Jon Marshall Wed, 03/21/2007 - 01:40
Generally speaking the ASA and PIX devices are stateful firewalls. They keep state by using IP addresses/port numbers and TCP flags (e.g. SYN, SYN/ACK, etc.). They do not understand applications.

However there are some applications that they do understand and these are what the fixup commands are for. Some applications such as FTP, SQLNET etc. dynamically allocate ports for connections which is a nightmare for traditional firewalls, e.g.

When you connect to an Oracle database the client connects to port 1521. The server then sends another port number to the client. The client tears down the original connection and starts a new one to the new port.

Now imagine how bad this is for a firewall.

Say you have a database on a DMZ that outside users want to access. You allow port 1521 from outside but you also have to allow all ports above 1024, so that's 1024 - 65535 because you don't know the random port that will be sent back by the server to the client.

The fixup command for SQLNET monitors the initial connection setup. It extracts the port number sent back by the server to the client and temporarily opens up a channel for that port and that port only, i.e. you don't have to allow all random ports.

That is just an example of a fixup command. Other fixup commands might be for different purposes but in general the fixup commands are there for applications that would otherwise be very difficult to firewall securely.
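
The mechanism Jon describes (static rule for 1521, inspection of the server's redirect, a pinhole for that one port only) can be modelled in a few dozen lines. The following is an added illustration, not Cisco's code and not from the original post; the connect-descriptor text and the IP addresses are constructed, the parser is a simplified stand-in for the real SQL*Net REDIRECT packet, and the pinhole TTL and one-shot behaviour are assumptions of this toy model rather than documented PIX/ASA behaviour.

```python
"""Toy model of a stateful firewall with fixup-style SQL*Net inspection.

Constructed example for illustration; not Cisco code. The redirect payload
format below is a simplified stand-in for the real SQL*Net REDIRECT packet.
"""
from __future__ import annotations

import re

SQLNET_PORT = 1521

# Pulls the PORT= field out of a SQL*Net-style connect descriptor.
# Assumption: real inspection parses the binary packet, not a regex over text.
_PORT_RE = re.compile(rb"\(PORT=(\d{1,5})\)")


def naive_policy_allows(dport: int) -> bool:
    """The 'open everything above 1024' policy the post warns against."""
    return dport == SQLNET_PORT or 1024 <= dport <= 65535


class InspectingFirewall:
    """Stateful firewall that opens one time-limited pinhole per redirect."""

    def __init__(self, pinhole_ttl: float = 30.0):
        self.pinhole_ttl = pinhole_ttl
        # (client_ip, server_ip, port) -> expiry timestamp
        self.pinholes: dict[tuple[str, str, int], float] = {}

    def allows(self, client: str, server: str, dport: int, now: float) -> bool:
        """Decide on an outside -> DMZ connection attempt made at time `now`."""
        if dport == SQLNET_PORT:
            return True  # the static rule for the listener port
        key = (client, server, dport)
        expiry = self.pinholes.get(key)
        if expiry is None:
            return False  # no pinhole: everything else above 1024 stays closed
        if expiry <= now:
            del self.pinholes[key]  # stale pinhole: discard it and deny
            return False
        # One-shot pinhole (model assumption): consumed by the connection using it.
        del self.pinholes[key]
        return True

    def inspect_reply(self, client: str, server: str,
                      payload: bytes, now: float) -> int | None:
        """Inspect the server's reply on the 1521 control connection.

        If it carries a redirect to another port, open a pinhole for that
        port only, scoped to this client/server pair and time-limited.
        """
        m = _PORT_RE.search(payload)
        if not m:
            return None
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None  # malformed redirect: open nothing
        self.pinholes[(client, server, port)] = now + self.pinhole_ttl
        return port


def demo() -> dict:
    """Walk through the exchange from the post with constructed values."""
    fw = InspectingFirewall(pinhole_ttl=30.0)
    client, server = "198.51.100.7", "192.0.2.10"  # constructed (documentation ranges)
    t0 = 1000.0
    results = {}
    results["listener"] = fw.allows(client, server, SQLNET_PORT, t0)
    results["before_inspect"] = fw.allows(client, server, 1540, t0)
    # Constructed redirect payload in the shape of a SQL*Net connect descriptor.
    redirect = b"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=1540)))"
    results["redirect_port"] = fw.inspect_reply(client, server, redirect, t0)
    results["other_port"] = fw.allows(client, server, 1541, t0 + 1)
    results["other_client"] = fw.allows("203.0.113.9", server, 1540, t0 + 1)
    results["pinhole"] = fw.allows(client, server, 1540, t0 + 1)
    results["reused"] = fw.allows(client, server, 1540, t0 + 2)
    fw.inspect_reply(client, server, redirect, t0)  # open again, then let it age
    results["expired"] = fw.allows(client, server, 1540, t0 + 60)
    results["naive_50000"] = naive_policy_allows(50000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value}")
```

The contrast to look for is `naive_50000` (the blanket 1024-65535 rule lets an unrelated port through with no state at all) against `other_port` and `other_client` (the inspecting firewall admits only the redirected port, only for the client that was redirected, and only until the pinhole is used or expires).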



cindylee27 Wed, 03/21/2007 - 02:36

Jon, you are really right on the ball..:D

Now I can understand it clearly,

Thanks for that again!



