Port to Application mapping (PAM) | (CCIE Notes)

Port to Application Mapping (PAM)

  • PAM enables CBAC-supported applications to run on non-standard ports.
  • PAM supports host- or subnet-specific port mapping, which lets you apply PAM to a single host or subnet using a standard ACL, thereby overriding the default port mappings.
  • Three types of mapping:
    • System-Defined port mapping
      • A table/database of system-defined mapping entries built from the well-known port-mapping information. It is set up during system start-up and cannot be deleted or modified, but it can be overridden using Host-Specific Port Mapping.
    • User-Defined port mapping
      • Network services or applications that use non-standard ports require user-defined entries in the PAM table.
      • You can also specify a range of ports for an application by creating a separate entry in the PAM table for each port number in the range.
    • Host-Specific Port Mapping
      • Establishes port mapping information for specific hosts or subnets.
      • The same port number can be used for different services on different hosts.
      • Examples:
        • Map port 8000 to HTTP for one host, while mapping port 8000 to Telnet for another host.
        • Hosts in a subnet might run HTTP services on non-standard port 8000, while other traffic through the firewall uses the default port for HTTP.
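Added worked example (not from these notes or from Cisco): a small Python model of the lookup order across the three PAM tables, driven by the port-8000 examples above. Addresses are constructed sample values, and treating the `list` ACL as matching the server address is an assumption of the model.

```python
import ipaddress

# Constructed subset of the system-defined table; the real one is built at
# boot and cannot be edited (only overridden per host).
SYSTEM_DEFINED = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}


class PamTable:
    """PAM lookup order: host-specific -> user-defined -> system-defined."""

    def __init__(self):
        self.user_defined = {}    # port -> application, applies to every host
        self.host_specific = []   # (network, port, application) from 'list <acl>'

    def port_map(self, app, port, acl_network=None):
        """'ip port-map <app> port tcp <port> [list <acl>]'. acl_network stands in
        for the standard ACL: the server host/subnet (model assumption) it covers."""
        if acl_network is not None:
            net = ipaddress.ip_network(acl_network, strict=False)
            self.host_specific.append((net, port, app))
        elif port in SYSTEM_DEFINED:
            # System-defined entries cannot be modified globally; only a
            # host-specific mapping may override them.
            raise ValueError(f"port {port} is system-defined; use a list mapping")
        else:
            self.user_defined[port] = app

    def port_map_range(self, app, first, last, acl_network=None):
        """A port range needs one PAM entry per port in the range."""
        for port in range(first, last + 1):
            self.port_map(app, port, acl_network)

    def lookup(self, server_ip, port):
        """Application CBAC treats traffic to server_ip:port as, or None if no
        entry maps that port (first matching host-specific entry wins)."""
        ip = ipaddress.ip_address(server_ip)
        for net, p, app in self.host_specific:
            if p == port and ip in net:
                return app
        return self.user_defined.get(port, SYSTEM_DEFINED.get(port))


if __name__ == "__main__":
    pam = PamTable()
    pam.port_map("http", 8080)                     # user-defined, every host
    pam.port_map("http", 8000, "192.0.2.10/32")    # port 8000 = HTTP on one host
    pam.port_map("telnet", 8000, "192.0.2.20/32")  # port 8000 = Telnet on another
    pam.port_map_range("http", 8001, 8003, "198.51.100.0/24")
    for host in ("192.0.2.10", "192.0.2.20", "203.0.113.5"):
        print(host, 8000, "->", pam.lookup(host, 8000))
```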

Cisco Doc Link:



User-Defined port-map or Host-Specific port-map:

! User-Defined: map HTTP to TCP 8080 for every host
ip port-map http port tcp 8080
! OR
! Host-Specific: map HTTP to TCP 8080 only for the host/subnet matched by standard ACL 99
! <host-or-subnet> is a placeholder; replace it with the host or subnet address
access-list 99 permit <host-or-subnet>
ip port-map http port tcp 8080 list 99
! Create the inspect rule and the interface ACL (rule name must match what is applied below)
ip inspect name in_inspect_rule http
ip access-list extended in_acl
 permit tcp host <client-ip> host <server-ip> eq 8080
! Apply them inbound on the interface (both commands require a direction)
interface fa0/0
 ip inspect in_inspect_rule in
 ip access-group in_acl in


R1#sh ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/0
 Inbound inspection rule is in_inspect_rule
 http alert is on audit-trail is off timeout 3600
 Outgoing inspection rule is not set
 Inbound access list is in_acl
 Outgoing access list is not set

R1#show ip inspect sessions
Established Sessions
 Session 68864C20 (>( http SIS_OPEN

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security
