries map the ports with the services for each ACL.

access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map http ftp 8000 list 20


hometocprevnextglossaryfeedbacksearchhelp
Posted: Thu Aug 10 08:53:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.