Table Of Contents
Port to Application Mapping Commands
ip port-map
show ip port-map
Port to Application Mapping Commands
This chapter describes the commands used to configure Port to Application Mapping (PAM). PAM allows you to customize TCP or User Datagram Protocol (UDP) port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
For information on how to configure PAM, refer to the "Configuring Port to Application Mapping" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "PAM Configuration Examples" section located at the end of the "Configuring Port to Application Mapping" chapter in the Cisco IOS Security Configuration Guide.
ip port-map
To establish Port to Application Mapping (PAM), use the ip port-map global configuration command. To delete user-defined PAM entries, use the no form of this command.
ip port-map appl_name port port_num [list acl_num]
no ip port-map appl_name port port_num [list acl_num]
Syntax Description
appl_name | Specifies the name of the application with which to apply the port mapping.
port | Indicates that a port number maps to the application.
port_num | Identifies a port number in the range 1 to 65535.
list | (Optional) Indicates that the port mapping information applies to a specific host or subnet.
acl_num | (Optional) Identifies the standard access control list (ACL) number used with PAM.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
The ip port-map command associates TCP or UDP port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.
The port mapping information in the PAM table is of one of three types:
• System-defined
• User-defined
• Host-specific
System-Defined Port Mapping
Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-based Access Control feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).
Table 22 lists the default system-defined services and applications in the PAM table.
Table 22 System-Defined Port Mapping
Application Name | Well-Known or Registered Port Number | Protocol Description
cuseeme | 7648 | CU-SeeMe Protocol
exec | 512 | Remote Process Execution
ftp | 21 | File Transfer Protocol (control port)
http | 80 | Hypertext Transfer Protocol
h323 | 1720 | H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)
login | 513 | Remote login
msrpc | 135 | Microsoft Remote Procedure Call
netshow | 1755 | Microsoft NetShow
real-audio-video | 7070 | RealAudio and RealVideo
smtp | 25 | Simple Mail Transfer Protocol
sql-net | 1521 | SQL-NET
streamworks | 1558 | StreamWorks Protocol
sunrpc | 111 | SUN Remote Procedure Call
tftp | 69 | Trivial File Transfer Protocol
vdolive | 7000 | VDOLive Protocol
Note
You can override the system-defined entries for a specific host or subnet using the list option in the ip port-map command.
User-Defined Port Mapping
Network applications that use non-standard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table.
To map a range of port numbers with a service or application, you must create a separate entry for each port number.
Note
If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict.
Use the no form of the ip port-map command to delete user-defined entries from the PAM table.
To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.
Host-Specific Port Mapping
User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including system-defined default port mapping information. Use the list option of the ip port-map command to specify an ACL for a host or subnet that uses PAM.
Note
If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.
Examples
The following examples show how to add and remove user-defined PAM configuration entries at the firewall.
In the following example, non-standard port 8000 is established as the user-defined default port for HTTP services:
ip port-map http port 8000
The following example shows PAM entries that establish a range of non-standard ports for HTTP services:
In the following example, the command fails because it tries to map port 21, which is the system-defined default port for FTP, to HTTP:
In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:
access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10
In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application (PAM application name real-audio-video) for the hosts in list 10. In this configuration, the firewall does not treat activity on port 21 as FTP for hosts in list 10.
ip port-map real-audio-video port 21 list 10
In the following example, the ip port-map command fails and generates an error message:
ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system.
No change can be made to the system defined port mappings.
The no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. The following command deletes the host-specific port mapping of FTP on port 1022 for the hosts in list 10:
no ip port-map ftp port 1022 list 10
In the following example, the command fails because it tries to delete the system-defined default port for HTTP:
no ip port-map http port 80
In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet (a /24 is assumed here, hence the 0.0.0.255 wildcard mask), while the PAM entry maps port 8080 to HTTP services.
access-list 50 permit 192.168.92.0 0.0.0.255
ip port-map http port 8080 list 50
In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.
access-list 15 permit 192.168.33.43
ip port-map http port 25 list 15
In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for Telnet services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the port to the service for each ACL.
access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map telnet port 8000 list 20
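The table rules described in the Usage Guidelines (immutable system-defined entries, user-defined defaults, host-specific overrides selected by ACL) and the outcomes of the examples above, modelled as an added Python example that is not Cisco code; the class, the ACL representation (ACL number mapped to a set of host addresses) and every message except the documented "Command fail" text are assumptions of this example.

```python
"""Model of the PAM table rules from the ip port-map Usage Guidelines; the
system-defined entries come from Table 22. Added example, not Cisco code: the
class, the ACL representation (acl -> set of hosts) and every message except
the documented 'Command fail' text are this example's own assumptions."""
from dataclasses import dataclass, field

SYSTEM_DEFINED = {7648: "cuseeme", 512: "exec", 21: "ftp", 80: "http",
                  1720: "h323", 513: "login", 135: "msrpc", 1755: "netshow",
                  7070: "real-audio-video", 25: "smtp", 1521: "sql-net",
                  1558: "streamworks", 111: "sunrpc", 69: "tftp", 7000: "vdolive"}

@dataclass
class PamTable:
    user_defined: dict = field(default_factory=dict)   # port -> app
    host_specific: dict = field(default_factory=dict)  # (port, acl) -> app
    acls: dict = field(default_factory=dict)           # acl -> {host, ...}

    def default_app(self, port):  # a user-defined default shadows a system one
        return self.user_defined.get(port, SYSTEM_DEFINED.get(port))

    def port_map(self, app, port, acl=None):
        """'ip port-map app port N [list acl]' -> (ok, message)."""
        if acl is None:                         # default (table-wide) entry
            if port in SYSTEM_DEFINED:          # system ports cannot be remapped
                return False, (f"Command fail: the port {port} has already been "
                               f"defined for {SYSTEM_DEFINED[port]} by the system.")
            self.user_defined[port] = app       # overwrites an existing user entry
            return True, "default mapping added"
        if self.default_app(port) == app:       # identical to default: no effect
            return True, "host-specific entry equals default; no effect"
        self.host_specific[(port, acl)] = app   # list option may override a system port
        return True, "host-specific mapping added"

    def no_port_map(self, app, port, acl=None):
        """'no ip port-map ...' removes user-defined entries only."""
        if acl is None and port in SYSTEM_DEFINED:
            return False, "No change can be made to the system defined port mappings."
        table, key = ((self.user_defined, port) if acl is None
                      else (self.host_specific, (port, acl)))
        if table.get(key) != app:
            return False, "no such user-defined entry"
        del table[key]
        return True, "entry removed"

    def resolve(self, port, host):
        """Application inspected on 'port' for 'host': host-specific wins over default."""
        for (p, acl), app in self.host_specific.items():
            if p == port and host in self.acls.get(acl, ()):
                return app
        return self.default_app(port)
```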
Related Commands
Command | Description
show ip port-map | Displays the PAM information.
show ip port-map
To display the Port to Application Mapping (PAM) information, use the show ip port-map privileged EXEC command.
show ip port-map [appl_name | port port_num]
Syntax Description
appl_name | (Optional) Specifies the name of the application to which to apply the port mapping.
port port_num | (Optional) Specifies the alternative port number that maps to the application.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.
Examples
The following is sample output for the show ip port-map command, including system-defined mapping information:
Default mapping: vdolive port 7000 system defined
Default mapping: sunrpc port 111 system defined
Default mapping: netshow port 1755 system defined
Default mapping: cuseeme port 7648 system defined
Default mapping: tftp port 69 system defined
Default mapping: real-audio-video port 7070 system defined
Default mapping: streamworks port 1558 system defined
Default mapping: ftp port 21 system defined
Default mapping: h323 port 1720 system defined
Default mapping: smtp port 25 system defined
Default mapping: http port 80 system defined
Default mapping: msrpc port 135 system defined
Default mapping: exec port 512 system defined
Default mapping: login port 513 system defined
Default mapping: sql-net port 1521 system defined
Default mapping: tftp port 70 user defined
Host specific: ftp port 1000 in list 10 user defined
Host specific: netshow port 70 in list 10 user defined
Host specific: smtp port 70 in list 50 user defined
The following example shows the port mapping information for FTP services:
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user defined
The following example shows the ports associated with the NetShow application, including both the default and host-specific port mapping information:
Default mapping: netshow port 1755 system defined
Host specific: netshow port 21 in list 10 user defined
The following example shows the applications associated with port 69, including both the default and host-specific port mapping information:
Default mapping: tftp port 69 user defined
Host specific: netshow port 69 in list 50 user defined
Host specific: smtp port 69 in list 10 user defined
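A parser for the two show ip port-map line formats shown above, with an audit that lists host-specific entries which give a system-defined port a different application (for those hosts the firewall no longer inspects that port as the well-known protocol, so each such entry should be confirmed against intent). Added Python example, not Cisco code; the sample output is constructed from the documented format and the audit rule is this example's own.

```python
"""Parser for 'show ip port-map' output in the two line formats shown above,
plus an audit that lists host-specific entries overriding a system-defined
port. Added example, not Cisco code; the sample output is constructed and the
audit rule is this example's own."""
import re
from typing import NamedTuple, Optional

LINE_RE = re.compile(r"^(?P<kind>Default mapping|Host specific):\s+(?P<app>\S+)"
                     r"\s+port\s+(?P<port>\d+)(?:\s+in\s+list\s+(?P<acl>\d+))?"
                     r"\s+(?P<origin>system|user) defined\s*$")

class Entry(NamedTuple):
    app: str
    port: int
    acl: Optional[int]    # None for "Default mapping" lines
    system: bool          # True for "system defined"

def parse_port_map(text):
    """One Entry per non-blank output line; unknown formats raise ValueError."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised show ip port-map line: {line!r}")
        entries.append(Entry(m["app"], int(m["port"]),
                             int(m["acl"]) if m["acl"] else None,
                             m["origin"] == "system"))
    return entries

def overrides_of_system_ports(entries):
    """Host-specific entries that give a system-defined port a different
    application for the hosts in their ACL (e.g. netshow on 21 for list 10);
    returns (entry, system-defined application) pairs."""
    sysmap = {e.port: e.app for e in entries if e.acl is None and e.system}
    return [(e, sysmap[e.port]) for e in entries
            if e.acl is not None and e.port in sysmap and e.app != sysmap[e.port]]

# Constructed sample in the documented output format.
SAMPLE = """\
Default mapping: ftp port 21 system defined
Default mapping: tftp port 69 system defined
Default mapping: tftp port 70 user defined
Host specific: ftp port 1000 in list 10 user defined
Host specific: netshow port 21 in list 10 user defined
Host specific: smtp port 70 in list 50 user defined
"""

def audit(text=SAMPLE):
    return [f"list {e.acl}: port {e.port} is {e.app}, not {orig}"
            for e, orig in overrides_of_system_ports(parse_port_map(text))]
```

The smtp entry on port 70 is not reported because port 70 is only a user-defined default, not a system-defined one.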
Related Commands
Command | Description
ip port-map | Establishes PAM.