PAM


With Port-to-Application Mapping (PAM), you can define the nonstandard ports that your applications use so that CBAC can inspect those applications on those ports. Not every application can be mapped to a different port with PAM; only a limited set of applications support it, including FTP, HTTP, RTSP, Session Initiation Protocol (SIP), SMTP, Telnet, and TFTP.

Configuring Port Mappings

The syntax to define a nonstandard application port is

 Router(config)# ip port-map appl_name port port_num

Commonly, some departments use standard ports while other departments use nonstandard ports. Instead of globally enabling a nonstandard port for the whole organization, you can use an ACL to select exactly which devices the mapping applies to. The syntax to do so is

 Router(config)# ip port-map appl_name port port_num list acl_num

One of the applications supported by PAM is SIP. If your organization uses SIP on port 5600 instead of the standard SIP port number of 5060, use PAM to allow CBAC to inspect SIP on port 5600:

 Router(config)# ip port-map sip port 5600

If the R&D department uses HTTP on port 9000 for its Web servers at 1.1.1.1 and 1.1.1.2, you can use the commands shown in Figure 4.11 to allow CBAC to inspect HTTP on port 9000.

Figure 4.11. Port mapping with an ACL.



You cannot change or delete IOS-defined port mappings. For instance, you cannot map RTSP from port 554 to port 23 because PAM defines Telnet on port 23. The opposite is also true. You cannot map Telnet from port 23 to port 554 because PAM defines RTSP on port 554.


Verifying Port Mappings

To view all port mappings, use the show ip port-map command shown in Figure 4.12.

Figure 4.12. show ip port-map command.


To view port mappings for a specific application, use the following command:

 Router# show ip port-map appl_name

To view applications that are mapped to a specific port, use the following command:

 Router# show ip port-map port_num
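The following is an added example, not the book's Figure 4.11, that puts the pieces together for the R&D scenario described earlier (HTTP on port 9000 only for the Web servers at 1.1.1.1 and 1.1.1.2) and then runs the verification commands just shown. The ACL number 10, the inspection rule name RND_FW, and the interface FastEthernet0/0 are assumptions chosen for the example.

```cisco
! Added example: host-specific PAM mapping for the R&D Web servers.
! ACL 10, rule name RND_FW and the interface name are assumptions.
Router(config)# access-list 10 remark R&D Web servers that serve HTTP on port 9000
Router(config)# access-list 10 permit host 1.1.1.1
Router(config)# access-list 10 permit host 1.1.1.2
!
! Host-specific mapping: CBAC treats port 9000 as HTTP only for the
! hosts matched by ACL 10. For every other host, port 9000 is not
! inspected as HTTP, so the nonstandard port is not opened organization-wide.
Router(config)# ip port-map http port 9000 list 10
!
! PAM only matters if a CBAC inspection rule names the application.
! Without this rule, nothing inspects HTTP on any port.
Router(config)# ip inspect name RND_FW http
Router(config)# interface FastEthernet0/0
Router(config-if)# ip inspect RND_FW in
Router(config-if)# end
!
! Verify the mapping: first by application, then by port number.
! The http entry should list port 9000 together with ACL 10.
Router# show ip port-map http
Router# show ip port-map 9000
```

If the mapping does not appear in the output, check that the application name is one PAM supports and that the port is not already an IOS-defined mapping, which cannot be changed.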


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud