Advanced Protocol Handling 123
The following example shows how to define multiple ports for HTTP by entering separate commands:

fixup protocol http 8080
fixup protocol http 8888

These commands do not change the standard HTTP port assignment (80). After you enter these commands, the PIX listens for HTTP traffic on ports 80, 8080, and 8888. You can view the explicit (configurable) fixup protocol settings with the show fixup command, as shown in Example 7-9.

Example 7-10 Displaying Configurable fixup protocol Settings

Pixfirewall(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225
fixup protocol h323 ras 1
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 152
fixup protocol sip 5060
fixup protocol skinny 200
fixup protocol http 8080
fixup protocol http 8888
Advanced Protocol Handling
Some applications require special handling by the Cisco PIX Firewall application inspection function. These types of applications typically embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information.
In addition to identifying embedded addressing information, the application inspection function monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Multimedia applications and FTP applications exhibit this kind of behavior.
File Transfer Protocol (FTP)
The FTP application inspection inspects FTP sessions and performs four tasks:
• Prepares a dynamic secondary data connection
• Tracks the ftp command-response sequence
• Generates an audit trail
• NATs the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. The channels are allocated in response to a file upload, a file download, or a directory listing event, and they must be prenegotiated. The port is negotiated through the PORT or PASV (227) commands.
You can use the fixup command to change the default port assignment for FTP. The command syntax is as follows:
[no] fixup protocol ftp [strict] [port]
The port option lets you configure the port at which the PIX listens for FTP traffic.
The strict option prevents web browsers from sending embedded commands in FTP requests. Each ftp command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets the server generate the PASV reply command (227) and only lets the client generate the PORT command. The PASV reply and PORT commands are checked to ensure that they do not appear in an error string.
If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
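The following is an added example, not code from the book or from Cisco: a small Python model of what the FTP application inspection described above does on the control channel. It parses the client's PORT command and the server's 227 (PASV) reply to learn the dynamically negotiated data channel, rewrites the embedded address through a static NAT mapping, keeps an audit trail, tracks the command-response sequence, and applies the strict checks (one command per client segment, each command acknowledged before the next, PORT only from the client, 227 only from the server, neither pattern hidden inside an error string). The NAT table, the session text, and the names FtpInspector, from_client, from_server, decode_hostport and encode_hostport are all constructed for this example; the address pair is the one used in the chapter's static command example.

```python
"""Toy model of PIX FTP application inspection (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

# Constructed static NAT table: inside address -> global address.
STATIC_NAT = {"10.1.2.39": "192.168.1.12"}

PORT_RE = re.compile(r"^PORT (\d+,\d+,\d+,\d+,\d+,\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def decode_hostport(spec):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), as used by PORT and 227."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port specification")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    strict: bool = True
    awaiting_reply: bool = False                    # client command not yet acknowledged
    pinholes: list = field(default_factory=list)    # (ip, port) data channels opened
    audit: list = field(default_factory=list)       # audit trail of inspection events
    dropped: bool = False

    def _drop(self, reason):
        self.dropped = True
        self.audit.append("DROP: " + reason)
        return None

    def from_client(self, segment):
        """Inspect a client->server segment; return the text to forward, or None if dropped."""
        if self.dropped:
            return None
        cmds = segment.rstrip("\r\n").split("\r\n")
        if self.strict:
            if len(cmds) > 1:
                return self._drop("embedded command in client segment")
            if self.awaiting_reply:
                return self._drop("new command before previous one was acknowledged")
            if any(c.startswith("227") for c in cmds):
                return self._drop("client sent a server-only PASV reply")
        out = []
        for cmd in cmds:
            m = PORT_RE.match(cmd)
            if m:
                ip, port = decode_hostport(m.group(1))
                ip = STATIC_NAT.get(ip, ip)         # NAT the embedded address
                self.pinholes.append((ip, port))    # prepare the secondary data channel
                self.audit.append(f"PORT: open data channel to {ip}:{port}")
                cmd = "PORT " + encode_hostport(ip, port)
            out.append(cmd)
        self.awaiting_reply = True
        return "\r\n".join(out) + "\r\n"

    def from_server(self, segment):
        """Inspect a server->client segment; return the text to forward, or None if dropped."""
        if self.dropped:
            return None
        out = []
        for reply in segment.rstrip("\r\n").split("\r\n"):
            if self.strict:
                if reply.startswith("PORT "):
                    return self._drop("server sent a client-only PORT command")
                # 4xx/5xx error strings must not carry a PASV reply or PORT pattern
                if reply[:1] in "45" and ("227" in reply or "PORT" in reply):
                    return self._drop("PASV/PORT pattern inside an error string")
            m = PASV_RE.match(reply)
            if m:
                ip, port = decode_hostport(m.group(1))
                ip = STATIC_NAT.get(ip, ip)         # NAT the embedded address
                self.pinholes.append((ip, port))
                self.audit.append(f"PASV: open data channel to {ip}:{port}")
                reply = f"227 Entering Passive Mode ({encode_hostport(ip, port)})"
            out.append(reply)
        self.awaiting_reply = False                 # the outstanding command is acknowledged
        return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    insp = FtpInspector(strict=True)
    insp.from_client("PASV\r\n")
    print(insp.from_server("227 Entering Passive Mode (10,1,2,39,195,80)\r\n"))
    print(insp.pinholes, insp.audit)
```

The model keeps only the behaviour the chapter names: the pinholes list stands in for the dynamically opened data ports, and the audit list for the audit trail. With strict=False the embedded-command and sequencing checks are skipped, which is the difference the strict keyword makes in the fixup command above.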
Multimedia Support
The PIX supports several popular multimedia applications. Its application inspection function dynamically opens and closes UDP ports for secure multimedia connections. Supported multimedia applications include the following:
• Microsoft Netshow
• Microsoft Netmeeting
• Intel Internet Video Phone
• VDOnet VDOLive
• RealNetworks RealAudio and RealVideo
• VocalTech
• White Pine Meeting Point
• White Pine CuSeeMe
• Xing StreamWorks
• VXtreme WebTheatre

Foundation Summary
Inbound traffic that initiates from the outside is automatically denied access by default on the PIX. Rules have to be put in place to permit traffic to initiate from the outside to servers and subnets behind the Cisco PIX Firewall. The rules are usually made up of a static nat command and an access list. The static nat command identifies the subnet or host that traffic from the outside will be permitted to reach. Access lists are then configured to identify and permit the type of traffic to the subnet or host identified by the static command. The following is an example of a rule that permits HTTP traffic to be initiated from the outside to a web server 10.1.2.39 on the inside interface of the PIX:

static (inside,outside) 192.168.1.12 10.1.2.39 netmask 255.255.255.255
access-list 120 permit tcp any host 192.168.1.12 eq www
access-group 120 in interface outside
TurboACL is a feature introduced with Cisco PIX Firewall OS version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries. The TurboACL feature is applied only to access lists with a minimum of 19 access list entries (ACEs) and a maximum of 16,000 ACEs.
The object grouping feature enables you to group objects such as hosts (servers and clients), services, and networks, and apply security policies and rules to the group. The four types of object groups are:
• Network
• Protocol
• Service
• icmp-type
The PIX supports several popular multimedia applications. Its application inspection function dynamically opens and closes UDP ports for secure multimedia connections. Popular multimedia applications such as RealPlayer, Microsoft NetMeeting, and others are supported by the Cisco PIX Firewall.

Q&A
The questions in this section do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1. What is the maximum number of access list entries in one access list that TurboACL supports?
A. 19
B. 2000
C. 16,000
D. 10

2. What is the minimum number of access list entries needed in an access list for TurboACL to compile?
A. 4
B. 19
C. 16,000
D. No minimum is required

3. Which of the following is not one of four options for object types when you create an object group?
A. Network
B. Protocol
C. Application
D. Services

4. True or false: By default, traffic initiated from the outside (external to the PIX) is allowed in through the PIX.

5. What command lets you create a network object group?
A. object-group network group-id
B. enable object-group network group-id
C. create network object-group
D. network object-group enable

6. What command enables TurboACL globally on the PIX Firewall?
A. turboacl global
B. access-list compiled
C. access-list turboacl
D. You cannot enable TurboACL globally

7. What is the minimum memory requirement for TurboACL to work?
A. 8 MB
B. 100 Kb
C. 2.1 MB
D. 4 MB

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):
11. Syslog configuration