fixup protocol
Change, enable, disable, or list a PIX Firewall application protocol
feature. (Configuration mode.)

fixup protocol ftp [port]
fixup protocol http [port[-port]]
fixup protocol h323 [port[-port]]
fixup protocol rsh [514]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
no fixup protocol protocol [port[-port]]
show fixup [protocol protocol]

Syntax Description
 protocol
 Specify the protocol to fix up: ftp, http, h323, rsh, smtp, sqlnet.

port
 Specify the port number or range for the application protocol. The default
ports are: 80 for http, 1720 for h323, 25 for smtp, and 1521 for sqlnet. The
default port value for rsh cannot be changed, but additional port statements
can be added. Refer to the "Ports" section in Chapter 1, "Introduction" for
a list of valid port literal names.




Usage Guidelines
The fixup protocol commands let you view, change, enable, or disable the use
of a through the PIX Firewall. The ports you specify are those that the PIX
Firewall listens at for each respective service. You can change the port
value for each service except rsh.

The fixup protocol smtp command enables the Mail Guard feature, which only
lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL,
RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the
"500 command unrecognized" reply code.

The fixup protocol commands are always present in the configuration and are
enabled by default. You can add multiple port settings for each protocol
with separate commands; for example:

fixup protocol ftp 21
fixup protocol ftp 4254
fixup protocol ftp 9090


These commands cause PIX Firewall to listen to the standard FTP port of 21
but also to listen for FTP traffic at ports 4254 and 9090.

The show fixup command lists all values or the show fixup protocol protocol
command lists an individual protocol.

You can disable a protocol definition with the no fixup command.

Examples
The following example enables access to an inside server running Mail Guard:

static (inside, outside) 204.31.17.1 192.168.42.1 netmask 255.255.255.0
conduit permit tcp host 204.31.17.1 eq smtp any
fixup protocol smtp 25


This example shows the default fixup protocol values:

show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521


The following example shows the commands to disable Mail Guard:

static (dmz1,outside) 204.31.17.1 10.1.1.1 netmask 255.255.255.255
conduit permit tcp host 204.31.17.1 eq smtp any
no fixup protocol smtp 25


In this example, the static command sets up a global address to permit
outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface.
(The MX record for DNS needs to point to the 204.31.17.1 address so that
mail is sent to this address.) The conduit command lets any outside users
access the global address through the SMTP port (25). The no fixup protocol
command disables the Mail Guard feature.


"Montgomery, Robert WARCOM Contractor" <[EMAIL PROTECTED]> wrote
in message news:[EMAIL PROTECTED]...
> Hello all - On the PIX ...
>
> What the 'heck' does the fixup command do?  I ask this after reading the
> guide and parsing CCO.
>
> I need to set up https/ssl on specific ports (a client wants to allow users
> to use https through the specific holes) and thought I had to "fixup" the
> proto to listen to the specific ports I want.  Of course, the Pix doesn't
> provide these literal names (in config), so would I just use stat/cond
> commands?  Which leads me to wonder just what fixup does.
>
> Thanks!
>
> Rob Montgomery CCNA MCP (Paper Cert or not...I have them)
> Information Security Engineer
> IA Systems Analyst
> Sytex, Inc./ Naval Special Warfare Command
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
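
The Mail Guard behaviour described in the documentation excerpt above (only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT reach the mail server; anything else gets "500 command unrecognized"), as an added example that is not part of the original post and is not Cisco's code. It is a simplified model: the function name, the sample session and the treatment of lines after DATA as message body up to a lone "." are assumptions.

```python
# Simplified model of the Mail Guard command filter described above.
# Assumption: after DATA is passed, every line up to a lone "." is
# message content (RFC 821) and is not checked as a command.

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT = "500 command unrecognized"


def mail_guard(client_lines):
    """Return (line, verdict) for each client-to-server line.

    verdict is "pass" (forwarded to the mail server), "body" (message
    content inside DATA), or the 500 reply returned to the client.
    """
    in_data = False
    out = []
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            # A line holding only "." ends the message body.
            if line == ".":
                in_data = False
            out.append((line, "body"))
            continue
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""  # SMTP verbs are case-insensitive
        if verb in ALLOWED:
            out.append((line, "pass"))
            in_data = verb == "DATA"
        else:
            out.append((line, REJECT))
    return out


# Constructed sample session (client side only); host names are placeholders.
SESSION = [
    "EHLO client.example\r\n",   # ESMTP greeting, not in the allowed list
    "helo client.example\r\n",
    "MAIL FROM:<a@client.example>\r\n",
    "RCPT TO:<b@server.example>\r\n",
    "VRFY root\r\n",
    "DATA\r\n",
    "Subject: test\r\n",
    "EXPN staff\r\n",            # inside DATA, so it is only body text
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in mail_guard(SESSION):
        print(f"{verdict:<26} {line}")
```

With `no fixup protocol smtp 25` in the configuration this filtering is not applied, so commands such as EHLO, VRFY and EXPN reach the mail server directly.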

