Fixup Protocol

What exactly do these statements accomplish:

fixup protocol http 80
fixup protocol dns maximum-length 512

Is it possible that these could cause issues with web browsing?

Cyclops3590 Commented:
They are part of a PIX's basic IPS functionality. They don't necessarily change the contents of a packet, but do according to the static entries you set up on your PIX (FTP and DNS are good examples of this).

fixup protocol http 80
just makes sure that anything going over port 80 adheres to HTTP standards
fixup protocol dns maximum-length 512
does the same for dns
this is why the
fixup protocol smtp 25
is often taken out on PIXes because Exchange doesn't follow standards and thus the mail inspection breaks Exchange's ability to communicate through the PIX.

In reference to the changing of info in a packet. Say you have a web server on the inside. A host is trying to connect to this server via its FQDN. The FQDN is resolved by an outside DNS server. When that packet comes through the PIX, it knows the static entry says that the server's public IP is mapped to an internal one, so it changes the IP within the DNS UDP packet before it gets delivered to the internal host. Thus the internal host can connect to the server without issues and no internal DNS server needs to be set up.
fixup protocol modifies the original packet to accommodate changes done during NAT or PAT.

Read this page for detailed information on fixup.
andreacadia (Author) Commented:
Cyclops: are you saying that the fixup for DNS will allow inside hosts to resolve the internal web server by its FQDN? This is also something that I am trying to get working. Currently, my inside hosts cannot access it from inside as the URL points to an IP on the outside of the PIX.

Fixup won't get that functionality for you but you can modify the static entries and get it done as below;

Say for web server you have something like this now;

static (inside,outside) x.x.x.x y.y.y.y netmask

Change the above to;

static (inside,outside) tcp x.x.x.x 222 y.y.y.y www dns netmask

Watch the 'dns' entry in there, it will make sure that any inside hosts searching for x.x.x.x will get translated to y.y.y.y (Pix modifies it so that the inside hosts can also use the FQDN).

Coming back to Fixup protocols;

1. Protocol standards measurements. This is part of the (limited) application intelligence built into the firewall. By incorporating fixups for various protocols, the PIX knows what is legitimate about the packet and what should not be allowed, etc.

2. Another problem in normal firewalls is 'NAT traversal'. When a packet comes to the PIX with a NATted address, sometimes the payload might also contain the original private IP address (as part of connection establishment). Now if that packet reaches the server, there will be a mismatch (the source address is NATted but the original address is un-NATted). This kind of thing is taken care of by fixup. Hope this is clear.

oops, read the second static entry as below;

static (inside,outside) tcp x.x.x.x www y.y.y.y www dns netmask

there was a typo.
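What the DNS fixup does to a reply on its way to an inside host, as an added Python illustration (not code from this thread or from Cisco): it parses a constructed DNS response, swaps the public A-record address for the mapped private one the way a static with the `dns` keyword does, and rejects messages over the 512-byte maximum-length. The address mapping and the sample names are assumptions.

```python
import struct
import ipaddress

# Constructed mapping standing in for "static (inside,outside) <pub_ip> <priv_ip> dns":
# A records carrying the public address are rewritten to the private one.
STATIC_DNS = {"203.0.113.10": "10.1.1.10"}   # assumed sample values
DNS_MAX_LEN = 512                            # fixup protocol dns maximum-length 512

def skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, mapping=STATIC_DNS, max_len=DNS_MAX_LEN):
    """Rewrite A answers per the mapping; return (packet, list of (old, new)).
    Oversized messages raise ValueError, as the maximum-length fixup drops them."""
    if len(pkt) > max_len:
        raise ValueError(f"DNS message of {len(pkt)} bytes exceeds {max_len}")
    pkt = bytearray(pkt)
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                       # question: name + qtype + qclass
        off = skip_name(pkt, off) + 4
    rewrites = []
    for _ in range(an):                       # answer resource records
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # type A, 4-byte IPv4 rdata
            pub = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if pub in mapping:
                pkt[off:off + 4] = ipaddress.IPv4Address(mapping[pub]).packed
                rewrites.append((pub, mapping[pub]))
        off += rdlen
    return bytes(pkt), rewrites

def build_a_reply(name, ip, txid=0x1234):
    """Constructed sample reply: one question and one A answer (compressed name)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```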


Thanks for clarifying that. I reread what I posted and realize that I made it unclear as to what provides that functionality.

fixup altering packets: a good example would be passive FTP. Since the internal FTP server would issue its internal IP (thus the outside client wouldn't be able to connect), the fixup inspects the packet, sees that and changes the IP in the packet (to whatever that IP is translated to on the outside anyway).
andreacadia (Author) Commented:
I use

static (inside,outside) <pub_ip> <priv_ip> dns netmask.....

I still cannot resolve the internal web server by FQDN.
Why does resolves to outside address.

You should create a CNAME record with "www" in your internal DNS server and assign Internal IP address of your Web server.

Then, will resolves to internal IP address.

As, for your outside address(Public) it must be handled by the DNS Server of your ISP.

You must have purchased your domain name from some third party. So the authoritative name server for your domain on the internet will be the DNS server of the service provider.

If you have created a DNS entry in your internal DNS server, you can safely remove it, until and unless your Internal DNS server is also serving DNS requests from outside.
Can you give your config (at least the static and fixup section anyway)? Also, what version of OS are you running?
when you run
nslookup <server fqdn>
on the client in question what IP does it give, the public one?

also, after you did the static entry did you do
clear xlate
andreacadia (Author) Commented:
nslookup returns our ISP's DNS server. OS = Windows XP / Server 2003

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound_traffic permit tcp any interface outside eq 3389
access-list inbound_traffic permit tcp any interface outside eq 8800
access-list inbound_traffic permit tcp any interface outside eq 8801
access-list inbound_traffic permit tcp any interface outside eq 8802
access-list inbound_traffic permit tcp any interface outside eq 6881
access-list inbound_traffic permit icmp any any echo-reply
access-list inbound_traffic permit icmp any any
access-list inbound_traffic permit icmp any any echo
access-list inbound_traffic permit icmp any any time-exceeded
access-list inbound_traffic permit ip any host
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface 3389 3389 netmask 0 0
static (inside,outside) tcp interface 8800 8800 netmask 0 0
static (inside,outside) tcp interface 8801 8801 netmask 0 0
static (inside,outside) tcp interface 8802 8802 netmask 0 0
static (inside,outside) tcp interface 6881 6881 netmask 0 0
static (inside,outside) dns netmask 0 0
access-group inbound_traffic in interface outside
route outside xxxxxxxxxx 1
: end
on the client do
ipconfig /flushdns
nslookup <server fqdn>
again, just to make sure it wasn't grabbing that from cache.
andreacadia (Author) Commented:
After the clear xlate I am able to resolve the web server.