Hi Kunal,

1) Pix inspects dns packet length, default value set to 512 and packets greater than 512 length will be dropped by pix resulting you unable to browse few websites. I would recommend yu to keep it to a size of 1500 with the following command:

fixup protocol dns maximum-length 1500

2) Again:

fixup protocol h323 h225 1720

with this pix inspects h323 protocol and randomly opens up ports on Pix to let the voice/signalling traffic come inbound.

3) For ease of viewing ip addresses by their names, we have the command name on pix:

name 193.123.234.234 access

name 193.123.234.236 www

Using such names on pix would let you view such ip addresses by their names.

"no names" and "names" is a toggle. With "names" when a config is viewed, it shows ip addresses by names as specified on pix and with "no names" it would show it by ip address.

4) For example, while collecting syslogs on a syslog server, it would show you CISCO-PIX at the beginning on log entry letting you know that this log is generated/sent/logged by CISCO-PIX device.

5) The ip verify reverse-path command allows you to specify which interfaces to protect from an IP Spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast RPF (Reverse Path Forwarding) functionality for the PIX Firewall. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

The ip verify reverse-path command depends on the existence of a default route statement in the configuration for the outside interface that has 0.0.0.0 0.0.0.0 in the route command statement for the IP address and network mask.

The command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity, and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, then it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

Unicast RPF is implemented as follows:

ICMP packets have no session so each packet is checked.

UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

6) PDM Locations are commands used by the PDM application to create like a map and identify hosts configured to access the PIX unit. You can remove those lines in the configuration by typing: clear pdm location. Removing those lines won't affect the functionality of your PDM or the PIX unit. Those lines do not represent a security risk since they are not authorizing any traffic, remember that the security policy is established with the access-lists, and is backed up by the translations you are authorizing. PDM location is just a reference line for the application "Pix Device Manager".

Finally, to be in short, pdm locations are just like translation slots (can be viewed by giving command show xlate)... clear xlate would remove the translation slots but it would be rebiult again as any host tried to go through the pix and hence, in the same manner, clear pdm location would clear it for the time being until someone tries to access the pix again. Its something like cookies which the browser stores as an information.

pdm logging is command to log syslogs to be viewed using PDM.

pdm history enable is a command when enabled on pix would let you view how and what data is stored on pix in a detailed format and information on each and every chunk on pix.

I hope that answers your questions.

Rahul Pathania

TAC Engineer-Security

rpathani@cisco.com