fixup and access-list

hi

what is the difference beteen these two command in pix. i am muddle between these to command cos as far as my study concern is that both of them allowing pptp port.

fixup protocol pptp 1723
and
access-list my_list prmit any any eq 1723

Find more posts tagged with

Comments

sprkymrk

Good link here explaining it:

http://www.ciscopress.com/articles/article.asp?p=24685&rl=1

With only a few exceptions, advanced protocol handling is accomplished via a mechanism called a fixup protocol. The fixup protocol command operates not as a true proxy but as an application aware agent. In most cases, the fixup protocol acts by monitoring the control channel of an application to prevent protocol violations and enable the PIX to respond dynamically to a protocol's legitimate need to open an inbound connection securely by making a temporary exception in the ASA. When the exception is no longer needed, the fixup protocol closes it. Each new version of the PIX OS brings new and improved protocol handling. It is important to note that the PIX can only perform these operations on the fixups that are part of the PIX OS running on your PIX. Fixups are not user-definable or user-programmable. Fixups allow you to enable or disable processing for the supported protocols and determine what ports (standard or non-standard) to operate on.

Fixup protocol is more secure than just opening a port.

sword1

thanks alot for for ur infromaion

but why i cannot able to add port 3389 of rdp in fixup protocol, i tried to add in fixup protocol but its not adding, than for that i used

access-list abcd permit tcp any any eq 3389 this is working.

sprkymrk

sword1 wrote:

thanks alot for for ur infromaion

but why i cannot able to add port 3389 of rdp in fixup protocol, i tried to add in fixup protocol but its not adding, than for that i used

access-list abcd permit tcp any any eq 3389 this is working.

Must be an unsupported protocol on Pix.

It is important to note that the PIX can only perform these operations on the fixups that are part of the PIX OS running on your PIX. Fixups are not user-definable or user-programmable.

Ahriakin

Yup, Fixup is essentially deep application layer inspection, the PIX has to understand the protocol for it to work. Access-lists are simple filters in comparison and are much easier to apply, the PIX does not have to understand what is on port 3389 for them to work.

sword1

ok i got it, almost vission is clear but one thing more. http is enable in fixup, its mean that pix will apply special handling for http then why we use access list to allow www on a perticular static NAT (i am aware that second statemet isused to hide webserver from external intrusion) if fixup can handle all of it with deep scanning, may be sound foolish but ignore because i am newbie

fixup protocol http 80

static (inside, ouside) 210.x.x.5 192.x.x.5 netmask 255.255.255.25
access-list abcd permit tcp any 210.x.x.5 eq www

Ahriakin

The actual function of Fixup/Inspect depends on the supported protocol. It does not imply one set of actions that are applied to them all, and more importantly does not simply block or allow a protocol as an access list would. For example for DNS Inspection is can enforce a message size (512 by default) and only allow one response to a query, for Http it allows Java/ActiveX filtering, Logging etc. Fixup/Inspection changes with each software release but for the PIX (6.3) here is a good reference for how it handles different protocols. http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1063739, use the links under "Basic Protocols" and lower to get quick notes on each.

sword1

Thanks you people help me alot