fixup protocol
Change, enable, disable, or list a firewall application protocol feature. (Configuration mode.)
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]
fixup protocol h323 [port[-port]]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
[no] fixup protocol [protocol [ skinny | sip | ... ]] []
clear fixup
show fixup protocol [protocol protocol]
Syntax
fixup protocol Performs enabling, disabling, viewing, or changing the configuration of a service or protocol through the firewall. no Disables the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After removing all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration. port Specify the port number or range for the application protocol. The default ports are:
Protocol TCP Port ftp 21 http 80 h323 1720 rsh 514 RTSP 554 smtp 25 sqlnet 1521 sip 5060 The default port value for rsh cannot be changed, but additional port statements can be added.
strict Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. protocol Specifies the protocol to fix up. sip Enable SIP. show conn state Displays the connection state of the designated protocol. show fixup Lists values show timeout Displays the timeout value of the designated protocol. show timeout skinny Displays the timeout value of the SCCP. skinny Enable SCCP. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the firewall and interoperate with H.323 terminals. update timeout Updates the timeout value of the SCCP. The default for the fixup protocol sip command is 5060.
The default for the fixup protocol skinny command is 2000.
fixup protocol
The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the firewall. The ports you specify are those that the firewall listens at for each respective service. You can change the port value for each service except rsh and sip. The fixup protocol commands are always present in the configuration and are enabled by default.
The fixup protocol command performs the Adaptive Security Algorithm based on different port numbers other than the defaults. This command is global and changes things for both inbound and outbound connections, and cannot be restricted to any static command statements.
The clear fixup protocol removes fixup protocol from the configuration that you added. It does not remove the default fixup protocol commands.
The show fixup protocol lists all values or the show fixup protocol protocol command lists an individual protocol.
You can disable the fixup protocol of a protocol by removing all fixup protocols of the protocol from the configuration using no fixup protocol.
SCCP (skinny) protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the firewall and interoperate with H.323 terminals.
To support SIP calls through the firewall, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Therefore, SIP is a text-based protocol and contains the IP addresses throughout the text. The packets are inspected and NAT is provided for the IP addresses.
If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because firewall currently does not support NAT TFTP messages.
For additional information about the SIP protocol see RFC 2543. For additional information about the Session Description Protocol (SDP), see RFC 2327.
The following lists the default fixup protocol values.
cbos# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol ftp
The FTP port can be changed; however if you change the default of port 21, to something like 2021, all FTP control connections must happen on port 2021. FTP control connections on port 21 will no longer work.
If you disable FTP fixup protocols with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
The port parameter allows you to specify the port at which the firewall listens for FTP traffic. Typically, this value is 21. In addition, the FTP port can now only be in the range of 1 to 1024.
fixup protocol h323
Provide support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting.
h323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. H.323 supports VoIP gateways and VoIP gatekeepers. H.323 version 2 adds the following functionality to the firewall:
- Fast Connect or Fast Start Procedure for faster call setup
- H.245 tunneling for resource conservation, call synchronization, and reduced set up time
fixup protocol http
If there is a no fixup protocol http command statement in the configuration, the filter url command does not work.
fixup protocol rtsp
The fixup protocol rtsp command lets firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. firewall does not support multicast RTSP.
If you are using Cisco IP/TV, use TCP ports 554 and 8554:
fixup protocol rtsp 554 fixup protocol rtsp 8554The following restrictions apply to the fixup protocol rtsp command:
- This firewall will not fix RTSP messages passing through UDP ports.
- firewall does not support the RealNetwork's multicast mode (x-real-rdt/mcast).
- PAT is not supported with the fixup protocol rtsp command.
- firewall does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
- firewall cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented and firewall cannot perform NAT on fragmented packets.
- With Cisco IP/TV, the number of NATs the firewall performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
- You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.
- When using RealPlayer, it is important to properly configure transport mode. For the firewall, add an access-list command statement from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options>Preferences>Transport>RTSP Settings.
If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the firewall, there is no need to configure the fixup.
If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the firewall, run fixup protocol rtsp port .
fixup protocol sip
Enable SIP on the interface. SIP enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers.
Session Initiation Protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:
SIP Session Initiation Protocol RFC 2543 SDP Session Description Protocol RFC 2327
fixup protocol smtp
Enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
The fixup protocol SMTP command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored.
fixup protocol sqlnet
The firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.
Examples
You can add multiple port settings for each protocol with separate commands; for example:
fixup protocol ftp 21
fixup protocol ftp 4254
fixup protocol ftp 9090These commands cause firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.
The following example enables access to an inside server running Mail Guard:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq SMTP any
access-group acl_out in interface outside
fixup protocol SMTP 25The following example shows the commands to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq SMTP any
access-group acl_out in interface outside
no fixup protocol SMTP 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.