The fixup protocol Command
Feb 06,2010 00:00
by alperen
Application inspection is frequently referred to as fixup because the fixup protocol command can be used to configure the application inspection for many of the supported protocols. Note that other protocols are supported that don’t support configuration.

The show fixup command displays the applications/protocols that use the fixup protocol command and their default port settings. These defined port numbers are the ones the PIX Firewall listens to for each respective service. The following output shows the default fixup protocol commands enabled on a PIX Firewall version 6.2.

Pix(config)# show fixup

If necessary, the port numbers can be changed for each service, except rsh and sip. Remember, if a protocol like HTTP is set to use another port number, any connections established to that port number will be interpreted as if they’re HTTP data.

Using the fixup protocol Command

Use the configuration mode fixup protocol commands to change, enable, or disable the access of supported services or protocols through the PIX Firewall. The command is global and any changes apply to both inbound and outbound connections. The command can’t be restricted by any port address changes in static command statements. The basic syntax looks like the following, where protocol is limited to the 11 supported options in the preceding output.
The clear fixup command resets the fixup default settings, but it doesn’t remove the default fixup protocol commands. To disable a fixup for a specific protocol, use the no fixup protocol protocol command without any options. The no fixup protocol is stored in the configuration.

Changes made using the fixup command only affect future connection sessions. For any change to take effect immediately, you must use the clear xlate command to remove all existing application inspection entries.

The next pages look at the applications supported by the PIX Firewall application inspection features and a few examples of working with the fixup protocol commands. For more information, a search on fixup on the www.cisco.com site offers a wide selection of documents. Particularly for “hot” technologies such as VoIP, checking the latest documentation for the fixup protocol is always wise.
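As an added example (not from the original article or from Cisco), the following script reviews a proposed change to the fixup lines of a configuration and lists what the text above says will follow: ports newly interpreted as a protocol, disabled inspections, and the need for clear xlate. The function names, the two sample configurations, and the line grammar (a trailing numeric token is a port or port range; a no form with a port removes only that port) are assumptions made for illustration.

```python
import re
# Constructed sample configurations (not taken from a real device).
BEFORE = """fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 h225 1720"""
AFTER = """fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 8080
no fixup protocol smtp
fixup protocol h323 h225 1720"""

# Matches "fixup protocol ..." and "no fixup protocol ..." lines.
FIXUP = re.compile(r"^(?P<no>no\s+)?fixup\s+protocol\s+(?P<rest>[A-Za-z].*)$")

def parse_fixups(config):
    """Map each protocol named in fixup lines to the set of ports bound to it."""
    ports = {}
    for raw in config.splitlines():
        m = FIXUP.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        # Assumption: a trailing token starting with a digit is a port or range.
        port = tokens.pop() if tokens[-1][0].isdigit() else None
        proto = " ".join(tokens)
        if m.group("no") and port is None:
            ports[proto] = set()  # "no fixup protocol X": inspection off
        elif m.group("no"):
            ports.setdefault(proto, set()).discard(port)
        elif port is not None:
            ports.setdefault(proto, set()).add(port)
    return ports

def review_change(before, after):
    """Describe the effect of replacing one set of fixup lines with another."""
    old, new = parse_fixups(before), parse_fixups(after)
    notes = []
    for proto in sorted(set(old) | set(new)):
        was, now = old.get(proto, set()), new.get(proto, set())
        if was and not now:
            notes.append(f"{proto}: inspection disabled")
        for port in sorted(now - was):
            notes.append(f"{proto}: connections to port {port} will be inspected as {proto}")
        for port in sorted(was - now if now else ()):
            notes.append(f"{proto}: port {port} no longer inspected")
    if notes:
        notes.append("existing sessions unaffected until 'clear xlate' is run")
    return notes
```

Calling review_change(BEFORE, AFTER) on the constructed samples reports the added HTTP port, the disabled smtp inspection, and the clear xlate reminder.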