With PAM, you can define the nonstandard ports that your applications use so that CBAC can inspect those applications. Not every application can be mapped to a different port with PAM; only a limited set of applications benefit from it, including FTP, HTTP, RTSP, Session Initiation Protocol (SIP), SMTP, Telnet, and TFTP.

Configuring Port Mappings

The syntax to define a nonstandard application port is

Router(config)# ip port-map appl_name port port_num

Commonly, some departments use standard ports while other departments use nonstandard ports. Instead of enabling a nonstandard port globally throughout your organization, you can use an ACL to select exactly which devices (the servers listening on that port) the nonstandard mapping applies to. The syntax is

Router(config)# ip port-map appl_name port port_num list acl_num

One of the applications supported by PAM is SIP. If your organization uses SIP on port 5600 instead of the standard SIP port number of 5060, use PAM so that CBAC can inspect SIP on port 5600:

Router(config)# ip port-map sip port 5600

If the R&D department uses HTTP on port 9000 for its Web servers at 1.1.1.1 and 1.1.1.2, you can use the commands shown in Figure 4.11 to allow CBAC to inspect HTTP on port 9000.

Figure 4.11. Port mapping with an ACL.
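The following IOS configuration is an added example of the host-specific mapping described above; it is not the page's Figure 4.11. The ACL number (10) and the inspection rule name (RND_FW) are assumptions chosen for illustration; the server addresses and ports are the ones the text uses.

```cisco
! Added example (not the page's own figure): PAM with a host-specific ACL.
! ACL number 10 and inspection rule name RND_FW are assumptions.
!
! Standard ACL (1-99) naming the R&D Web servers that listen on TCP 9000.
! With the "list" keyword, the ACL identifies the server hosts, not clients.
access-list 10 permit host 1.1.1.1
access-list 10 permit host 1.1.1.2
!
! Map HTTP to port 9000 only for the hosts in ACL 10. Connections to port
! 9000 on any other host are not parsed as HTTP by CBAC.
ip port-map http port 9000 list 10
!
! Global mapping (no ACL): every session to port 5600 is treated as SIP.
ip port-map sip port 5600
!
! PAM only tells CBAC which application parser to use for a port. The
! application still has to be listed in an inspection rule, and that rule
! must be applied to an interface (ip inspect RND_FW in|out), or nothing
! is inspected.
ip inspect name RND_FW http
ip inspect name RND_FW sip
```

The practical difference between the two mappings is scope: the SIP mapping changes how CBAC classifies port 5600 for every host, while the HTTP mapping is confined to the two R&D servers, so a different service that happens to use port 9000 elsewhere in the network is not misclassified as HTTP.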
Verifying Port Mappings

To view all port mappings, use the command shown in Figure 4.12.

Figure 4.12. show ip port-map command.

To view the port mappings for a specific application, use the following command:

Router# show ip port-map appl_name

To view the applications that are mapped to a specific port, use the following command:

Router# show ip port-map port port_num