Migrating IOS 15.5 (2901) PAM / ZBFW Configuration to IOS XE (4331)

johnhart
Level 1

Hi Cisco SMEs,

My problem has been raised before, some time ago in 2017; see this Community post on "Defining custom PAM or protocol for ZBF", and here "IP Port map custom protocol in IOS XE".

Both of these only identified that there was an issue, but not what the workaround or solution was.

So here is a statement of the problem:

1. I am in the process of moving my Cisco 2901/IOS 15.5 ZBFW configuration to a Cisco 4331 router with AX, SEC & IPBASE licenses

2. My existing configuration includes a number of "custom PAM" (PAM = Port to Application Mapping) definitions (see below):

ip port-map user-xmpp-5223 port tcp 5223 description xmpp 5223
ip port-map user-xmpp-5222 port tcp 5222 description xmpp 5222
ip port-map user-caldav port tcp 8008 description CalDAV Calendar
ip port-map user-reghttps port tcp 7443 description Harbor Registry HTTPS
ip port-map user-carddavs port tcp 8843 description CardDAV Address SSL
ip port-map user-smtps-587 port tcp 587 description smtps SSL 587
ip port-map user-smtps-465 port tcp 465 description smtps SSL 465
ip port-map user-caldavs port tcp 8443 description CalDAV Calendar SSL
ip port-map user-carddav port tcp 8800 description CardDAV Address
ip port-map user-xmpp-fed port tcp 5269 description xmpp federation
ip port-map user-pushnot-2195 port tcp 2195 description Apple Push Notifications 2195
ip port-map user-pushnot-2196 port tcp 2196 description Apple Push Notifications 2196

3. These are then used to define ZBFW matching criteria ... here is a simple example

class-map type inspect match-any XMPP-FED-PROTOCOLS
 match protocol user-xmpp-fed

4. The problem is that both IOS XE 15.5 and 16.4.4 on the 4331 do not support "user defined PAM", and the available system PAM definitions do not cover the ports that are defined in my existing custom PAM definitions. This is as found in the original link I posted.

The response to this was:

- "Looks like the command is not supported on the version that you are running."

This is totally unhelpful.

I did a check via "Cisco Feature Navigator", which indicates that the feature is available in both 16.6.5 & 15.5 for the ISR4331, when it clearly is not fully supported as per the prior IOS 15.5 on the 2901.

Could someone please advise a workaround.

Ideally this should be able to:

- Work with 15.5 or 16.6, if it is a workaround

- Not require a "Smart Licensed" IOS-XE version, if there is an IOS XE version that provides full PAM functionality including custom PAM definitions (i.e. version < 16.10), as per the prior IOS 15.5 version.

- If the only solution available is with a smart-licensed version of IOS XE (i.e. >= 16.10), then has it been verified/confirmed that this provides equivalent functionality to the 2901 15.5 PAM?

Thank you for any feedback on IOS XE versions / workarounds.

John.


1 Reply

johnhart
Level 1

Hi IOS’ers,

My workaround for this was to "hijack" an existing (but unused in my network) PAM.

So for XMPP, which uses 3 ports/services:

1. For comms: 5222

2. For notifications: 5223

3. For Federation: 5269

This looks like:

!
access-list 10 remark XMPP port-map user-xmpp-5223 user-xmpp-fed substitute
access-list 10 permit XXX.XXX.XXX.35
!
! In this case for XMPP I decided to hijack the Lotus Notes and IPX PAMs, as
!   there is no Lotus Notes server or IPX on my network. Lotus Notes includes two
!   applications (lotusnote, lotusmtap), with IPX used for notifications.
!
! So, to ensure that the hijack configuration does not open any unneeded ports,
! I disabled the default PAMs and added new ones. The "list 10" keyword limits
! each mapping to the host(s) permitted by access-list 10.
!
no ip port-map lotusnote
no ip port-map lotusmtap
no ip port-map ipx
ip port-map lotusnote port tcp 5222 list 10 description xmpp 5222
ip port-map ipx port tcp 5223 list 10 description xmpp 5223
ip port-map lotusmtap port tcp 5269 list 10 description xmpp federation 5269
!

Happy router management.

John
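As an added example (not John's configuration and not a Cisco tool), a small Python helper that generates the "hijacked PAM" lines from the original user-defined entries, rewrites the class-map references that pointed at the old names, and flags any class-map that already matched the reused system PAM, since that one now inspects the new port instead of the original application. The sample config, the substitute table and the ACL number are constructed assumptions.

```python
import re

# Constructed sample of the 2901 config: user-defined PAM lines plus two class-maps.
SAMPLE_CONFIG = """\
ip port-map user-xmpp-5223 port tcp 5223 description xmpp 5223
ip port-map user-xmpp-5222 port tcp 5222 description xmpp 5222
ip port-map user-xmpp-fed port tcp 5269 description xmpp federation
class-map type inspect match-any XMPP-FED-PROTOCOLS
 match protocol user-xmpp-fed
class-map type inspect match-any OLD-NOTES
 match protocol lotusnote
"""
# Assumed mapping: each custom PAM -> a system PAM that is unused on this network.
SUBSTITUTES = {"user-xmpp-5222": "lotusnote", "user-xmpp-5223": "ipx",
               "user-xmpp-fed": "lotusmtap"}

PORTMAP_RE = re.compile(r"^ip port-map (?P<name>\S+) port (?P<proto>tcp|udp) "
                        r"(?P<port>\d+)(?: description (?P<desc>.+))?$")
MATCH_RE = re.compile(r"^(\s*match protocol )(\S+)$")

def parse_user_port_maps(config):
    """Return {name: (proto, port, description)} for the 'user-*' PAM lines."""
    maps = {}
    for line in config.splitlines():
        m = PORTMAP_RE.match(line.strip())
        if m and m["name"].startswith("user-"):
            maps[m["name"]] = (m["proto"], int(m["port"]), m["desc"] or "")
    return maps

def build_migration(config, substitutes, acl):
    """Return (new PAM lines, rewritten config lines, warnings) for the workaround."""
    if len(set(substitutes.values())) != len(substitutes):
        raise ValueError("one system PAM name cannot carry two different ports")
    maps = parse_user_port_maps(config)
    pam_lines = []
    for old, new in substitutes.items():
        proto, port, desc = maps[old]               # KeyError if the custom PAM is absent
        pam_lines.append(f"no ip port-map {new}")   # drop the application's default port
        pam_lines.append(f"ip port-map {new} port {proto} {port} list {acl} description {desc}")
    rewritten, warnings = [], []
    for line in config.splitlines():
        if line.startswith("ip port-map user-"):
            continue                                # unsupported on IOS XE; replaced above
        m = MATCH_RE.match(line)
        if m and m[2] in substitutes:               # point class-maps at the substitute name
            line = m[1] + substitutes[m[2]]
        elif m and m[2] in substitutes.values():    # reused name now means the new port
            warnings.append(f"{line.strip()!r} now inspects the reassigned port")
        rewritten.append(line)
    return pam_lines, rewritten, warnings
```

The warning list is the check worth reading before pasting the output: any class-map it names was matching the original application and will silently start inspecting the hijacked port.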
