PIX - Protocol Handling

Cisco PIX Firewall
  • Many popular protocols and applications negotiate ports or addresses dynamically (multimedia streaming, P2P file sharing, HTTP, FTP, SQL*Net)
  • Some applications embed IP addresses and port numbers in the application-layer payload, where plain packet filtering and NAT cannot see them
  • PIX application inspection (the fixup feature) tracks the negotiated ports and addresses so the secondary connections of an end-to-end session can pass through the firewall
  • It rewrites embedded addresses and ports so they stay consistent with NAT and PAT translations
  • It inspects the control channel for malformed or improper use of the application protocol
  • Inspected applications and protocols are allowed through by opening and closing connection slots dynamically as the session state changes

In active-mode FTP the control connection (port 21) is opened by the client, but the data connection is opened by the server back to the address and port the client announces in its PORT command. The fixup reads the PORT command, rewrites the embedded address for NAT, and temporarily permits that single inbound data connection for as long as the control session needs it. In passive mode both connections are initiated by the client: it connects to the port the server announces in its 227 reply, so the fixup instead permits an outbound connection to that port.

Fixup protocols available (most enabled by default) and their standard ports: FTP (21), SMTP (25), HTTP (80), RSH (514), RTSP (554), SQL*Net (1521), H.323 (1720), ILS (389), SCCP/Skinny (2000), SIP (5060), CTIQBE (2748), MGCP (2427 and 2727).

Enable FTP inspection on the non-standard port 2021 with strict command checking (the strict keyword precedes the port):

fixup protocol ftp strict 2021
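The following model of the FTP fixup is an added illustration, not PIX code. It shows the two things the inspection does on the control channel: rewrite the address the client embeds in PORT so it matches the NAT translation, and open exactly one data-channel pinhole per negotiation (inbound for active mode, outbound for passive mode). The strict checks model the documented behaviour that strict mode allows one command per segment, only lets the client send PORT and only lets the server send 227. The NAT table, the addresses 10.0.0.10, 203.0.113.10 and 198.51.100.5, and the ports are constructed for the example.

```python
"""Model of what 'fixup protocol ftp [strict]' does on the control channel.

Added illustration, not PIX code. The NAT table, addresses and ports are
constructed: inside client 10.0.0.10 is translated to the global address
203.0.113.10, and the FTP server 198.51.100.5 sits outside (assumption).
"""
import re

# Constructed NAT table: inside (local) address -> global address.
NAT_TABLE = {"10.0.0.10": "203.0.113.10"}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)[^\r\n]*\r\n$")


def parse_hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpFixup:
    def __init__(self, strict=False):
        self.strict = strict
        # Data-channel pinholes: ("inbound", ip, port) lets the server connect
        # to the client (active mode); ("outbound", ip, port) lets the client
        # connect to the server (passive mode). Nothing else is opened.
        self.pinholes = set()

    def _strict_check(self, line, forbidden_prefix):
        # strict: exactly one command per segment (no embedded commands), and
        # only the client may send PORT, only the server may send 227.
        if self.strict and (line.count("\r\n") != 1 or line.startswith(forbidden_prefix)):
            raise ValueError(f"strict mode rejected {line!r}")

    def inspect_client(self, line):
        """Inspect a client->server control line; return the line to forward."""
        self._strict_check(line, "227")
        m = PORT_RE.match(line)
        if m is None:
            return line
        local_ip, port = parse_hostport(m.groups())
        global_ip = NAT_TABLE.get(local_ip, local_ip)
        self.pinholes.add(("inbound", global_ip, port))
        # Rewrite the embedded address so the server connects to the global one.
        return f"PORT {format_hostport(global_ip, port)}\r\n"

    def inspect_server(self, line):
        """Inspect a server->client control line; return the line to forward."""
        self._strict_check(line, "PORT")
        m = PASV_RE.match(line)
        if m is None:
            return line
        server_ip, port = parse_hostport(m.groups())
        global_ip = NAT_TABLE.get(server_ip, server_ip)  # server behind a static
        self.pinholes.add(("outbound", global_ip, port))
        return line.replace(format_hostport(server_ip, port), format_hostport(global_ip, port))

    def permits(self, direction, dst_ip, dst_port):
        """Would the firewall pass a new data connection to dst_ip:dst_port?"""
        return (direction, dst_ip, dst_port) in self.pinholes


def strict_rejects(line, from_client=True):
    """True if strict mode drops this control line."""
    fw = FtpFixup(strict=True)
    try:
        fw.inspect_client(line) if from_client else fw.inspect_server(line)
    except ValueError:
        return True
    return False


def demo():
    """Active-mode PORT from the inside client, then a passive 227 from the server."""
    fw = FtpFixup(strict=True)
    sent = fw.inspect_client("PORT 10,0,0,10,4,1\r\n")
    reply = fw.inspect_server("227 Entering Passive Mode (198,51,100,5,7,209).\r\n")
    return sent, reply, sorted(fw.pinholes)
```

In demo() the PORT command leaves the firewall as PORT 203,0,113,10,4,1 and an inbound pinhole to 203.0.113.10:1025 exists; the 227 reply is forwarded unchanged and an outbound pinhole to 198.51.100.5:2001 exists. A server connecting to any other port on the client is still refused.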

Remote Shell (RSH) uses a client-initiated TCP command channel (port 514) and a second, server-initiated TCP connection back to the client for standard error. The fixup reads the port the client announces on the command channel and permits only that inbound error connection.

fixup protocol rsh 1540

SQL*Net normally uses a single TCP channel (port 1521), but the Oracle listener can redirect the client to a different port or to a secondary server. The fixup reads the redirect, translates the embedded address under NAT and permits the follow-on connection.

fixup protocol sqlnet 66

DNS Fixup

PIX Firewall 6.2 and later can translate (doctor) the IP address embedded in a DNS A-record response to match a NAT translation, so an inside client resolving the name of an inside server receives the server's local address rather than the global one advertised outside.

Each DNS query gets exactly one answer: the first response matching the query's transaction ID is accepted and any later response to the same query is dropped.

The DNS fixup inspects all UDP transactions on port 53.

An outbound DNS request opens a connection slot for the response, and the slot is closed as soon as the answer is received rather than waiting for the UDP idle timeout.

Translation of the embedded address is configured with the dns keyword on a static translation; before 6.2 the alias command was needed instead.

Pre-6.2 form, rewriting DNS answers containing 8.8.8.8 that are delivered to the inside interface so that they carry 10.0.0.10 instead:

alias (inside) 10.0.0.10 8.8.8.8 255.255.255.255
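The following model of the DNS fixup is an added illustration, not PIX code. It shows both behaviours described above: a query opens a slot that exactly one response may use (an unsolicited or second response is dropped), and an A-record answer whose address matches a translation entry is rewritten in place before it reaches the inside client. The packets, the name www.example.com and the translation 203.0.113.50 to 10.0.0.50 are constructed for the example.

```python
"""Model of the PIX DNS fixup: one answer per query, plus A-record doctoring.

Added illustration, not PIX code. The packets and the translation table
are constructed: outside hosts know an inside server as 203.0.113.50, and
inside clients must receive its local address 10.0.0.50 (assumption).
"""
import struct


def encode_name(name):
    """'www.example.com' -> DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid, name):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_a_response(txid, name, ip, ttl=60):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def a_record_offsets(pkt):
    """Return (txid, flags, offsets of the 4-byte RDATA of each A record in the answer section)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    offsets = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return txid, flags, offsets


def answer_ips(pkt):
    return [".".join(str(b) for b in pkt[off:off + 4]) for off in a_record_offsets(pkt)[2]]


class DnsFixup:
    def __init__(self, translations):
        self.translations = translations   # global address -> local address
        self.slots = set()                 # transaction IDs still awaiting their one answer

    def outbound_query(self, pkt):
        """Inside client -> outside resolver: open a slot for exactly one answer."""
        self.slots.add(struct.unpack_from("!H", pkt, 0)[0])
        return pkt

    def inbound_response(self, pkt):
        """Outside resolver -> inside client. Returns the doctored packet, or None if dropped."""
        txid, flags, offsets = a_record_offsets(pkt)
        if not flags & 0x8000 or txid not in self.slots:
            return None                      # no open slot: unsolicited or duplicate answer
        self.slots.discard(txid)             # the first answer closes the slot
        buf = bytearray(pkt)
        for off in offsets:
            ip = ".".join(str(b) for b in buf[off:off + 4])
            if ip in self.translations:      # matches a translation entry: doctor it
                buf[off:off + 4] = bytes(int(o) for o in self.translations[ip].split("."))
        return bytes(buf)
```

Because the A-record RDATA is a fixed four bytes, the rewrite changes the packet contents but not its length, which is why the response can be doctored in place; only the UDP checksum would need recomputing on a real firewall.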

Multimedia Support

Multimedia applications typically negotiate over a TCP control channel and then stream the media over UDP (or TCP) on ports assigned dynamically during that negotiation.

The PIX opens and closes the negotiated ports dynamically and supports these applications both with and without NAT.

RTSP (Real Time Streaming Protocol) is the control protocol used by many multimedia applications:

  • well-known TCP port 554 for the control channel
  • the first dynamic channel carries the media, over RTP or RealNetworks RDT
  • the second dynamic channel carries RTCP, or UDP resend requests for RDT

PIX supports the following RTSP applications

  • Cisco IP/TV
  • Apple QuickTime 4
  • Real Networks (RealAudio, RealPlayer)
  • RealServer

Fixup commands for RTSP and the VoIP protocols (PORT is the port on which the PIX should inspect the protocol):

fixup protocol rtsp PORT
fixup protocol h323 PORT
fixup protocol mgcp PORT
fixup protocol ctiqbe 2748
fixup protocol skinny PORT
fixup protocol sip PORT
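The following model of the RTSP fixup is an added illustration, not PIX code. It follows the SETUP exchange on the TCP 554 control channel, opens the two UDP channels the Transport headers negotiate (media on the first, RTCP or resend on the second), closes them again on TEARDOWN, and opens nothing when the client asks for interleaved transport, where the media rides inside the TCP control connection. The client 10.0.0.10, server 198.51.100.7, ports, session ID and messages are constructed for the example.

```python
"""Model of the RTSP fixup: read the SETUP exchange on TCP 554 and open the
two UDP channels it negotiates, then close them on TEARDOWN.

Added illustration, not PIX code. Addresses, ports, the session ID and the
messages below are constructed for the example (assumption).
"""
import re


def header(msg, name):
    m = re.search(r"^%s:\s*([^\r\n]+)" % re.escape(name), msg, re.M)
    return m.group(1).strip() if m else None


def transport_params(msg):
    """'RTP/AVP;unicast;client_port=6970-6971' -> {'RTP/AVP': None, 'unicast': None, 'client_port': '6970-6971'}"""
    value = header(msg, "Transport")
    if value is None:
        return {}
    params = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        params[key] = val or None
    return params


def port_pair(value):
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)


class RtspFixup:
    def __init__(self):
        self.pending = {}    # CSeq -> (client_ip, client port pair) taken from SETUP
        self.sessions = {}   # session id -> pinholes, so TEARDOWN can close them
        self.pinholes = set()

    def inspect_request(self, msg, client_ip):
        method = msg.split(" ", 1)[0]
        if method == "SETUP":
            params = transport_params(msg)
            if "interleaved" in params or "client_port" not in params:
                return  # media rides inside the TCP control connection: nothing to open
            self.pending[header(msg, "CSeq")] = (client_ip, port_pair(params["client_port"]))
        elif method == "TEARDOWN":
            session = (header(msg, "Session") or "").split(";")[0]
            self.pinholes -= self.sessions.pop(session, set())

    def inspect_response(self, msg, server_ip):
        if not msg.startswith("RTSP/1.0 200"):
            return
        pending = self.pending.pop(header(msg, "CSeq"), None)
        params = transport_params(msg)
        if pending is None or "server_port" not in params:
            return
        client_ip, (c_lo, c_hi) = pending
        s_lo, s_hi = port_pair(params["server_port"])
        session = (header(msg, "Session") or "").split(";")[0]
        holes = {
            ("udp", server_ip, s_lo, client_ip, c_lo),  # first channel: RTP or RDT media
            ("udp", server_ip, s_hi, client_ip, c_hi),  # second channel: RTCP or UDP resend
        }
        self.pinholes |= holes
        self.sessions.setdefault(session, set()).update(holes)

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        return ("udp", src_ip, src_port, dst_ip, dst_port) in self.pinholes


# Constructed exchange between inside client 10.0.0.10 and outside server 198.51.100.7.
SETUP = ("SETUP rtsp://198.51.100.7/stream/track1 RTSP/1.0\r\nCSeq: 3\r\n"
         "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
SETUP_OK = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 47112344;timeout=60\r\n"
            "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=30000-30001\r\n\r\n")
TEARDOWN = ("TEARDOWN rtsp://198.51.100.7/stream/track1 RTSP/1.0\r\nCSeq: 4\r\n"
            "Session: 47112344\r\n\r\n")


def run_session():
    """Return the pinhole set after SETUP/200 OK, and again after TEARDOWN."""
    fw = RtspFixup()
    fw.inspect_request(SETUP, "10.0.0.10")
    fw.inspect_response(SETUP_OK, "198.51.100.7")
    after_setup = set(fw.pinholes)
    fw.inspect_request(TEARDOWN, "10.0.0.10")
    return after_setup, set(fw.pinholes)
```

After the 200 OK the only UDP traffic allowed in is 198.51.100.7:30000 to 10.0.0.10:6970 and 198.51.100.7:30001 to 10.0.0.10:6971; a reply with no matching SETUP, or a mismatched server port, opens nothing.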