Configure Cisco IOS Firewall Context-Based Access Control
User-defined port-to-application mapping

Network services or applications that use nonstandard ports require user-defined entries in the PAM table. For example, the network might run HTTP services on the nonstandard port 8000 instead of on the system-defined default port 80. In this case, PAM can be used to map port 8000 to HTTP services. If HTTP services run on other ports as well, use PAM to create an additional port mapping entry for each one. After a port mapping entry is defined, it can be overwritten at a later time simply by mapping that same port to a different application.

NOTE:

If an attempt is made to map an application to a system-defined port, a message appears warning the administrator of a mapping conflict.

User-defined port mapping information can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range.

User-defined entries are saved with the default mapping information when the router configuration is saved.

Use the ip port-map global configuration command to establish PAM entries. Use the no form of this command to delete user-defined PAM entries. The syntax for the ip port-map command is as shown in Figure .

User-defined entries in the mapping table can include host- or network-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet.

With host-specific port mapping, the same port number can be used for different services on different hosts. This means that port 8000 can be mapped to HTTP services for one host, while port 8000 can be mapped to Telnet services for another host.

Host-specific port mapping also enables administrators to apply PAM to a specific subnet when that subnet runs a service that uses a port number that is different from the port number defined in the default mapping information. For example, hosts on subnet 192.168.0.0 might run HTTP services on nonstandard port 8000, while other traffic through the firewall uses the default port 80 for HTTP services.

Host- or network-specific port mapping enables administrators to override a system-defined entry in the PAM table. For example, if CBAC finds an entry in the PAM table that maps port 25, the system-defined port for SMTP, to HTTP for a specific host, CBAC inspects port 25 traffic to or from that host as HTTP protocol traffic.

NOTE:

If the host-specific port mapping information is the same as existing system- or user-defined default entries, host-specific port changes have no effect.

Use the list option for the ip port-map command to specify an ACL for a host or subnet that uses PAM. Use the show ip port-map privileged EXEC command to display the PAM information. The syntax for the show ip port-map command is shown in Figure .
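The following IOS configuration is an added example that is not part of the original page or the lab activity; it walks through the three cases described above: a user-defined default entry, a host-specific entry for the 192.168.0.0 subnet (the /24 mask and the host address 10.1.1.5 are assumptions, since the page gives no mask and names no host), and a host-specific override of a system-defined port. The list keyword takes a standard ACL number, which is why ACLs 10 and 20 are used.

```cisco
! Added example (not from the page): user-defined and host-specific PAM entries
! Enter global configuration mode
configure terminal
!
! 1. User-defined default entry: inspect TCP port 8000 as HTTP for all traffic
!    through the firewall.
ip port-map http port 8000
!
! 2. Host-specific entry: standard ACL 10 selects the subnet the mapping applies to.
!    The /24 mask is an assumption; the page names only 192.168.0.0.
access-list 10 permit 192.168.0.0 0.0.0.255
ip port-map http port 8000 list 10
!
! 3. Host-specific override of a system-defined port: the (assumed) host 10.1.1.5
!    serves HTTP on port 25. Because the entry is tied to ACL 20, port 25 stays
!    SMTP for every other host.
access-list 20 permit host 10.1.1.5
ip port-map http port 25 list 20
!
! 4. Remove a user-defined entry with the no form. The host-specific entry from
!    step 2 is a separate PAM entry and is not affected by this command.
no ip port-map http port 8000
end
!
! Verify the resulting PAM table, or only the entries for one application.
show ip port-map
show ip port-map http
```

Step 3 works only because the list keyword scopes the entry to specific hosts; issuing ip port-map http port 25 without a list would attempt to remap a system-defined port and trigger the mapping conflict warning described in the note above. Likewise, a host-specific entry that duplicates an existing system- or user-defined default (for example, ip port-map http port 80 list 10) changes nothing, as the second note states.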


Lab Activity

e-Lab Activity: Port-to-Application Mapping

In this activity, students will apply host-specific port mapping.