Application inspection is frequently referred to as fixup because the fixup protocol command
is used to configure application inspection for many of the supported protocols.
(Some other protocols are inspected as well but have no configurable fixup command.)
The show fixup command displays the applications/protocols that use the fixup protocol
command, together with their default port settings. These port numbers are the ones
the PIX Firewall listens on for each respective service, so traffic for a service on any
other port is not inspected as that service. The following output shows the default
fixup protocol commands enabled on a PIX Firewall running version 6.2.
Pix(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
Pix(config)#
If necessary, the port numbers can be changed for each service,
except rsh and sip. Remember that if a protocol such as HTTP is set to use another
port number, any connection established to that port number is interpreted as HTTP
data and inspected accordingly, whether or not the traffic really is HTTP.
Using the fixup protocol Command
Use the configuration mode fixup protocol commands to change, enable, or
disable application inspection for supported services or protocols passing through
the PIX Firewall. The command is global: any change applies to both inbound and
outbound connections, and it can't be restricted by port address changes in static
command statements. The basic syntax looks like the following, where protocol is one
of the protocol keywords shown in the preceding output and port_options is the port
or port range to inspect for that protocol.
Pix(config)# fixup protocol protocol [port_options]
The clear fixup command resets the fixup protocol settings to their defaults, but it
doesn't remove the default fixup protocol commands. To disable inspection for a
specific protocol, use the no fixup protocol protocol command without any options.
The no fixup protocol command is stored in the configuration.
Changes made using the fixup protocol command affect only future connections. For a
change to take effect immediately on existing connections, use the clear xlate command
to remove the existing translation and application inspection entries. Note that clear
xlate also drops the connections that depend on those translations, so on a production
firewall it should be run in a maintenance window.
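The following Python script is an added example and is not part of the original text or of Cisco's PIX software. It audits show fixup (or show running-config) output against the version 6.2 defaults listed above, reporting inspections that have been disabled, moved to other ports, or set to a non-default port for rsh and sip, which the page says cannot be changed. The add/remove semantics it assumes (a fixup protocol line adds a port, no fixup protocol with a port removes that port, no fixup protocol without a port disables the protocol) are this example's model, not a quotation of PIX documentation, and the sample output embedded in it is constructed, not captured from a real firewall.

```python
import re

# Default fixup set for PIX Firewall version 6.2, taken from the show fixup
# output on this page. h323 has two sub-protocols, keyed "h323 h225"/"h323 ras".
PIX_62_DEFAULT_FIXUPS = {
    "ftp": {21}, "http": {80}, "h323 h225": {1720}, "h323 ras": {1718, 1719},
    "ils": {389}, "rsh": {514}, "rtsp": {554}, "smtp": {25}, "sqlnet": {1521},
    "sip": {5060}, "skinny": {2000},
}

# The page states that the rsh and sip ports cannot be changed, so a
# non-default port for them is reported as invalid rather than merely changed.
FIXED_PORT_PROTOCOLS = {"rsh", "sip"}

# Matches "fixup protocol ftp 21", "fixup protocol h323 ras 1718-1719",
# "no fixup protocol rsh 514" and "no fixup protocol http". The optional
# "strict" keyword of the ftp fixup is accepted and ignored.
FIXUP_RE = re.compile(
    r"^\s*(?P<no>no\s+)?fixup\s+protocol\s+(?P<proto>[a-z0-9]+)"
    r"(?:\s+strict)?(?:\s+(?P<sub>h225|ras))?"
    r"(?:\s+(?P<ports>\d+(?:-\d+)?))?\s*$"
)


def expand_ports(spec):
    """'1718-1719' -> {1718, 1719}; '80' -> {80}."""
    lo, _, hi = spec.partition("-")
    first = int(lo)
    last = int(hi) if hi else first
    return set(range(first, last + 1))


def parse_fixups(text):
    """Build a protocol -> set-of-ports map from show fixup / show run lines.

    Assumed model (this example's, not PIX documentation): a "fixup protocol X
    port" line adds the port to X's set, "no fixup protocol X port" removes it,
    and "no fixup protocol X" with no port disables X. Non-fixup lines are skipped.
    """
    fixups = {}
    for line in text.splitlines():
        m = FIXUP_RE.match(line)
        if not m:
            continue  # prompts, banners, unrelated configuration lines
        key = m["proto"] + (" " + m["sub"] if m["sub"] else "")
        ports = fixups.setdefault(key, set())
        if m["no"]:
            if m["ports"]:
                ports.difference_update(expand_ports(m["ports"]))
            else:
                ports.clear()
        elif m["ports"]:
            ports.update(expand_ports(m["ports"]))
    return fixups


def audit_fixups(text, defaults=PIX_62_DEFAULT_FIXUPS):
    """Return sorted (severity, protocol, detail) tuples relative to defaults.

    disabled: a default inspection is off (line missing or negated)
    changed:  a different port set than the default is inspected
    invalid:  a fixed-port protocol (rsh, sip) is on a non-default port
    unknown:  a fixup not in the default table
    """
    current = parse_fixups(text)
    findings = []
    for key, default_ports in defaults.items():
        ports = current.get(key, set())
        if not ports:
            findings.append(("disabled", key, f"default port(s) {sorted(default_ports)}"))
        elif ports != default_ports:
            severity = "invalid" if key.split()[0] in FIXED_PORT_PROTOCOLS else "changed"
            findings.append((severity, key, f"inspecting {sorted(ports)}, default {sorted(default_ports)}"))
    for key, ports in current.items():
        if key not in defaults and ports:
            findings.append(("unknown", key, f"inspecting {sorted(ports)}"))
    return sorted(findings)


# Constructed sample output (not captured from a real firewall): HTTP has been
# extended to 8080, rsh has been disabled with "no fixup", and the smtp line is
# simply absent, which the audit also treats as disabled.
SAMPLE_SHOW_FIXUP = """\
Pix(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 8080
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol rsh 514
Pix(config)#
"""

if __name__ == "__main__":
    for severity, key, detail in audit_fixups(SAMPLE_SHOW_FIXUP):
        print(f"{severity:8} {key:10} {detail}")
```

Run against the constructed sample, the audit reports http as changed (80 and 8080 inspected), and rsh and smtp as disabled; against the unmodified 6.2 output shown earlier on this page it reports nothing. A "changed" finding for HTTP is worth a second look for exactly the reason given above: every connection to the added port is now treated as HTTP.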
The next pages look at the applications supported by the PIX Firewall application
inspection features and give a few examples of working with the fixup protocol
commands. For more information, a search for fixup on the www.cisco.com site offers a
wide selection of documents. Particularly for fast-moving technologies such as VoIP,
checking the latest documentation for the relevant fixup protocol is always wise.