thanks for your help, can you give me a qucik explantion what they actually do? is it where say ftp goes out on 20, then comes back in on 21, is it when there can be multiple ports for the given session ?

Hi,

In a nutshell,

The fixup ftp command inspects the FTP sessions and performs four tasks:

(i) prepare dynamic secondary data connection;

(ii) track FTP command-response sequence;

(iii) generate audit trail;

(iv) NAT application embedded IP address.

The port number defines the well-known service port where the FTP client initiated to connect to the FTP server. This port is usually 21. However, a different and non-standard port can be specified.

Raj

can you give me a general overview of the fixup ? i saw on another firewall the same thing, but called proxies ?

Hi Carl,

Some protocols like ftp,http etc need to dynamically negotiate source or destination ports or IP addresses.

good security appliance has to inspect packets above the network layer and do the following as required by the protocol or application:

1.Securely open and close negotiated ports and IP addresses for legitimate client-server connections through the security appliance

2.Use Network Address Translation (NAT)-relevant instances of IP addresses inside a packet

3. Use port address translation (PAT)-relevant instances of ports inside a packet

4.Inspect packets for signs of malicious application misuse

Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.

The application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or User Datagram Protocol (UDP) ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. For eg: the FTP client is in active mode opening a control channel between its port 2008 and the FTP server port 21. When data is to be exchanged, the FTP client alerts the FTP server through the control channel that it expects the data to be delivered back from FTP server port 20 to its port 2010. If FTP inspection is not enabled, the return data from FTP server port 20 to FTP client port 2010 is blocked by the security appliance. With FTP inspection enabled, however, the security appliance inspects the FTP control channel to recognize that the data channel will be established to the new FTP client port 2010 and temporarily creates an opening for the data channel traffic for the life of the session.

Config will be :

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

For pix/asa proxy feature it means here it can request connection on behalf on the client that is inside the firewall or the internet

Raj