Default PAM table of Router 3

20 Mar

Listing 4.11: Default PAM table of Router 3.

Router-3#show ip port-map
Default mapping: vdolive port 7000 system defined
Default mapping: sunrpc port 111 system defined
Default mapping: netshow port 1755 system defined
Default mapping: cuseeme port 7648 system defined
Default mapping: tftp port 69 system defined
Default mapping: rtsp port 8554 system defined
Default mapping: realmedia port 7070 system defined
Default mapping: streamworks port 1558 system defined
Default mapping: ftp port 21 system defined
Default mapping: telnet port 23 system defined
Default mapping: rtsp port 554 system defined
Default mapping: h323 port 1720 system defined
Default mapping: sip port 5060 system defined
Default mapping: smtp port 25 system defined
Default mapping: http port 80 system defined
Default mapping: msrpc port 135 system defined
Default mapping: exec port 512 system defined
Default mapping: login port 513 system defined
Default mapping: sql-net port 1521 system defined
Default mapping: shell port 514 system defined
Default mapping: mgcp port 2427 system defined
Router-3#

System-defined table entries are fundamental to the port-to-application mapping process, and as mentioned earlier, a user-defined entry cannot be mapped over a system-defined entry. Attempting to map HTTP to port 21, the system-defined port for FTP, is therefore rejected. Listing 4.12 shows such an attempt and the error the router returns.

Listing 4.12: Attempt to map over a system-defined entry.

Router-3#config t
Router-3(config)#ip port-map http port 21
Command fail: the port 21 has already been defined for ftp by the system.
No change can be made to the system defined port-mappings.
Router-3(config)#end
Router-3#

Host-defined entries are user-defined entries with finer granularity: they apply on a per-host or per-subnet basis rather than globally. In Figure 4.7, three hosts on the inside network need FTP access to a host on the outside network of Router 3, and that outside host runs FTP only on port 7142. To create host-defined entries for FTP on Router 3, you first configure a standard access list that names the hosts the mapping applies to and then bind it to the ip port-map command with the list keyword. Listing 4.13 shows the configuration.

Figure 4.7: Hosts that need PAM configuration.
Listing 4.13: Creating host-defined entries on Router 3.

Router-3#config t
Router-3(config)#access-list 1 permit 192.168.10.240
Router-3(config)#access-list 1 permit 192.168.11.16
Router-3(config)#access-list 1 permit 192.168.11.112
Router-3(config)#ip port-map ftp port 7142 list 1
Router-3(config)#end

If you examine the output of the show ip port-map command, you can see that Router 3 has created the host-defined entry and bound it to access list 1. Listing 4.14 shows the relevant part of the show ip port-map output with the newly created host-defined entry in the PAM table.

Listing 4.14: Display of the host-defined PAM table entries.

Router-3#show ip port-map
Default mapping: http port 80 system
Host specific: ftp port 7142 in list 1 user
Default mapping: ftp port 21 system
Default mapping: msrpc port 135 system
Default mapping: exec port 512 system
Default mapping: login port 513 system
Default mapping: sql-net port 1521 system
Default mapping: shell port 514 system
Default mapping: mgcp port 2427 system
Router-3#

Just as host-specific entries can populate the PAM table (as demonstrated in the configuration above), so can subnet-specific entries. The three hosts in Listing 4.13 need FTP access to an outside host on port 7142; in addition, every host on the 192.168.10.0 and 192.168.11.0 subnets needs to reach a RealVideo (realmedia) server on the outside network on port 5050 instead of the default 7070. To configure subnet-defined entries, create a new standard access list whose entries carry a wildcard mask covering each subnet, and bind it to the ip port-map command. Listing 4.15 shows the configuration.

Listing 4.15: Subnet-defined PAM configuration.

Router-3#config t
Router-3(config)#access-list 2 permit 192.168.10.0 0.0.0.255
Router-3(config)#access-list 2 permit 192.168.11.0 0.0.0.255
Router-3(config)#ip port-map realmedia port 5050 list 2
Router-3(config)#end
Router-3#

Pay particular attention to the wildcard mask that follows each address in Listing 4.15. A standard access list entry written without a wildcard mask matches exactly one address (IOS assumes a mask of 0.0.0.0), so the line access-list 2 permit 192.168.10.0 on its own would match only the address 192.168.10.0 and none of the hosts on that subnet. The mask 0.0.0.255 tells the router to ignore the last octet, which makes each entry cover the whole class C subnet; it is the access list, not the ip port-map entry, that decides whether a mapping is host-specific or subnet-specific, and the PAM table lists both kinds as "Host specific". Issuing the show ip port-map command again displays the PAM table for Router 3. Listing 4.16 shows the output of the PAM table.

Listing 4.16: Output of the PAM table on Router 3.

Router-3#sh ip port-map
Default mapping: netshow port 1755 system
Host specific: realmedia port 5050 in list 2 user
Default mapping: realmedia port 7070 system
Default mapping: ftp port 21 system
Host specific: ftp port 7142 in list 1 user
Default mapping: mgcp port 2427 system
Router-3#

Listing 4.12 showed that a system-defined entry cannot be overwritten globally; a host-specific or subnet-specific entry, however, can override the system entry for a port for the hosts in its access list, and this works for any system-defined port. Referring again to Listing 4.13, Router 3 was configured with a port table mapping for each of the three hosts listed so that they could reach an FTP server on the outside network on port 7142. The three hosts now also need to reach a Web server on the outside network that listens on port 21, the port normally used by FTP. Router 3 therefore needs a PAM table entry that maps HTTP to port 21 for those three hosts only. To configure Router 3 to meet the new requirement and override the system-defined entry for these hosts, use the configuration shown in Listing 4.17. The access list 1 entries already exist from Listing 4.13, so only the ip port-map line is new.

Listing 4.17: Router 3 configured to override system-defined entries.

Router-3#config t
Router-3(config)#access-list 1 permit 192.168.10.240
Router-3(config)#access-list 1 permit 192.168.11.16
Router-3(config)#access-list 1 permit 192.168.11.112
Router-3(config)#ip port-map http port 21 list 1
Router-3(config)#end

First, notice that the router did not return an error this time: because the mapping is bound to an access list, it is a host-specific override rather than a change to the system-defined entry. The output of the show ip port-map command confirms that HTTP now has a user-defined, host-specific mapping on port 21 alongside the system-defined FTP mapping on that port. Keep in mind that the override applies to all port 21 traffic for the hosts in list 1, so a genuine FTP session from one of them to port 21 would be inspected as HTTP rather than FTP. Listing 4.18 displays the output.

Listing 4.18: Display of PAM table on Router 3.

Router-3#sh ip port-map
Default mapping: vdolive port 7000 system
Host specific: realmedia port 5050 in list 2 user
Default mapping: realmedia port 7070 system
Default mapping: ftp port 21 system
Host specific: http port 21 in list 1 user
Default mapping: http port 80 system
Default mapping: exec port 512 system
Default mapping: login port 513 system
Default mapping: sql-net port 1521 system
Default mapping: shell port 514 system
Host specific: ftp port 7142 in list 1 user
Default mapping: mgcp port 2427 system
Router-3#

Finally, two new inside hosts need to reach two different outside hosts using different services on the same port number. The host 192.168.10.118 needs to Telnet to an external host that runs Telnet on port 6200, and the host 192.168.11.205 needs to reach a Microsoft NetShow server on the external network that also listens on port 6200. Because each mapping is bound to its own access list, the two applications can share the port without conflicting. The configuration for Router 3 in Listing 4.19 meets both requirements.

Listing 4.19: Configuration of mapping different hosts to the same port.

Router-3#config t
Router-3(config)#access-list 12 permit 192.168.10.118
Router-3(config)#access-list 13 permit 192.168.11.205
Router-3(config)#ip port-map telnet port 6200 list 12
Router-3(config)#ip port-map netshow port 6200 list 13
Router-3(config)#end

The final PAM-related configuration of Router 3 can be displayed with the show running-config command (see Listing 4.20).

Listing 4.20: Final configuration of Router 3.

Router-3#sh ru
Building configuration...
!
ip port-map http port 6100
ip port-map http port 6101
ip port-map http port 6102
ip port-map http port 6103
ip port-map http port 6104
ip port-map http port 6105
ip port-map realmedia port 5050 list 2
ip port-map http port 21 list 1
ip port-map ftp port 7142 list 1
ip port-map netshow port 6200 list 13
ip port-map telnet port 6200 list 12
!
access-list 1 permit 192.168.11.112
access-list 1 permit 192.168.11.16
access-list 1 permit 192.168.10.240
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.11.0 0.0.0.255
access-list 12 permit 192.168.10.118
access-list 13 permit 192.168.11.205
!

After viewing the final PAM configuration, you can display the final PAM table on Router 3 with the show ip port-map command. Listing 4.21 shows the complete PAM table for Router 3, including the system-defined entries, the user-defined entries (the HTTP mappings on ports 6100 through 6105), and the host-defined and subnet-defined entries.

Listing 4.21: Complete PAM table for Router 3.

Router-3#sh ip port-map
Default mapping: vdolive port 7000 system
Default mapping: http port 6100 user
Default mapping: sunrpc port 111 system
Default mapping: http port 6101 user
Default mapping: netshow port 1755 system
Default mapping: http port 6102 user
Default mapping: http port 6103 user
Default mapping: http port 6104 user
Default mapping: http port 6105 user
Host specific: realmedia port 5050 in list 2 user
Default mapping: cuseeme port 7648 system
Default mapping: tftp port 69 system
Default mapping: rtsp port 8554 system
Default mapping: realmedia port 7070 system
Default mapping: streamworks port 1558 system
Default mapping: ftp port 21 system
Host specific: http port 21 in list 1 user
Default mapping: telnet port 23 system
Default mapping: rtsp port 554 system
Default mapping: h323 port 1720 system
Default mapping: sip port 5060 system
Default mapping: smtp port 25 system
Default mapping: http port 80 system
Default mapping: msrpc port 135 system
Default mapping: exec port 512 system
Default mapping: login port 513 system
Default mapping: sql-net port 1521 system
Default mapping: shell port 514 system
Host specific: ftp port 7142 in list 1 user
Default mapping: mgcp port 2427 system
Host specific: netshow port 6200 in list 13 user
Host specific: telnet port 6200 in list 12 user
Router-3#
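As an added example (not the book's code and not Cisco IOS code), the Python below models how the PAM table just shown is consulted. It parses show ip port-map lines and standard access-list lines in the format of Listings 4.20 and 4.21, evaluates the access lists with IOS first-match and wildcard-mask semantics, and resolves a host and port to the application CBAC would inspect, giving list-bound (host-specific and subnet-specific) entries precedence over the default mapping for the port. It also reproduces the refusal from Listing 4.12 and shows why the subnet entries of Listing 4.15 need a wildcard mask. The sample table and access lists are constructed from the listings in this section (access-list 2 is given 0.0.0.255 masks); evaluating the access list against the inside host's address is an assumption, as are all function names.

```python
"""Model of CBAC port-to-application mapping (PAM) lookups.

Added example, not from the book and not IOS code. Assumes the access list
bound to a PAM entry is evaluated against the inside host's address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
PAM_RE = re.compile(
    r"^(?:Default mapping|Host specific):\s+(\S+)\s+port\s+(\d+)"
    r"(?:\s+in\s+list\s+(\d+))?\s+(system|user)(?:\s+defined)?$"
)


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    addr: int      # IPv4 address as an integer
    wildcard: int  # wildcard mask; 1 bits are "don't care"


@dataclass(frozen=True)
class PamEntry:
    app: str
    port: int
    origin: str                # "system" or "user"
    acl: Optional[int] = None  # standard ACL number for host/subnet entries


def parse_acls(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse numbered standard ACL lines, keeping entry order for first-match."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, addr, extra = m.groups()
        if addr == "any":
            a, w = 0, 0xFFFFFFFF
        elif addr == "host":  # "permit host 10.0.0.1"
            a, w = int(ipaddress.IPv4Address(extra)), 0
        else:
            a = int(ipaddress.IPv4Address(addr))
            # IOS: no wildcard mask means 0.0.0.0, i.e. exactly one address.
            # "permit 192.168.10.0" matches only 192.168.10.0, not the subnet;
            # "permit 192.168.10.0 0.0.0.255" covers the whole /24.
            w = int(ipaddress.IPv4Address(extra)) if extra else 0
        acls.setdefault(int(num), []).append(AclEntry(action, a, w))
    return acls


def acl_permits(entries: List[AclEntry], ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    a = int(ipaddress.IPv4Address(ip))
    for e in entries:
        care = 0xFFFFFFFF ^ e.wildcard
        if (a & care) == (e.addr & care):
            return e.action == "permit"
    return False


def parse_port_map(text: str) -> List[PamEntry]:
    """Parse `show ip port-map` output into PamEntry objects (order kept)."""
    table = []
    for line in text.splitlines():
        m = PAM_RE.match(line.strip())
        if m:
            app, port, acl, origin = m.groups()
            table.append(PamEntry(app, int(port), origin, int(acl) if acl else None))
    return table


def resolve(table: List[PamEntry], acls: Dict[int, List[AclEntry]],
            host_ip: str, port: int) -> Optional[str]:
    """Application CBAC inspects on `port` for traffic of `host_ip`.

    List-bound entries are consulted first, so a host- or subnet-specific
    mapping overrides the default mapping for that host only.
    """
    for e in table:
        if e.port == port and e.acl is not None and acl_permits(acls.get(e.acl, []), host_ip):
            return e.app
    for e in table:
        if e.port == port and e.acl is None:
            return e.app
    return None


def add_user_mapping(table: List[PamEntry], app: str, port: int,
                     acl: Optional[int] = None) -> None:
    """Mimic `ip port-map <app> port <port> [list <acl>]` with the one refusal
    rule of Listing 4.12: a system-defined port cannot be remapped globally,
    but it can be overridden for the hosts of an access list."""
    for e in table:
        if e.port == port and e.origin == "system" and acl is None:
            raise ValueError(f"port {port} has already been defined for {e.app} by the system")
    table.append(PamEntry(app, port, "user", acl))


# Constructed sample data in the format of Listings 4.20 and 4.21 (abridged).
SAMPLE_ACLS = """\
access-list 1 permit 192.168.11.112
access-list 1 permit 192.168.11.16
access-list 1 permit 192.168.10.240
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.11.0 0.0.0.255
access-list 12 permit 192.168.10.118
access-list 13 permit 192.168.11.205
""".splitlines()

SAMPLE_PORT_MAP = """\
Default mapping: vdolive port 7000 system defined
Default mapping: http port 6100 user
Host specific: realmedia port 5050 in list 2 user
Default mapping: realmedia port 7070 system
Default mapping: ftp port 21 system
Host specific: http port 21 in list 1 user
Default mapping: telnet port 23 system
Default mapping: http port 80 system
Host specific: ftp port 7142 in list 1 user
Host specific: netshow port 6200 in list 13 user
Host specific: telnet port 6200 in list 12 user
"""

if __name__ == "__main__":
    table = parse_port_map(SAMPLE_PORT_MAP)
    acls = parse_acls(SAMPLE_ACLS)
    for host, port in [("192.168.10.240", 21), ("192.168.10.9", 21),
                       ("192.168.11.77", 5050), ("192.168.10.118", 6200),
                       ("192.168.11.205", 6200)]:
        print(f"{host}:{port} -> {resolve(table, acls, host, port)}")
```

Run the file directly to print the resolutions for the hosts used in this section; the same port (21 or 6200) yields a different application depending on which access list the host matches, and the subnet entry only matches other hosts on 192.168.10.0 and 192.168.11.0 because of the wildcard masks.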
