Cisco Support Community

What the fixup protocols are and how they work


To define the fixup protocols, perform these steps:

  1. The PIX Firewall's fixup commands tell the PIX Firewall to perform additional application inspection on the specified protocols. This additional inspection is needed on some protocols, because some protocols include the source IP address within the data payload of the packet.  

    If the PIX Firewall is using Network Address Translation (NAT) on the packet, it must locate the embedded IP within the packet and apply NAT to it.

    Other protocols may initiate connections on a given port and then open up additional connections on mutually agreed upon ports. FTP and H.323 are most notable for doing this.

  2. The port value for most protocols can be changed. For example, this is necessary if an FTP server is set up to listen on port 2100.
    In such cases, add an additional fixup protocol command for that port.

  3. Most fixup protocols are enabled by default. For a complete list of fixup protocols, issue the help command.  

    The fixup protocol command is global. The changes made affect both inbound and outbound connections. These changes cannot be restricted to a specific connection or translation.   
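The two behaviours described in item 1, shown for an active-mode FTP `PORT` command: an added Python sketch, not Cisco's code. The function name, the NAT table and the addresses are constructed for illustration.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" carries the client's IP address and
# data port inside the payload; the data port is p1 * 256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)

# Constructed static NAT mapping: inside address -> translated address.
NAT_TABLE = {"10.1.1.5": "203.0.113.5"}


def inspect_ftp_port(line, nat_table):
    """Return (line_to_forward, expected_data_endpoint).

    A well-formed PORT command has its embedded address translated, and the
    (ip, port) the secondary data connection will use is reported so that
    only that connection needs to be allowed. Anything else is forwarded
    unchanged with endpoint None.
    """
    m = PORT_RE.match(line)
    if not m:
        return line, None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return line, None  # malformed: do not translate, open nothing
    inside_ip = ".".join(str(f) for f in fields[:4])
    data_port = fields[4] * 256 + fields[5]
    # Addresses without a NAT mapping are left as they are.
    outside_ip = nat_table.get(inside_ip, inside_ip)
    rewritten = b"PORT %s,%d,%d\r\n" % (
        outside_ip.replace(".", ",").encode(), fields[4], fields[5]
    )
    # The rewritten line can differ in length from the original, so a real
    # inspection engine must also adjust TCP sequence numbers (not shown).
    return rewritten, (outside_ip, data_port)


if __name__ == "__main__":
    sample = b"PORT 10,1,1,5,19,137\r\n"  # constructed control-channel line
    print(inspect_ftp_port(sample, NAT_TABLE))
```

Without this payload rewrite, the server would be told to connect to 10.1.1.5, an address it cannot reach through the translation.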

For more information, refer to these documents: