Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf


The following example shows how to define multiple ports for HTTP by entering separate commands:

fixup protocol http 8080
fixup protocol http 8888

These commands do not change the standard HTTP port assignment (80). After you enter them, the PIX applies HTTP application inspection to traffic on ports 80, 8080, and 8888. You can view the explicit (configurable) fixup protocol settings with the show fixup command, as shown in Example 7-10.

Example 7-10 Displaying Configurable fixup protocol Settings

Pixfirewall(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol http 8888
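The following Python script is an added example, not code from the book or from Cisco. It parses show fixup or running-config text of the form shown above into a table of inspected ports per protocol, expands ranges such as 1718-1719, honours no fixup lines, and reports how the device deviates from the factory settings listed in Example 7-10. The sample input is constructed for this example: it is the Example 7-10 output with FTP inspection made strict and rsh inspection removed, so both kinds of finding appear.

```python
import re

# Factory fixup settings as listed by 'show fixup' in Example 7-10 (PIX 6.2).
# Used here as the baseline an auditor compares a device against.
DEFAULT_FIXUPS = {
    "ftp": {21}, "http": {80}, "h323 h225": {1720}, "h323 ras": {1718, 1719},
    "ils": {389}, "rsh": {514}, "rtsp": {554}, "smtp": {25},
    "sqlnet": {1521}, "sip": {5060}, "skinny": {2000},
}

# Constructed sample (not captured from a real device): the Example 7-10 output
# with FTP inspection made strict and rsh inspection removed.
SAMPLE_SHOW_FIXUP = """\
pixfirewall(config)# show fixup
fixup protocol ftp strict 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol http 8888
"""

# [no] fixup protocol <proto> [h225|ras] [strict] <port>[-<port>]
FIXUP_LINE = re.compile(
    r"^(?:(no)\s+)?fixup protocol (\S+(?: (?:h225|ras))?)"
    r"(?:\s+(strict))?\s+(\d+)(?:-(\d+))?\s*$"
)


def parse_fixups(text):
    """Return ({protocol: set of inspected ports}, set of protocols with 'strict').

    Lines that are not fixup statements (prompts, blanks) are ignored; a
    'no fixup' line removes the ports it names, so running-config text works too.
    """
    fixups, strict = {}, set()
    for raw in text.splitlines():
        m = FIXUP_LINE.match(raw.strip())
        if not m:
            continue
        negated, proto, is_strict, lo, hi = m.groups()
        ports = set(range(int(lo), int(hi or lo) + 1))
        if negated:
            fixups.get(proto, set()).difference_update(ports)
        else:
            fixups.setdefault(proto, set()).update(ports)
            if is_strict:
                strict.add(proto)
    return fixups, strict


def audit_fixups(fixups, baseline=DEFAULT_FIXUPS):
    """List deviations from the baseline: default ports with inspection
    removed, and ports where inspection was added beyond the defaults."""
    findings = []
    for proto, ports in baseline.items():
        for p in sorted(ports - fixups.get(proto, set())):
            findings.append(f"{proto}: inspection disabled on default port {p}")
    for proto, ports in fixups.items():
        for p in sorted(ports - baseline.get(proto, set())):
            findings.append(f"{proto}: inspection added on non-default port {p}")
    return findings


def is_inspected(fixups, proto, port):
    """True if traffic on port receives proto's application inspection."""
    return port in fixups.get(proto, set())


if __name__ == "__main__":
    fx, strict = parse_fixups(SAMPLE_SHOW_FIXUP)
    print("http inspected on:", sorted(fx["http"]))   # [80, 8080, 8888]
    print("strict:", sorted(strict))                  # ['ftp']
    for finding in audit_fixups(fx):
        print(finding)
```

Run against a real device's show fixup output, the audit lists every default inspection that has been switched off (the no fixup protocol ftp case discussed later in this chapter shows up this way) and every extra port that was added, which is the quickest way to confirm that a web server published on 8080 actually gets HTTP inspection.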

Advanced Protocol Handling

Some applications require special handling by the Cisco PIX Firewall application inspection function. These types of applications typically embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information.

In addition to identifying embedded addressing information, the application inspection function monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Multimedia applications and FTP applications exhibit this kind of behavior.

File Transfer Protocol (FTP)

The FTP application inspection inspects FTP sessions and performs four tasks:

Prepares a dynamic secondary data connection

Tracks the ftp command-response sequence


Generates an audit trail

NATs the embedded IP address

FTP application inspection prepares the secondary channel used for the FTP data transfer. A data channel is allocated in response to a file upload, a file download, or a directory listing, and its port must be negotiated on the control channel beforehand: the client announces it in a PORT command (active mode), or the server announces it in the 227 reply to PASV (passive mode). The inspection reads that negotiation and opens the data channel for the duration of the transfer.

You can use the fixup command to change the default port assignment for FTP. The command syntax is as follows:

[no] fixup protocol ftp [strict] [port]

The port option lets you configure the port on which the PIX applies FTP inspection (21 by default).

The strict option prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed; connections that send embedded commands are dropped. The strict option only lets the server generate the PASV reply (227) and only lets the client generate the PORT command, and it checks that neither appears inside an error string.

If you disable FTP inspection with the no fixup protocol ftp command, the PIX no longer learns the dynamically negotiated data port. Outbound users can then start connections only in passive mode (the client opens the data connection itself, which the outbound policy already permits), and all inbound FTP is disabled.
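The following Python model is an added example, not code from the book or from Cisco, showing the four tasks listed above on a single FTP control connection: it tracks the command/reply sequence, rewrites the address embedded in PORT commands and 227 replies through a NAT table, records the data-channel pinholes it would open, keeps an audit trail, and with strict=True enforces the restrictions described for fixup protocol ftp strict. The NAT_TABLE entry (inside 10.1.2.39 published as 192.168.1.12), the demo session, and the exact drop conditions are constructed for this example; they model the behaviour described in the text rather than reproducing the PIX implementation.

```python
import re

# Constructed translation for the example: inside (real) address -> global
# address, the mapping a 'static (inside,outside) GLOBAL REAL' command creates.
NAT_TABLE = {"10.1.2.39": "192.168.1.12"}

ADDR6 = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_CMD = re.compile(r"^PORT\s+" + ADDR6 + r"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\s.*\(" + ADDR6 + r"\)")
ANY_ADDR6 = re.compile(ADDR6)
REPLY = re.compile(r"^(\d{3})([ -])")   # 3-digit code; ' ' final line, '-' continuation


def decode_hostport(g):
    """('h1','h2','h3','h4','p1','p2') -> ('h1.h2.h3.h4', p1*256 + p2)."""
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def encode_hostport(host, port):
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


class FtpInspector:
    """Model of PIX FTP application inspection on one control connection."""

    def __init__(self, strict=False, nat=None):
        self.strict = strict
        self.nat = NAT_TABLE if nat is None else nat
        self.awaiting_reply = False
        self.pinholes = []   # (who opens the data connection, dst_host, dst_port)
        self.audit = []      # audit trail, one entry per event
        self.dropped = False

    def _drop(self, why):
        self.dropped = True
        self.audit.append("DROP: " + why)
        return None

    def from_client(self, buf):
        """Inspect one client-to-server write; return forwarded text, or None if dropped."""
        if self.dropped:
            return None
        lines = [l for l in buf.split("\r\n") if l]
        if self.strict and len(lines) > 1:
            return self._drop("embedded (pipelined) commands in one request")
        if self.strict and self.awaiting_reply:
            return self._drop("new command before the previous one was acknowledged")
        out = []
        for line in lines:
            m = PORT_CMD.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                ghost = self.nat.get(host, host)
                self.pinholes.append(("server", ghost, port))   # server -> client data
                self.audit.append(f"PORT {host}:{port} rewritten to {ghost}:{port}")
                line = "PORT " + encode_hostport(ghost, port)
            elif self.strict and (ANY_ADDR6.search(line) or REPLY.match(line)):
                # Only the server may produce a 227; an address tuple or reply
                # code coming from the client is not a legitimate command.
                return self._drop("client sent reply code or address tuple: " + line)
            out.append(line)
        self.awaiting_reply = True
        return "\r\n".join(out) + "\r\n"

    def from_server(self, buf):
        """Inspect one server-to-client write; return forwarded text, or None if dropped."""
        if self.dropped:
            return None
        out = []
        for line in [l for l in buf.split("\r\n") if l]:
            r = REPLY.match(line)
            if self.strict and PORT_CMD.match(line):
                return self._drop("PORT command generated by the server")
            m = PASV_REPLY.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                ghost = self.nat.get(host, host)
                self.pinholes.append(("client", ghost, port))   # client -> server data
                self.audit.append(f"227 {host}:{port} rewritten to {ghost}:{port}")
                line = line.replace(",".join(m.groups()), encode_hostport(ghost, port))
            elif self.strict and ANY_ADDR6.search(line):
                # An address tuple inside anything but a 227 reply (for example
                # reflected into a 5xx error text) is what the strict check rejects.
                return self._drop("address tuple inside a non-227 reply: " + line)
            if r and r.group(2) == " ":   # final line of a reply acknowledges the command
                self.awaiting_reply = False
            out.append(line)
        return "\r\n".join(out) + "\r\n"


def demo(strict):
    """Constructed passive-mode session that ends with two pipelined commands."""
    insp = FtpInspector(strict=strict)
    insp.from_server("220 ftp ready\r\n")
    insp.from_client("USER anonymous\r\n")
    insp.from_server("331 send password\r\n")
    insp.from_client("PASS guest\r\n")
    insp.from_server("230 logged in\r\n")
    insp.from_client("PASV\r\n")
    insp.from_server("227 Entering Passive Mode (10,1,2,39,19,137)\r\n")
    insp.from_client("RETR notes.txt\r\nQUIT\r\n")   # forwarded unless strict
    return insp
```

With strict off, demo() forwards the pipelined RETR/QUIT and leaves one pinhole, client to 192.168.1.12:5001, after rewriting the server's real address in the 227 reply. With strict on, the same session is dropped at the pipelined write, which is the browser behaviour the option exists to block.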

Multimedia Support

The PIX supports several popular multimedia applications. Its application inspection function dynamically opens and closes UDP ports for secure multimedia connections. Supported multimedia applications include the following:

Microsoft Netshow

Microsoft Netmeeting

Intel Internet Video Phone

VDOnet VDOLive

RealNetworks RealAudio and RealVideo

VocalTec

White Pine Meeting Point

White Pine CuSeeMe

Xing StreamWorks

VXtreme WebTheatre


Foundation Summary

By default, the PIX denies traffic that originates on the outside. To let outside hosts initiate connections to a server or subnet behind the PIX, you configure a rule, usually a static command plus an access list. The static command identifies the global address at which the inside host or subnet is reachable from the outside; the access list then identifies and permits the type of traffic allowed to that host or subnet, and the access-group command applies the list to the outside interface. Note that the access list references the global (translated) address from the static, not the real inside address. The following example permits HTTP traffic initiated from the outside to a web server at 10.1.2.39 on the inside interface of the PIX, published as 192.168.1.12:

static (inside,outside) 192.168.1.12 10.1.2.39 netmask 255.255.255.255
access-list 120 permit tcp any host 192.168.1.12 eq www
access-group 120 in interface outside
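The following Python script is an added example, not code from the book or from Cisco. It parses a fragment of static, access-list and access-group commands in the form above and answers, for a given inbound flow, which access control entry decides it and which inside host the static translates the destination to. The configuration fragment is constructed for this example (the rule above plus an HTTPS entry and an explicit final deny), and the parser handles only the any, host and address/mask forms with an optional eq port, which is all this summary uses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed configuration fragment for this example: the summary's rule plus an
# HTTPS entry and an explicit final deny. Not captured from a real device.
SAMPLE_RULES = """\
static (inside,outside) 192.168.1.12 10.1.2.39 netmask 255.255.255.255
access-list 120 permit tcp any host 192.168.1.12 eq www
access-list 120 permit tcp any host 192.168.1.12 eq https
access-list 120 deny ip any any
access-group 120 in interface outside
"""

# Port keywords this example parser understands (a subset of the PIX names).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
              "ssh": 22, "telnet": 23, "domain": 53}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Static:
    global_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network


@dataclass
class PixConfig:
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)     # name -> [Ace], in order
    groups: dict = field(default_factory=dict)   # interface -> ACL bound inbound


def _addr(tok):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0))
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)


def _port(tok):
    """Consume an optional 'eq <port|keyword>'; other operators are not modelled."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_config(text):
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static":            # static (in,out) GLOBAL REAL netmask MASK
            mask = tok[5] if len(tok) > 5 and tok[4] == "netmask" else "255.255.255.255"
            cfg.statics.append(Static(
                ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False),
                ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False)))
        elif tok[0] == "access-list":     # access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
            name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src = _addr(rest)
            _port(rest)                   # source port, not evaluated here
            dst = _addr(rest)
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, _port(rest)))
        elif tok[0] == "access-group":    # access-group NAME in interface IFACE
            cfg.groups[tok[4]] = tok[1]
    return cfg


def evaluate(cfg, iface, proto, src_ip, dst_ip, dst_port):
    """Decide an inbound flow arriving on iface.

    Returns (action, real_host): the first matching ACE's action (implicit deny
    if nothing matches or no access-group is bound to iface), and the inside
    host the static maps the destination to, or None when no static covers it.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    action = "deny"
    for ace in cfg.acls.get(cfg.groups.get(iface), []):
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst \
                and ace.dport in (None, dst_port):
            action = ace.action
            break
    real = None
    for st in cfg.statics:                # the ACL matched on the global address
        if dst in st.global_net:
            offset = int(dst) - int(st.global_net.network_address)
            real = str(st.real_net.network_address + offset)
            break
    return action, real
```

A result of ("permit", None) means the access list allows the flow but no static publishes that global address, so the PIX has no translation for it and the connection still fails; a query for the real inside address (10.1.2.39) comes back as a deny, which is the practical reason the access list must name the global address and not the inside one.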

TurboACL is a feature introduced in Cisco PIX Firewall OS version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries. TurboACL is applied only to access lists with at least 19 access control entries (ACEs) and at most 16,000 ACEs.

The object grouping feature enables you to group objects such as hosts (servers and clients), services, and networks, and apply security policies and rules to the group. The four types of object groups are:

Network

Protocol

Service

icmp-type

The PIX supports several popular multimedia applications. Its application inspection function dynamically opens and closes UDP ports for secure multimedia connections. Popular multimedia applications such as RealPlayer, Microsoft NetMeeting, and others are supported by the Cisco PIX Firewall.

126 Chapter 7: Configuring Access

Q&A

The questions in this section do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.

The answers to these questions can be found in Appendix A.

1. What is the maximum number of access list entries in one access list that TurboACL supports?

A. 19

B. 2000

C. 16,000

D. 10

2. What is the minimum number of access list entries needed in an access list for TurboACL to compile?

A. 4

B. 19

C. 16,000

D. No minimum is required

3. Which of the following is not one of the four object types available when you create an object group?

A. Network

B. Protocol

C. Application

D. Services

4. True or false: By default, traffic initiated from the outside (external to the PIX) is allowed in through the PIX.


5. What command lets you create a network object group?

A. object-group network group-id

B. enable object-group network group-id

C. create network object-group

D. network object-group enable

6. What command enables TurboACL globally on the PIX Firewall?

A. turboacl global

B. access-list compiled

C. access-list turboacl

D. You cannot enable TurboACL globally

7. What is the minimum memory requirement for TurboACL to work?

A. 8 MB

B. 100 Kb

C. 2.1 MB

D. 4 MB

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):

11. Syslog configuration