Network services or applications that use nonstandard ports require
user-defined entries in the PAM table. For example, the network might run HTTP
services on the nonstandard port 8000 instead of on the system-defined default
port 80. In this case, PAM can be used to map port 8000 with HTTP services. If
HTTP services run on other ports, use PAM to create additional port mapping
entries. After a port mapping entry is defined, the entry can be overwritten at
a later time by simply mapping that specific port with a different
application.
NOTE: If an attempt is made to map an application to a system-defined port, a message appears warning the administrator of a mapping conflict.
User-defined port mapping information can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range. User-defined entries are saved with the default mapping information when the router configuration is saved.
Use the ip port-map configuration command to establish PAM. Use the no form of this command to delete user-defined PAM entries. The syntax for the ip port-map command is as shown in Figure .
User-defined entries in the mapping table can include host- or
network-specific mapping information, which establishes port mapping
information for specific hosts or subnets. In some environments, it might be
necessary to override the default port mapping information for a specific host
or subnet.
With host-specific port mapping, the same port number can be
used for different services on different hosts. This means that port 8000 can
be mapped to HTTP services for one host, while port 8000 can be mapped to
Telnet services for another host.
Host-specific port mapping also enables administrators to apply PAM to a
specific subnet when that subnet runs a service that uses a port number that is
different from the port number defined in the default mapping information. For
example, hosts on subnet 192.168.0.0 might run HTTP services on nonstandard
port 8000, while other traffic through the firewall uses the default port 80
for HTTP services.
Host- or network-specific port mapping enables
administrators to override a system-defined entry in the PAM table. For
example, if CBAC finds an entry in the PAM table that maps port 25, the
system-defined port for SMTP, with HTTP for a specific host, CBAC identifies
port 25 as HTTP protocol traffic on that host.
NOTE: If the host-specific port mapping information is the same as existing system- or user-defined default entries, host-specific port changes have no effect.
Use the list option for the ip port-map command to specify an ACL for a host or subnet that uses PAM. Use the show ip port-map privileged EXEC command to display the PAM information. The syntax for the show ip port-map command is shown in Figure .
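The following is an added configuration example, not taken from the original page, that puts these commands together on a CBAC firewall: a subnet-specific HTTP entry on port 8000, a second host where the same port is Telnet, a host-specific override of the system-defined SMTP port, the no form, and the show command. The ACL numbers, host addresses and subnet mask are constructed values; the list option is assumed to take a standard numbered ACL.

```cisco
! Added example, not from the original page. ACL numbers, hosts and the
! subnet mask are constructed values.
!
! 1. Subnet-specific entry: hosts in 192.168.0.0/24 run HTTP on the
!    nonstandard port 8000, so CBAC identifies port 8000 as HTTP for that
!    subnet only. Other traffic keeps the default mapping (port 80).
access-list 10 permit 192.168.0.0 0.0.0.255
ip port-map http port 8000 list 10
!
! 2. Same port number, different service on a different host: for this
!    host, port 8000 is identified as Telnet instead.
access-list 11 permit host 10.1.1.5
ip port-map telnet port 8000 list 11
!
! 3. Host-specific override of a system-defined entry: for this one host,
!    port 25 (the system-defined SMTP port) is identified as HTTP. Without
!    the list option the same command would conflict with the
!    system-defined mapping and the router would warn about it.
access-list 12 permit host 10.1.1.9
ip port-map http port 25 list 12
!
! 4. Deleting a user-defined entry with the no form; include the list
!    number so only the host-specific Telnet entry is removed.
no ip port-map telnet port 8000 list 11
!
! 5. Verification from privileged EXEC: display the whole PAM table, or
!    filter it by application name or by port number.
! show ip port-map
! show ip port-map http
! show ip port-map port 8000
```

Running the show command after each step confirms which entries are system defined and which are user defined before the configuration is saved.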