Port to Application mapping (PAM) | (CCIE Notes)


Port to Application Mapping (PAM)

  • PAM enables CBAC supported apps to be run on non-standard ports.
  • PAM supports host- or subnet-specific port mapping, which lets you apply a PAM entry to a single host or subnet using a standard ACL, thereby overriding the default port mappings.
  • Three types of mapping:
    • System-Defined port mapping
      • It is a table of system-defined mapping entries built from well-known port assignments. It is set up at system start-up and cannot be deleted or modified, but it can be overridden using Host-Specific Port Mapping.
    • User-Defined port mapping
      • Network services or applications that use non-standard ports require user-defined entries in the PAM table.
      • You can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range.
    • Host-Specific Port Mapping
      • It establishes port mapping information for specific hosts or subnets.
      • Same port number can be used for different services on different hosts.
      • Examples:
        • Map port 8000 to HTTP for one host, while mapping port 8000 to Telnet for another host.
        • Hosts in subnet 192.168.21.0 might run HTTP services on non-standard port 8000, while other traffic through the firewall uses the default port for HTTP.

Cisco Doc Link:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-mt/config-cbac-port-map.html

Configuration:

User-Defined port-map or Host-Specific port-map:

! User-Defined
ip port-map http port tcp 8080
!
! OR
!
! Host-Specific (the standard ACL selects the hosts/subnet the mapping applies to)
!
access-list 99 permit 10.0.0.0 0.0.0.255
ip port-map http port tcp 8080 list 99
!
! Create the inspect rule and the interface ACL
! (the inspect rule name must match the one applied on the interface)
!
ip inspect name in_inspect_rule http
!
ip access-list extended in_acl
 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.10 eq 8080
!
! Apply them inbound on the interface (the direction keyword is required)
!
interface fa0/0
 ip inspect in_inspect_rule in
 ip access-group in_acl in
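The lookup order the three mapping types imply (a host-specific entry wins over a user-defined one, which wins over the system table, with a standard ACL deciding which hosts a host-specific entry covers) is modelled below in Python. This is an added example, not Cisco code and not the configuration above: the system table is a constructed excerpt, the ACL is matched against the server address (a modelling assumption based on the subnet example in the notes), and `PamTable`, `build_example_table` and the sample addresses are illustrative names and values.

```python
"""Model of the CBAC Port-to-Application Mapping (PAM) lookup order."""
import ipaddress

# Constructed excerpt of the system-defined table (well-known ports);
# the real table on the router is much larger.
SYSTEM_MAP = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
}


def wildcard_match(addr, network, wildcard):
    """Standard-ACL semantics: a wildcard bit of 1 means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class PamTable:
    """Illustrative PAM table (hypothetical class, not a Cisco API)."""

    def __init__(self):
        self.acls = {}            # acl number -> list of (network, wildcard)
        self.user_defined = {}    # (proto, port) -> application
        self.host_specific = []   # (acl number, proto, port, application)

    def access_list(self, number, network, wildcard):
        """Equivalent of: access-list <number> permit <network> <wildcard>"""
        self.acls.setdefault(number, []).append((network, wildcard))

    def port_map(self, app, proto, ports, acl=None):
        """Equivalent of: ip port-map <app> port <proto> <port> [list <acl>]

        `ports` may be a single port or an iterable; a range becomes one
        PAM entry per port number, as the notes describe.
        """
        if isinstance(ports, int):
            ports = [ports]
        for port in ports:
            key = (proto, port)
            if acl is None:
                # A user-defined entry may not change a system-defined
                # mapping; only a host-specific entry can override it.
                if key in SYSTEM_MAP and SYSTEM_MAP[key] != app:
                    raise ValueError(
                        f"{proto}/{port} is system-mapped to {SYSTEM_MAP[key]}; "
                        "use a host-specific mapping (list <acl>) to override")
                self.user_defined[key] = app
            else:
                self.host_specific.append((acl, proto, port, app))

    def resolve(self, server_ip, proto, port):
        """Return the application CBAC would inspect for this flow, or None."""
        # 1. Host-specific entries win; the standard ACL is matched against
        #    the server address (modelling assumption).
        for acl, p, pt, app in self.host_specific:
            if (p, pt) == (proto, port) and any(
                    wildcard_match(server_ip, net, wc)
                    for net, wc in self.acls.get(acl, [])):
                return app
        # 2. Then user-defined entries.
        if (proto, port) in self.user_defined:
            return self.user_defined[(proto, port)]
        # 3. Finally the system-defined table.
        return SYSTEM_MAP.get((proto, port))


def build_example_table():
    """Constructed configuration mirroring the examples in the notes."""
    pam = PamTable()
    pam.port_map("http", "tcp", 8080)                  # user-defined entry
    pam.port_map("telnet", "tcp", range(3000, 3003))   # port range -> 3 entries
    pam.access_list(10, "192.168.21.0", "0.0.0.255")   # subnet runs HTTP on 8000
    pam.port_map("http", "tcp", 8000, acl=10)
    pam.access_list(11, "10.1.1.20", "0.0.0.0")        # one host runs Telnet on 8000
    pam.port_map("telnet", "tcp", 8000, acl=11)
    pam.port_map("telnet", "tcp", 80, acl=11)          # host-specific override of a system entry
    return pam


if __name__ == "__main__":
    table = build_example_table()
    for ip, port in [("192.168.21.5", 8000), ("10.1.1.20", 8000),
                     ("10.1.1.10", 8000), ("10.1.1.10", 8080), ("10.1.1.20", 80)]:
        print(ip, port, "->", table.resolve(ip, "tcp", port))
```

Running the module shows the same port 8000 resolving to `http` for the 192.168.21.0 subnet and to `telnet` for 10.1.1.20, while 10.1.1.10:8000 resolves to nothing (no inspection), which is the practical reason to verify a PAM entry with `show ip inspect sessions` after adding it.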

Verification:

R1#sh ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/0
 Inbound inspection rule is in_inspect_rule
 http alert is on audit-trail is off timeout 3600
 Outgoing inspection rule is not set
 Inbound access list is in_acl
 Outgoing access list is not set

R1#show ip inspect sessions
Established Sessions
 Session 68864C20 (10.0.0.10:1038)=>(10.1.1.10:8080) http SIS_OPEN

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security
