Munit Singla wrote:
> 
> Hi Eric,
> Thanks for the reply.
> Can you tell me with which command we can assign different ports
> to the same keyword?
> Regards,
> Munit
> 

Port to Application Mapping (PAM) is a feature of the Cisco IOS Firewall
feature set. PAM allows you to customize TCP or UDP port numbers for network
services or applications. PAM uses this information to support network
environments that run services using ports that are different from the
registered or well-known ports associated with an application.

Using the port information, PAM establishes a table of default
port-to-application mapping information at the firewall. The information in
the PAM table enables Context-based Access Control (CBAC) supported services
to run on nonstandard ports. Previously, CBAC was limited to inspecting
traffic using only the well-known or registered ports associated with an
application. Now, PAM allows network administrators to customize network
access control for specific applications and services.

If you aren't using CBAC, I don't know if you can do this, though.

More on PAM here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfpam.htm#13687

Regarding the comment below that CBAC uses the keyword "http" instead of the
"www" used in extended access lists, I agree that's strange. It almost seems
like CBAC came from a Cisco acquisition perhaps. It's different enough from
ordinary IOS to make one wonder.

Priscilla


> "Erick B." wrote:
> 
> > Agreed. They do have a way to map additional ports to
> > the pre-defined services though. So for telnet for
> > example you can add port 233, 2333, etc so when you
> > specify 'telnet' in an ACL (or similar list) it
> > matches port 23, 233, and 2333.
> >
> > What's weird is I was looking at this yesterday, and
> > for some ACL stuff the keyword is http and for other
> > stuff it is www. I'm sure there's other keywords that
> > mean the same as others but that's the one I noticed.
> > Then again I don't think port-map matches up to all the ACL
> > keywords, I think it matches up against some other
> > security features. I've used it for telnet in ACLs
> > though with no problems in the past.
> >
> > I guess consistency with port #s and service names
> > would be a good thing. Maybe it would be nice if they
> > didn't hardcode these in IOS but referenced a services
> > file on the flash that could be editable like in most
> > OSes. I think this may happen... it seems they are
> > starting to clean up IOS and get rid of old protocols
> > and modularize stuff so it uses similar syntax. MQC
> > for example.
> >
> > --- Priscilla Oppenheimer wrote:
> > > You're assuming IOS is a modern operating system or something akin to a
> > > data dictionary or programming language. It's not. :-) If the IOS
> > > engineers include keywords in the command line interface, then you can
> > > use them. If they don't, you can't.
> > >
> > > Your idea sounds like a good one though. You could suggest it to Cisco,
> > > but I don't think they could easily accommodate such a change in
> > > philosophy.
> > >
> > > Priscilla
> > >
> > > Munit Singla wrote:
> > > >
> > > > Hi,
> > > > There are default ports given in the IOS. We can use both to refer to
> > > > those ports by names as well as port numbers. Can we customize it and
> > > > add ports to the default list by names, not by numbers? Or I want to use
> > > > customized ports used for my applications by names in my access list.
> > > > Is there any command to create customized ports by name?
> > > > See what my problem is: when we make extended access lists we can
> > > > define source and destination ports. There is a standard list of ports
> > > > there to be used in access lists that we can use by number or name. If
> > > > we want to customize the port according to our default application we
> > > > can add that port by number only. Is there a way to refer to those
> > > > ports by names in my access list, and can we add these customized
> > > > TCP/UDP ports to the default list which is displayed, so that we can
> > > > refer to it whenever we like in our access-lists by name?
> > > > Example:
> > > > access-list 100 permit tcp any any eq Nortonvirus
> > > > Here the Nortonvirus keyword should refer to port 5000, and this name
> > > > and port mapping should get added to the default list so that I can
> > > > refer to it later. Here I am assuming Norton's application is using
> > > > port number 5000.
> >
> 
> 

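As an added illustration (not configuration posted by anyone in this thread), this is how the PAM table described in the reply above is populated and then consumed by a CBAC inspection rule on a Cisco IOS Firewall router, using the telnet-on-233/2333 case mentioned earlier plus a host-specific mapping; the interface names, ACL numbers and the 192.0.2.10 address are assumed.

```cisco
! Added example (hypothetical router): PAM entries feeding CBAC inspection.
! Map telnet to two additional ports system-wide, so the firewall treats
! sessions on 233 and 2333 as telnet in addition to the default port 23.
ip port-map telnet port 233
ip port-map telnet port 2333
!
! Host-specific mapping: treat port 8080 as http only for the server named
! in standard ACL 10 (address is an assumed example). Elsewhere, 8080 is
! not mapped, which keeps the mapping as narrow as the application needs.
access-list 10 permit host 192.0.2.10
ip port-map http port 8080 list 10
!
! CBAC inspection rule; the http inspection consults the PAM table, so
! traffic to 192.0.2.10:8080 is inspected as http.
ip inspect name FWRULE tcp
ip inspect name FWRULE http
!
! Outside-facing ACL: CBAC dynamically opens return traffic for inspected
! sessions; everything else is denied and logged.
access-list 101 deny ip any any log
!
interface Ethernet0
 description inside
 ip inspect FWRULE in
!
interface Serial0
 description outside
 ip access-group 101 in
!
! Verify the resulting table (system defaults plus the user entries above):
!   show ip port-map
!   show ip port-map telnet
```

The `ip port-map` entries change what CBAC recognises as an application; they do not add new keywords to the extended access-list parser, which is why the reply above ties this feature to CBAC.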



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59394&t=59276