fixup and access-list

sword1sword1 Member Posts: 9 ■□□□□□□□□□
hi

what is the difference beteen these two command in pix. i am muddle between these to command cos as far as my study concern is that both of them allowing pptp port.


fixup protocol pptp 1723
and
access-list my_list prmit any any eq 1723
Thank you

Comments

  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Good link here explaining it:

    http://www.ciscopress.com/articles/article.asp?p=24685&rl=1
    With only a few exceptions, advanced protocol handling is accomplished via a mechanism called a fixup protocol. The fixup protocol command operates not as a true proxy but as an application aware agent. In most cases, the fixup protocol acts by monitoring the control channel of an application to prevent protocol violations and enable the PIX to respond dynamically to a protocol's legitimate need to open an inbound connection securely by making a temporary exception in the ASA. When the exception is no longer needed, the fixup protocol closes it. Each new version of the PIX OS brings new and improved protocol handling. It is important to note that the PIX can only perform these operations on the fixups that are part of the PIX OS running on your PIX. Fixups are not user-definable or user-programmable. Fixups allow you to enable or disable processing for the supported protocols and determine what ports (standard or non-standard) to operate on.

    Fixup protocol is more secure than just opening a port.
    All things are possible, only believe.
  • sword1sword1 Member Posts: 9 ■□□□□□□□□□
    thanks alot for for ur infromaion

    but why i cannot able to add port 3389 of rdp in fixup protocol, i tried to add in fixup protocol but its not adding, than for that i used

    access-list abcd permit tcp any any eq 3389 this is working.
    Thank you
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    sword1 wrote:
    thanks alot for for ur infromaion

    but why i cannot able to add port 3389 of rdp in fixup protocol, i tried to add in fixup protocol but its not adding, than for that i used

    access-list abcd permit tcp any any eq 3389 this is working.

    Must be an unsupported protocol on Pix.
    It is important to note that the PIX can only perform these operations on the fixups that are part of the PIX OS running on your PIX. Fixups are not user-definable or user-programmable.
    All things are possible, only believe.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Yup, Fixup is essentially deep application layer inspection, the PIX has to understand the protocol for it to work. Access-lists are simple filters in comparison and are much easier to apply, the PIX does not have to understand what is on port 3389 for them to work.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • sword1sword1 Member Posts: 9 ■□□□□□□□□□
    ok i got it, almost vission is clear but one thing more. http is enable in fixup, its mean that pix will apply special handling for http then why we use access list to allow www on a perticular static NAT (i am aware that second statemet isused to hide webserver from external intrusion) if fixup can handle all of it with deep scanning, may be sound foolish but ignore because i am newbie :)


    fixup protocol http 80

    static (inside, ouside) 210.x.x.5 192.x.x.5 netmask 255.255.255.25
    access-list abcd permit tcp any 210.x.x.5 eq www
    Thank you
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    The actual function of Fixup/Inspect depends on the supported protocol. It does not imply one set of actions that are applied to them all, and more importantly does not simply block or allow a protocol as an access list would. For example for DNS Inspection is can enforce a message size (512 by default) and only allow one response to a query, for Http it allows Java/ActiveX filtering, Logging etc. Fixup/Inspection changes with each software release but for the PIX (6.3) here is a good reference for how it handles different protocols. http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1063739, use the links under "Basic Protocols" and lower to get quick notes on each.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • sword1sword1 Member Posts: 9 ■□□□□□□□□□
    Thanks you people help me alot
    Thank you
Sign In or Register to comment.