Host Specific Port Mapping

In some environments, it might be necessary to override the default port-mapping information for a specific host or subnet. With host-specific port mapping, you can use the same port number for different services on different hosts. This means that you can map port 8080 with HTTP services for one host, while mapping port 8080 with Telnet services for another host.

Host-specific port mapping also enables you to apply PAM to a specific subnet when that subnet runs a service that uses a port number that differs from the port number defined in the default mapping information. For example, hosts on subnet 10.100.10.11 might run HTTP services on nonstandard port 8080, whereas other traffic through the firewall uses the default port for HTTP services, which is port 80.

Host-specific port mapping enables you to override a system-defined entry in the PAM table. If CBAC finds an entry in the PAM table that maps port 21 (the system-defined port for FTP) with SMTP for a specific host, for example, CBAC identifies port 21 as SMTP protocol traffic on that host.

To configure PAM, use the ip port-map command, as follows:

ip port-map appl_name port port_num [list acl_num]

Use the list option to associate this port mapping with the specific hosts in the ACL. (PAM uses standard IP ACLs only.) If an ACL is included, only the hosts defined in that ACL are treated as running the application appl_name on port port_num; without the list option the mapping applies system-wide. The following example shows HTTP mapped to port 8080 by an ip port-map command:

ip port-map http port 8080
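The following IOS configuration is an added example, not part of the original page, illustrating the host-specific case described above: the same port 8080 is mapped to HTTP for one subnet and to Telnet for a single host, while the system-wide default for HTTP (port 80) is left untouched. The subnet 10.100.10.0/24, the host 192.0.2.50 and the ACL numbers 10 and 11 are assumed placeholder values.

```cisco
! Standard ACLs only: PAM ignores extended ACLs in the list option.
! ACL 10 selects the subnet that runs HTTP on nonstandard port 8080.
access-list 10 permit 10.100.10.0 0.0.0.255
! ACL 11 selects a single host that runs Telnet on port 8080.
access-list 11 permit host 192.0.2.50

! Host-specific entries: port 8080 means HTTP for ACL 10 hosts
! and Telnet for ACL 11 hosts. Traffic to any other host on 8080
! is not matched by either entry.
ip port-map http port 8080 list 10
ip port-map telnet port 8080 list 11

! Verify the resulting PAM table; host-specific entries show the
! ACL they are tied to, system-defined entries (e.g. http 80) remain.
! show ip port-map
! show ip port-map http
```

Because CBAC consults the PAM table when classifying a session, a check with show ip port-map after each change confirms that a host-specific entry has not unintentionally overridden a system-defined port for hosts outside the intended ACL.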
