Upgrade PIX515 to ASA5510: how to turn off fixup

Unanswered Question
Feb 7th, 2007

On our PIX515 6.2(4) we had to do "no fixup protocol ftp 21" to prevent our ftps from hanging. How can we do the equivalent command in the ASA 7.2(1)? I've seen posts about the "inspect ftp" in the global policy, and other posts about modular policy control, but I'm just not sure how to do the equivalent of the "no fixup". Does anyone know? Does the default "FTP MODE PASSIVE" affect this?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
daviddtran Wed, 02/07/2007 - 12:21

with Pix 7.2(1), just type "no fixup protocol ftp 21" and it will work for you. the command

is backward compatible

calterio Wed, 02/07/2007 - 12:28

Thank you. I tried to enter the command but received:

# no fixup protocol ftp 21

WARNING: 'no fixup ...' command not processed because no global policy-map is en

abled

I thought the default global policy-map was automatically in the config, much like the default fixup statements were in the config for the PIX. Am I mistaken?

acomiskey Wed, 02/07/2007 - 12:24

try "no inspect ftp"

policy-map global_policy

class inspection_default

no inspect ftp

calterio Wed, 02/07/2007 - 12:30

I get:

ERROR: % class-map inspection_default not configured

daviddtran Wed, 02/07/2007 - 12:33

CiscoPix# sh ver

Cisco PIX Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders

System image file is "flash:/pix722.bin"

Config file at boot was "startup-config"

CiscoPix up 2 days 3 hours

Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10

1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11

2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 6

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a Restricted (R) license.

Serial Number: xxxxxxx

Running Activation Key: 0xxxxxxxx0 0xxxxxx 0xxxxxx 0xbxxxxxx

Configuration last modified by enable_15 at 02:28:16.627 UTC Wed Feb 7 2007

CiscoPix# conf t

CiscoPix(config)# no fixup protocol ftp 21

CiscoPix(config)#

David

CCIE Security

calterio Wed, 02/07/2007 - 13:11

Here's mine:

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root

System image file is "disk0:/asa721-k8.bin"

Config file at boot was "startup-config"

Ciscoasa up 43 mins 27 secs

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 0019.5517.aaaa, irq 9

1: Ext: Ethernet0/1 : address is 0019.5517.bbbb, irq 9

2: Ext: Ethernet0/2 : address is 0019.5517.cccc, irq 9

3: Ext: Ethernet0/3 : address is 0019.5517.dddd, irq 9

4: Ext: Management0/0 : address is 0019.5517.eeee, irq 11

5: Int: Not licensed : irq 11

6: Int: Not licensed : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 5

GTP/GPRS : Disabled

VPN Peers : 250

WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

Serial Number: xxxxxxxxxx

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Ciscoasa# conf t

Ciscoasa(config)# no fixup protocol ftp 21

WARNING: 'no fixup ...' command not processed because no global policy-map is en

abled

No matching protocol-port pair found, fixup not removed

calterio Thu, 02/08/2007 - 06:47

I'm guessing that the global-policy is not defined by default, like the fixup protocol statements are. I know they don't show up in the 'wr t/sh conf' but I thought something was still there. So, should I be okay with the FTP? If I have problems, and changing 'ftp mode passive' to 'ftp mode active' doesn't fix the problem, should I try adding the 'inspect ftp' or is there something else that might be the problem? One of the PIX devices that we're replacing with an ASA5510 has VoIP traffic flowing through it. I've seen posts about the need for the fixup/inspect for h323 in order for it to work. Should I implement the global policy with the inspect statements for h323, or wait and see if it's a problem? What errors or symptoms on the ASA should I be looking for? Thanks,

Actions

This Discussion