The Function of Fixups

The PIX firewall implements fixup protocol features to help overcome the difficulties with advanced protocols. The fixup protocols perform what is known as application inspection on a limited number of advanced protocols. The inspection monitors the traffic across the PIX and dynamically opens and closes connection slots between the inside and outside interfaces. Fixups try to make the connections as secure as possible by dynamically opening only the necessary ports.

If fixup protocols did not exist, you would have to open large numbers of ports with ACLs or the established command to allow traffic to pass, effectively compromising the granularity and overall value of your security solution. Table 8.1 displays some of the available fixup protocols with their respective ports and functions.
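The following is an added example, not code from the book or from the PIX itself, that models what application inspection means for one protocol from the table. An FTP fixup reads the control channel, decodes the endpoint announced in a client PORT command (active FTP) or a server 227 reply (passive FTP), and opens a connection slot for exactly that endpoint instead of requiring a standing ACL for the whole high-port range. The class, function names and the sample exchange are constructed for the illustration; a real fixup also has to rewrite addresses embedded in the payload when NAT is in use, which this model does not attempt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample control-channel exchange (client is on the inside
# interface, server on the outside). Addresses are documentation ranges.
SAMPLE_CONTROL_CHANNEL = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PORT 192,0,2,10,19,137"),       # active mode: client listens on 192.0.2.10:5001
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,7,156,65)."),  # server listens on 198.51.100.7:40001
    ("client", "PORT 192,0,2,10,999,1"),        # malformed: octet out of range, must not open anything
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated FTP values (h1,h2,h3,h4,p1,p2) into (host, port)."""
    values = [int(g) for g in groups]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("FTP address field out of range")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Pinhole:
    direction: str  # "outside->inside" (active FTP) or "inside->outside" (passive FTP)
    host: str
    port: int


@dataclass
class FtpFixup:
    """Simplified model of the control-channel inspection an FTP fixup performs (hypothetical, not PIX code)."""
    pinholes: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def inspect(self, sender, line):
        """Inspect one control-channel line; return the Pinhole it opened, if any."""
        if sender == "client":
            m = PORT_RE.match(line)
            if m is None:
                return None
            direction = "outside->inside"   # server will connect back to the client's data port
        else:
            m = PASV_RE.match(line)
            if m is None:
                return None
            direction = "inside->outside"   # client will connect out to the server's data port
        try:
            host, port = decode_hostport(m.groups())
        except ValueError as exc:
            # A malformed announcement opens nothing; record it for logging instead.
            self.rejected.append((line, str(exc)))
            return None
        hole = Pinhole(direction, host, port)
        self.pinholes.append(hole)
        return hole


def run_fixup(channel):
    """Feed a whole exchange through the model and return the resulting fixup state."""
    fx = FtpFixup()
    for sender, line in channel:
        fx.inspect(sender, line)
    return fx


if __name__ == "__main__":
    state = run_fixup(SAMPLE_CONTROL_CHANNEL)
    for hole in state.pinholes:
        print(f"open {hole.direction} to {hole.host}:{hole.port}")
    for line, why in state.rejected:
        print(f"rejected {line!r}: {why}")
```

Run against the sample exchange, the model opens two slots, one inbound to 192.0.2.10:5001 for the active transfer and one outbound to 198.51.100.7:40001 for the passive transfer, and rejects the malformed PORT line. Those two slots are all that the transfers need; the alternative the chapter describes, a static ACL, would have to permit every port the data channel might land on.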

Table 8.1. Available Fixup Protocols (default ports as shown by show fixup in Listing 8.1)

Protocol    Default Port    Function
FTP         21              The FTP fixup works to help correct standard and passive FTP problems.
H323 h225   1720            The H323 fixup monitors and helps correct the multimedia applications that use H323 back through the PIX firewall.
H323 RAS    1718 and 1719   This works with the H323 protocol suite.
HTTP        80              Helps monitor HTTP and is required for WebSense or N2H2 URL filtering services.
ILS         389             The ILS fixup works to help correct LDAP transactions across the PIX firewall.
RSH         514             Remote Shell.
RTSP        554             Real-Time Streaming Protocol.
SMTP        25              Simple Mail Transport Protocol.
SQLNET      1521            Oracle communications.
SIP         5060            Session Initiation Protocol.
Skinny      2000            Skinny Client Control Protocol.

The show fixup Command

You can use the show fixup command to display the active fixup protocols on the PIX firewall. Listing 8.1 displays the output of the show fixup command.

Listing 8.1 show fixup Command Example

    pixfirewall(config)# show fixup
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    pixfirewall(config)#

The fixup protocol Command

The standard fixup command is similar for all the protocols listed in Table 8.1. Most protocols can have additional ports assigned to them that will enable application inspection monitoring of nonstandard ports for that protocol. This is the standard fixup protocol command's syntax:

    pixfirewall(config)# [no] fixup protocol <prot> [<option>] <port>[-<port>]

Table 8.2 displays the fixup protocol options.

Table 8.2. fixup protocol Command Options

Option            Description
<prot>            Protocol setting, such as HTTP, SIP, RTSP, and so on.
<option>          Protocol-specific keyword; for h323 this is h225 or ras, as in Listing 8.1.
<port>[-<port>]   A single port or a range of ports can be used to enable application inspection on traffic defined for the protocol option.

The following example adds a single port and a range of nonstandard ports for RTSP:

    pixfirewall(config)# fixup protocol rtsp 1501
    pixfirewall(config)# fixup protocol rtsp 1700-1710
    pixfirewall(config)# show fixup protocol rtsp
    fixup protocol rtsp 554
    fixup protocol rtsp 1501
    fixup protocol rtsp 1700-1710
    pixfirewall(config)#

The clear fixup Command

The clear fixup command resets all fixup protocols to their default values, like so:

    pixfirewall(config)# clear fixup
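Because fixup protocol lines accumulate (the RTSP example above leaves three entries) and can also be removed with the no form, it is worth checking a device's show fixup output against the defaults that clear fixup would restore. The following audit is an added example, not part of the book or of any Cisco tool: it parses show fixup output, compares it with the default table from Listing 8.1, and reports disabled fixups, defaults that are no longer inspected, and non-default ports that are. The sample output and the function names are constructed for the illustration.

```python
import re

# Default fixup protocols and ports, as listed by show fixup in Listing 8.1.
DEFAULT_FIXUPS = {
    "ftp": {"21"},
    "http": {"80"},
    "h323 h225": {"1720"},
    "h323 ras": {"1718-1719"},
    "ils": {"389"},
    "rsh": {"514"},
    "rtsp": {"554"},
    "smtp": {"25"},
    "sqlnet": {"1521"},
    "sip": {"5060"},
    "skinny": {"2000"},
}

# Protocol name with optional h323 sub-keyword, then a port or port range.
FIXUP_RE = re.compile(r"^fixup protocol (\S+(?: (?:h225|ras))?) (\d+(?:-\d+)?)$")

# Constructed sample: RTSP has extra ports, the SMTP fixup has been removed
# with "no fixup protocol smtp 25", and SQL*Net was moved to a non-default port.
SAMPLE_SHOW_FIXUP = """\
pixfirewall(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol rtsp 1501
fixup protocol rtsp 1700-1710
fixup protocol sqlnet 1600
fixup protocol sip 5060
fixup protocol skinny 2000
pixfirewall(config)#
"""


def parse_show_fixup(text):
    """Return {protocol: set of port specs} from show fixup output; prompt lines are skipped."""
    active = {}
    for line in text.splitlines():
        m = FIXUP_RE.match(line.strip())
        if m:
            active.setdefault(m.group(1), set()).add(m.group(2))
    return active


def port_range(spec):
    """Parse "554" or "1700-1710" into an inclusive (low, high) tuple, validating the range."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def audit_fixups(active, defaults=DEFAULT_FIXUPS):
    """Compare parsed show fixup output with the defaults and return a list of findings."""
    findings = []
    for proto, ports in defaults.items():
        if proto not in active:
            findings.append(f"{proto}: fixup disabled (default {', '.join(sorted(ports))})")
            continue
        missing = ports - active[proto]
        extra = active[proto] - ports
        if missing:
            findings.append(f"{proto}: default port(s) {', '.join(sorted(missing))} not inspected")
        if extra:
            findings.append(f"{proto}: non-default port(s) {', '.join(sorted(extra, key=port_range))} inspected")
    for proto in sorted(active.keys() - defaults.keys()):
        findings.append(f"{proto}: not in the default fixup list")
    return findings


if __name__ == "__main__":
    for finding in audit_fixups(parse_show_fixup(SAMPLE_SHOW_FIXUP)):
        print(finding)
```

On the sample output the audit reports the extra RTSP ports, the disabled SMTP fixup, and both sides of the SQL*Net change (1521 no longer inspected, 1600 inspected). Non-default ports are not necessarily wrong, since that is exactly what the fixup protocol command is for, but each one should correspond to a known application; a disabled default is the finding that most often deserves follow-up, because traffic on that port then passes without inspection.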

CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218