Port to Application Mapping (PAM)
- PAM enables CBAC supported apps to be run on non-standard ports.
- PAM supports host- or subnet-specific port mapping, which lets you apply PAM to a single host or subnet using a standard ACL, thereby overriding the default port mappings.
- Three types of mapping:
- System-Defined port mapping
- It is a table/database of system-defined mapping entries built from the well-known port-mapping information. It is set up at system start-up and cannot be deleted or modified, but it can be overridden using Host-Specific Port Mapping.
- User-Defined port mapping
- Network services or applications that use non-standard ports require user-defined entries in the PAM table.
- You can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range.
- Host-Specific Port Mapping
- It establishes port mapping information for specific hosts or subnets.
- Same port number can be used for different services on different hosts.
- Examples:
- Map port 8000 with HTTP for one host, while mapping port 8000 with Telnet for another host.
- Hosts in subnet 192.168.21.0 might run HTTP services on non-standard port 8000, while other traffic through the firewall uses the default port for HTTP.
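To make the lookup order of the three mapping types concrete, here is a small Python model (added here, not Cisco code) that resolves a flow to the application CBAC would inspect: host-specific entries win, then user-defined entries, then the system-defined table. It assumes the standard ACL is matched against the server (destination) address and stands in for the ACL with an IP prefix; the port 8000 and subnet 192.168.21.0 cases come from the examples above, the other addresses are constructed.

```python
import ipaddress

# System-defined table: built at start-up, cannot be deleted or modified
# (a small constructed subset of the well-known ports).
SYSTEM_DEFINED = {("tcp", 80): "http", ("tcp", 23): "telnet", ("tcp", 21): "ftp"}


class PAM:
    """Simplified model of the IOS PAM table (added example, not IOS code)."""

    def __init__(self):
        self.user_defined = {}   # (proto, port) -> app, 'ip port-map <app> port <proto> <port>'
        self.host_specific = []  # (proto, port, network, app), '... list <acl>'

    def port_map(self, app, proto, port, prefix=None):
        """Model of 'ip port-map <app> port <proto> <port> [list <acl>]'.
        prefix plays the role of the standard ACL's permit entry (assumption)."""
        if prefix is None:
            self.user_defined[(proto, port)] = app
        else:
            self.host_specific.append((proto, port, ipaddress.ip_network(prefix), app))

    def resolve(self, server_ip, proto, port):
        """Return the application CBAC would inspect for a flow to server_ip:port.
        Assumption: the ACL is matched against the server (destination) address."""
        ip = ipaddress.ip_address(server_ip)
        for p, n, net, app in self.host_specific:
            if p == proto and n == port and ip in net:
                return app                          # host-specific overrides everything
        if (proto, port) in self.user_defined:
            return self.user_defined[(proto, port)]  # user-defined, all hosts
        return SYSTEM_DEFINED.get((proto, port))     # None: no application mapped


def build_example():
    pam = PAM()
    pam.port_map("http", "tcp", 8080)                      # user-defined, every host
    pam.port_map("http", "tcp", 8000, "192.168.21.0/24")   # subnet runs HTTP on 8000
    pam.port_map("telnet", "tcp", 8000, "10.1.1.10/32")    # same port, Telnet elsewhere
    return pam


if __name__ == "__main__":
    pam = build_example()
    for host, port in [("192.168.21.5", 8000), ("10.1.1.10", 8000),
                       ("10.9.9.9", 8000), ("10.9.9.9", 8080), ("10.9.9.9", 80)]:
        print(host, port, pam.resolve(host, "tcp", port))
```

A flow to port 8000 on a host outside both ACLs resolves to no application, which is exactly the case where CBAC would not inspect the session and the interface ACL alone decides.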
Cisco Doc Link:
Configuration:
User-Defined port-map or Host-Specific port-map:
!
! User-Defined
!
ip port-map http port tcp 8080
!
! OR
!
! Host-Specific
!
access-list 99 permit 10.0.0.0 0.0.0.255
ip port-map http port tcp 8080 list 99
!
! Create Inspect and Interface ACL rules
!
ip inspect name in_inspect_rule http
!
ip access-list extended in_acl
 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.10 eq 8080
!
! Apply them to the interface (inbound, as the verification output below shows)
!
interface fa0/0
 ip inspect in_inspect_rule in
 ip access-group in_acl in
Verification:
R1#sh ip inspect interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is in_inspect_rule
http alert is on audit-trail is off timeout 3600
Outgoing inspection rule is not set
Inbound access list is in_acl
Outgoing access list is not set
R1#show ip inspect sessions
Established Sessions
Session 68864C20 (10.0.0.10:1038)=>(10.1.1.10:8080) http SIS_OPEN