Newbie question about Pix 506 config.

[Thilton]

Hello All,

Although I'm not new to firewalls I know practically nothing when it comes to the Cisco Pix 506. I have a client that has one and they are looking to replace it. I as looking at the configuration and was quickly confused about what I saw, specifically the following:

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

What the heck does this mean? I know this is a simple question but I'm at a loss

Thanks!

Troy

 

[8624]

the fixup protocals allow application the access the pix firewall via the that specific protocal
for example

fix protocol ftp 21 allow ftp traffic to flow throw the pix firewall.
fix up protocol http 80 allow the http traffic to flow through the pix

 

[Thilton]

OK. it is necessary to have all of these visible if I'm only using http and SMTP?

Troy

 

[tbissett]

The fixups do different things depending on the fixup. Basically, they are application inspection commands that add a little bit of security to specific protocols.

For example, fixup smtp 25 restricts mail communication to a few basic SMTP commands (i.e. no ESMTP stuff) in the name of security. Fixup FTP is used to manage all the dynamic connections created by and an active (vs. a passive) FTP connection.

In theory, you could turn off the fixups and SOME of the protocols would still work. For example, if you turned off the fixup FTP, passive FTP would still work, but no inbound FTP would.

I say "in theory" because it's almost always a good idea to leave them in there.

If you want to read more about them:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm

 

[Thilton]

Thanks! That explains a lot. I'll look at the article.

Troy