Javier,
Cannot comment on the default setup (except that I believe that h323
is over 1720) and that the exact command is 'fixup'. Hopefully
the documentation should have all this information. There is
also a 'show fixup' command AFAIK.
Regarding the purpose of these commands: the answer is
easier :-) When a fixup is assigned a TCP port, this means
that for those ports, the PIX will enter layer 3 to layer 7
analysis of all the packets.
Usually, PIX works only at layers 3 and 4 (= IP + UDP or IP + ICMP
or IP+TCP) checking IP addresses, ports, TCP flags, fragmentation
status, ...
While with fixup, the PIX saves additional states (like SMTP command
or data state, or for FTP is the user authenticated ?, ...), enforces
additional rules (like refusing strange SMTP MAIL FROM or RCPT TO
addresses, checking URL, ...), follows the dynamic ports
negotiation (like in H323 and FTP), does additional logging (like
FTP or HTTP file/URL logging), translates (for NAT) the IP
addresses in the TCP or UDP payload, ...
Hope this helps
-eric
At 01:07 31/10/1999 +0000, jromero wrote:
>Hi folks,
>
>Well, I have a question about some commands in Version 4.2.
>
>Confirm if the following commands are default ones:
>
>fixeup protocol ftp 21
>fixeup protocol http
>fixeup protocol h323 17201
>fixeup protocol rsh 514
>fixeup protocol sqlnet 1521
>no fixed protocol smtp 25
>
>BTW, what do these commands mean?
>
>Regards,
>
>Javier
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458
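
Added example, not part of the original message and not PIX code: a toy Python model of what the reply describes for FTP, namely following the dynamic port negotiation, enforcing an extra rule, logging, and translating the IP address carried in the TCP payload. The class name, the sample addresses and the "address must be the client's own" policy are assumptions made for illustration.

```python
import re

# FTP PORT argument (RFC 959): h1,h2,h3,h4,p1,p2 with data port = p1*256 + p2
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$", re.I)


class FtpControlInspector:
    """Toy layer-7 tracker for one client-to-server FTP control connection."""

    def __init__(self, inside_ip, nat_ip):
        self.inside_ip = inside_ip   # client's real address (constructed sample)
        self.nat_ip = nat_ip         # translated address seen by the server
        self.pinholes = set()        # (ip, port) pairs to admit for the data channel
        self.log = []

    def _drop(self, reason, line):
        self.log.append("DROP %s: %r" % (reason, line))
        return None

    def client_line(self, line):
        """Return the bytes to forward (possibly rewritten), or None to drop."""
        if line[:4].upper() != b"PORT":
            return line                      # not a port negotiation, pass through
        m = PORT_RE.match(line)
        if not m:
            return self._drop("malformed PORT", line)
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return self._drop("octet out of range", line)
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Assumed policy: the advertised address must be the client's own.
        if ip != self.inside_ip:
            return self._drop("PORT address is not the client", line)
        # Follow the negotiation: remember the dynamic data port.
        self.pinholes.add((self.nat_ip, port))
        self.log.append("OPEN %s:%d" % (self.nat_ip, port))
        # NAT: rewrite the address carried inside the TCP payload.
        return b"PORT %s,%d,%d\r\n" % (
            self.nat_ip.replace(".", ",").encode(), nums[4], nums[5])


if __name__ == "__main__":
    fw = FtpControlInspector("10.0.0.5", "192.0.2.10")   # constructed addresses
    for sample in (b"USER anonymous\r\n", b"PORT 10,0,0,5,19,137\r\n",
                   b"PORT 10,0,0,99,19,137\r\n"):
        print(sample, "->", fw.client_line(sample))
    print(fw.log)
```

The rewritten PORT line is longer than the original here, so a real device doing this must also adjust TCP sequence and acknowledgement numbers for the rest of the connection; the sketch leaves that out.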