FTP

The default application inspection for FTP sessions performs the following four tasks:

• NATs any IP addresses embedded within the application payload

• Prepares dynamic secondary data connections for FTP data transfer

• Tracks FTP command-response sequence

• Generates a detailed audit trail

The following output shows the command syntax, plus an example of the Strict option and adding port 3021 for the PIX to listen to for FTP traffic. Our only concern is with the FTP listening ports because the PIX stateful inspection will dynamically prepare the data connection as needed.

Pix(config)# fixup protocol ftp [strict] [port]

Pix(config)#fixup protocol ftp strict 21
Pix(config)#fixup protocol ftp 3021

SMTP—Disabling Fixup Protocol Example

The Mail Guard feature provides safe access for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server. Mail Guard allows a mail server to be safely deployed on the inside network, without the need for an external mail relay (or bastion host) system.

SMTP servers respond to client requests with numeric reply codes and optional human readable strings. The SMTP servers are vulnerable to mischief because of the simplicity of these messages and because some mail systems, such as Microsoft Exchange, don’t fully comply with RFC 821. Mail Guard enforces a safe minimal set of SMTP commands to avoid an SMTP server system from being compromised. Mail Guard performs the following three primary tasks:

• Restricts SMTP requests to seven commands included in RFC 821: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

• Monitors the SMTP command and response sequence looking for a series of common anomalous signatures. Unacceptable characters or commands are replaced by Xs, which are then rejected by the internal server.

• Generates a detailed audit trail by logging all SMTP connections.

The SMTP application inspection command syntax and an example of disabling the Mail Guard feature are as follows:

Pix(config)# fixup protocol smtp [port[-port]]

Pix(config)# no fixup protocol smtp 25

The pervasiveness of Exchange servers in the workplace is reason enough to be aware that Mail Guard could cause Exchange servers and Microsoft Outlook clients to have problems in communicating through a PIX Firewall. It might be necessary to disable the SMTP application inspection and use an access list instead.

The following example demonstrates disabling Mail Guard, while allowing outside access to the DMZ e-mail server. The static command assigns a global address to the server. The ACL let_in allows outside users access to the e-mail server global address via SMTP port (25). The DNS server needs to point to the 1.1.1.6 address, so mail can be sent to this address.

Voice over IP (VoIP)

VoIP involves using H.323 gateways to convert traditional voice analog traffic into IP data packets. The challenges of highly time-sensitive packets in a LAN environment are compounded exponentially when VoIP has to deal with firewalls and NAT. Fortunately, the PIX Firewall application-layer inspection (fixup) features smooth out most of these wrinkles across all the protocols.

• H.323

• Media Gateway Control Protocol (MGCP)

• Session Initiation Protocol (SIP)

• Skinny Client Control Protocol (SCCP)

• Real-Time Transport Protocol (RTP)

• RTP Control Protocol (RTCP)

This section looks at three protocol suites that provide or facilitate call signaling, call control, and media communications. Depending on the VoIP protocols used, the communications between the devices might use either one channel or many different channels. The channels are Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports used for the connections between two network devices.