Fixup Protocol

andreacadia asked:

What exactly do these statements accomplish:

fixup protocol http 80
fixup protocol dns maximum-length 512

Is it possible that these could cause issues with web browsing?
prashsax:

fixup protocol modifies the original packet to accommodate changes done during NAT or PAT.

Read this page for detailed information on fixup.
http://www.netcraftsmen.net/welcher/papers/pix03.html
ASKER CERTIFIED SOLUTION by Cyclops3590 (members-only; text not included here)
andreacadia (asker):
Cyclops: are you saying that the fixup for dns will allow inside hosts to resolve the internal web server by its FQDN?  This is also something that I am trying to get working.  Currently, my inside hosts cannot access www.mycompany.com from inside as the URL points to an IP on the outside of the PIX.
Fixup won't get that functionality for you, but you can modify the static entries and get it done as below:

Say for the web server you have something like this now:

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

Change the above to:

static (inside,outside) tcp x.x.x.x 222 y.y.y.y www dns netmask 255.255.255.255


Watch the 'dns' entry in there; it will make sure that any inside hosts searching for x.x.x.x will get translated to y.y.y.y (the PIX modifies it so that the inside hosts can also use the FQDN).

Coming back to fixup protocols:

1. Protocol standards measurements. This is part of the (limited) application intelligence built into the firewall. By incorporating fixups for various protocols, the PIX knows what is legitimate about the packet and what should not be allowed, etc.

Another problem in normal firewalls is 'NAT traversal'. When a packet comes to the PIX with a NATted address, sometimes the payload might also contain the original private IP address (as part of connection establishment). Now if that packet reaches the server, there will be a mismatch (the source address is NATted but the original address is un-NATted). This kind of thing is taken care of by fixup. Hope this is clear.

Cheers,
Rajesh
Oops, read the second static entry as below:

static (inside,outside) tcp x.x.x.x www y.y.y.y www dns netmask 255.255.255.255

There was a typo.

Cheers,
Rajesh
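What the 'dns' keyword on a static does is easiest to see in code. The following is an added example written for this page, not code from the thread or from the PIX itself: it builds a constructed DNS reply for www.mycompany.com, rewrites any A record that carries the global address of a static so that an inside host receives the local address (the mapping 65.65.65.65 -> 192.168.0.151 is hypothetical and only mirrors the shape of the asker's static line), and rejects messages larger than the 512-byte limit set by fixup protocol dns maximum-length 512.

```python
import struct

# Hypothetical mapping in the shape of the thread's
#   static (inside,outside) <pub_ip> <priv_ip> dns netmask ...
# global (outside) address -> local (inside) address
STATIC_DNS = {"65.65.65.65": "192.168.0.151"}
MAX_DNS_LEN = 512  # fixup protocol dns maximum-length 512


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answer_ips, txid=0x1234):
    """Constructed DNS reply: one A question plus one A record per IP."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rrs = b""
    for ip in answer_ips:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_records(msg):
    """Yield (rdata_offset, ip) for every A record in the answer, authority and additional sections."""
    _flags, qd, an, ns, ar = struct.unpack_from("!HHHHH", msg, 2)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen


def answer_ips(msg):
    """All A-record addresses in a reply, in order."""
    return [ip for _, ip in _a_records(msg)]


def doctor(msg, mapping=STATIC_DNS, max_len=MAX_DNS_LEN):
    """Rewrite A records on a reply heading to the inside, as the dns keyword on a static does.
    Returns (rewritten_message, number_of_rewrites); oversized messages are rejected,
    as the DNS fixup drops them instead of forwarding them."""
    if len(msg) > max_len:
        raise ValueError(f"DNS message of {len(msg)} bytes exceeds maximum-length {max_len}")
    flags = struct.unpack_from("!H", msg, 2)[0]
    if not flags & 0x8000:  # QR bit clear: a query, nothing to rewrite
        return msg, 0
    out = bytearray(msg)
    rewrites = 0
    for off, ip in _a_records(msg):
        if ip in mapping:
            out[off:off + 4] = bytes(int(o) for o in mapping[ip].split("."))
            rewrites += 1
    return bytes(out), rewrites
```

Only the RDATA of A records is touched, so the message length never changes and no UDP checksum games are needed beyond recomputing it; answers for addresses without a static, and queries, pass through untouched. This is the reason the rewrite helps only when the reply actually traverses the PIX: a reply served by a DNS server on the inside never passes the outside interface and is never doctored.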
Rajesh,

Thanks for clarifying that.  I reread what I posted and realize that I made it unclear as to what provides that functionality.

Fixup altering packets: a good example would be passive FTP.  Since the internal FTP server would issue its internal IP (thus the outside client wouldn't be able to connect), the fixup inspects the packet, sees that and changes the IP in the packet (to whatever that IP is translated to on the outside anyway).
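The passive-FTP case described above, as an added example that is not part of the original post nor Cisco's code: the inside server's 227 reply carries its private address in the payload, so the rewrite swaps in the address the static maps it to and reports the data port the firewall has to open for the client's incoming connection. The mapping is hypothetical and reuses addresses from the posted config.

```python
import re

# Hypothetical 1:1 static in the shape of static (inside,outside) <pub_ip> <priv_ip>
# local (inside) address -> global (outside) address
STATIC = {"192.168.0.151": "65.65.65.65"}

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def fixup_pasv(line, mapping=STATIC):
    """Rewrite a 227 reply from an inside server so an outside client can connect.
    Returns (rewritten_line, pinhole); pinhole is the (global_ip, port) the firewall
    must open for the data connection, or None when nothing was rewritten."""
    m = PASV_RE.match(line)
    if not m:
        return line, None  # not a PASV reply
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    local_ip = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    global_ip = mapping.get(local_ip)
    if global_ip is None:
        return line, None  # host has no static; leave the reply alone
    new_tuple = ",".join(global_ip.split(".") + [str(p1), str(p2)])
    new_line = line[: m.start(1)] + new_tuple.encode() + line[m.end(6):]
    return new_line, (global_ip, port)
```

Unlike the DNS case the rewritten text can change length (a shorter or longer dotted address), so a real fixup also has to adjust TCP sequence and acknowledgement numbers for the rest of the control connection; this toy only shows the payload edit and the pinhole it implies.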
I use

static (inside,outside) <pub_ip> <priv_ip> dns netmask.....

I still cannot resolve the internal web server by FQDN.
Why does www.mycompany.com resolve to the outside address?

You should create a CNAME record with "www" in your internal DNS server and assign Internal IP address of your Web server.

Then, www.mycompany.com will resolve to the internal IP address.

As, for your outside address(Public) it must be handled by the DNS Server of your ISP.

You must have purchased your domain name from some third party. So the authoritative name server for your domain on the internet will be the DNS server of the service provider.

If you have created a DNS entry in your internal DNS server, you can safely remove it, until and unless your Internal DNS server is also serving DNS requests from outside.
Can you give your config (at least the static and fixup sections anyway)? Also, what version of the OS are you running?
When you run
nslookup <server fqdn>
on the client in question, what IP does it give, the public one?

Also, after you did the static entry, did you do
clear xlate
nslookup returns our ISP's DNS server.  OS = Windows XP / Server 2003

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound_traffic permit tcp any interface outside eq 3389
access-list inbound_traffic permit tcp any interface outside eq 8800
access-list inbound_traffic permit tcp any interface outside eq 8801
access-list inbound_traffic permit tcp any interface outside eq 8802
access-list inbound_traffic permit tcp any interface outside eq 6881
access-list inbound_traffic permit icmp any any echo-reply
access-list inbound_traffic permit icmp any any
access-list inbound_traffic permit icmp any any echo
access-list inbound_traffic permit icmp any any time-exceeded
access-list inbound_traffic permit ip any host 65.65.65.65
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.66.66.66.66
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
.
.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.0.30 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8800 192.168.0.252 8800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8801 192.168.0.253 8801 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8802 192.168.0.230 8802 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.0.30 6881 netmask 255.255.255.255 0 0
static (inside,outside) 65.65.65.65 192.168.0.151 dns netmask 255.255.255.255 0 0
access-group inbound_traffic in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxx 1
.
.
.
.
.
: end
xxxxxxxxx#
On the client do
ipconfig /flushdns
then
nslookup <server fqdn>
again, just to make sure it wasn't grabbing that from cache.
After the clear xlate I am able to resolve the web server.