Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

What is fixup protocol usage?

Hi I would like to check what is the use of this fixup protocol in ASA or PIX.

Just a question to understand this better.


Hall of Fame Super Blue

Re: What is fixup protocol usage?


Generally speaking the ASA and Pix devices are stateful firewalls. They keep state by using IP addresses/port numbers and TCP flags (eg SYN, SYN/ACK etc.) They do not understand applications.

However there are some applications that they do understand and these are the what the fixup commands are for. Some applications such as FTP, SQLNET etc. dynamically allocate ports for connections which is a nightmare for traditional firewalls eg.

When you connect to an Oracle database the client connects to port 1521. The server then sends another port number to the client. The client tears down the original connection and starts a new one to the new port.

Now imagine how bad this is for a firewall.

Say you have a database on a DMZ that outside users want to access. You allow port 1521 from outside but you also have to allow all ports above 1024, so that's 1024 - 65535 because you don't know the random port that will be sent back by the server to the client.

The fixup command for SQLNET monitors the intial connection setup. It extracts the port number sent back by the server to the client and temporarily opens up a channel for that port and that port only ie you don't have to allow all random ports.

That is just an example of a fixup command. Other fixup commands might be for different purposes but in general the fixup commmands are there for applications that would otherwise be very difficult to firewalll securely.



New Member

Re: What is fixup protocol usage?

Jon, you are really right on the ball..:D

Now I can understand it clearly ,

Thanks for that again!



CreatePlease login to create content