03-28-2007 02:26 PM - edited 03-05-2019 03:10 PM
Hi all, I have seen on my firewall where you have services, i.e. h323 etc., and we can turn these off and on etc. Is this for fixup? What does this do?
03-29-2007 12:11 AM
Hi,
Yes, it is for fixups. To know how fixup works and what it does, check these out:
For 6.0, on fixup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm
Check this link for details on fixup/inspect on 7.0:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm
Raj
03-29-2007 01:10 AM
Thanks for your help. Can you give me a quick explanation of what they actually do? Is it where, say, FTP goes out on 20, then comes back in on 21? Is it when there can be multiple ports for the given session?
03-29-2007 05:30 AM
Hi,
In a nutshell,
The fixup ftp command inspects the FTP sessions and performs four tasks:
(i) prepare dynamic secondary data connection;
(ii) track FTP command-response sequence;
(iii) generate audit trail;
(iv) NAT application embedded IP address.
The port number defines the well-known service port where the FTP client initiated to connect to the FTP server. This port is usually 21. However, a different and non-standard port can be specified.
Raj
03-29-2007 08:35 AM
Can you give me a general overview of the fixup? I saw on another firewall the same thing, but called proxies?
04-03-2007 02:18 AM
Hi Carl,
Some protocols like FTP, HTTP etc. need to dynamically negotiate source or destination ports or IP addresses.
A good security appliance has to inspect packets above the network layer and do the following as required by the protocol or application:
1. Securely open and close negotiated ports and IP addresses for legitimate client-server connections through the security appliance
2. Use Network Address Translation (NAT)-relevant instances of IP addresses inside a packet
3. Use port address translation (PAT)-relevant instances of ports inside a packet
4. Inspect packets for signs of malicious application misuse
Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.
The application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or User Datagram Protocol (UDP) ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. For example: the FTP client is in active mode, opening a control channel between its port 2008 and the FTP server port 21. When data is to be exchanged, the FTP client alerts the FTP server through the control channel that it expects the data to be delivered back from FTP server port 20 to its port 2010. If FTP inspection is not enabled, the return data from FTP server port 20 to FTP client port 2010 is blocked by the security appliance. With FTP inspection enabled, however, the security appliance inspects the FTP control channel to recognize that the data channel will be established to the new FTP client port 2010 and temporarily creates an opening for the data channel traffic for the life of the session.
Config will be:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
For PIX/ASA, the proxy feature means here it can request a connection on behalf of the client that is inside the firewall or the internet.
Raj
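To make the active-mode example above concrete, here is an added illustration (not from the thread or from Cisco) of what an FTP inspector does with the control channel: it decodes the PORT command, checks that the embedded address really belongs to the client that opened the control session, rewrites the embedded inside address to its NAT address, and records the temporary pinhole (server port 20 to the client's data port 2010). It also handles the passive-mode 227 reply, which the thread does not cover. The addresses 10.1.1.5, 203.0.113.7 and 198.51.100.21 are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed topology for the example: inside client 10.1.1.5 is NATed to
# 203.0.113.7; the FTP server is 198.51.100.21 (none of these are from the thread).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit for one data connection, src -> dst, as the firewall sees it.
    src_port 0 means 'any' (the initiator's ephemeral port is not known in advance)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); rejects any field outside a byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("malformed host-port in FTP command")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_port(line, inside_ip, nat_ip, server_ip):
    """Active mode: client sends PORT; server will connect from port 20 to that endpoint.
    Returns (rewritten command line, pinhole to open) or raises ValueError."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(m.groups())
    # The embedded address must be the control session's own source and an
    # ephemeral port; anything else would open a hole towards a third party.
    if ip != inside_ip or port < 1024:
        raise ValueError("PORT address does not match control-channel client")
    rewritten = f"PORT {encode_hostport(nat_ip, port)}\r\n"   # NAT the embedded IP
    return rewritten, Pinhole(server_ip, 20, nat_ip, port)


def inspect_pasv(line, nat_ip, server_ip):
    """Passive mode: server replies 227; the client will connect to that endpoint."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a 227 reply")
    ip, port = decode_hostport(m.groups())
    if ip != server_ip or port < 1024:
        raise ValueError("PASV address does not match control-channel server")
    return line, Pinhole(nat_ip, 0, server_ip, port)
```

With inspection off, the rewritten PORT line would never be produced and the server's connection from port 20 to port 2010 would hit the default deny, which is exactly the blocked return traffic described above.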