Solved

Fixup Protocol

Posted on 2006-06-22
Last Modified: 2010-04-08
What exactly do these statements accomplish:

fixup protocol http 80
fixup protocol dns maximum-length 512

Is it possible that these could cause issues with web browsing?
Question by:andreacadia
 

Expert Comment

by:prashsax
ID: 16964001
fixup protocol modifies the original packet to accommodate changes done during NAT or PAT.

Read this page for detailed information on fixup.
http://www.netcraftsmen.net/welcher/papers/pix03.html
 

Accepted Solution

by:Cyclops3590 (earned 500 total points)
ID: 16965456
They are part of a PIX's basic IPS functionality. They don't necessarily change the contents of a packet, but do according to the static entries you set up on your PIX (ftp and dns are good examples of this).

fixup protocol http 80
just makes sure that anything going over port 80 adheres to HTTP standards
fixup protocol dns maximum-length 512
does the same for dns
this is why the
fixup protocol smtp 25
is often taken out on pix's because Exchange doesn't follow standards and thus the mail inspection breaks the Exchange's ability to communicate thru the pix.

In reference to the changing of info in a packet. Say you have a web server on the inside.  A host is trying to connect to this server via its fqdn.  The fqdn is resolved by an outside dns server.  When that packet comes thru the pix, it knows the static entry says that the server's public IP is mapped to an internal one so it changes the IP within the dns udp packet before it gets delivered to the internal host.  Thus the internal host can connect to the server without issues and no internal dns server needs to be setup.
 

Author Comment

by:andreacadia
ID: 16965694
Cyclops: are you saying that the fixup for dns will allow inside hosts to resolve the internal web server by its FQDN?  This is also something that I am trying to get working.  Currently, my inside hosts cannot access www.mycompany.com from inside, as the URL points to an IP on the outside of the PIX.
 

Expert Comment

by:rsivanandan
ID: 16966318
Fixup won't get that functionality for you, but you can modify the static entries and get it done as below:

Say for the web server you have something like this now:

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

Change the above to:

static (inside,outside) tcp x.x.x.x 222 y.y.y.y www dns netmask 255.255.255.255


Watch the 'dns' entry in there; it will make sure that any inside hosts searching for x.x.x.x will get translated to y.y.y.y (the PIX modifies it so that the inside hosts can also use the FQDN).

Coming back to fixup protocols:

1. Protocol standards measurements. This is part of the (limited) application intelligence built into the firewall. By incorporating fixups for various protocols, the PIX knows what is legitimate about the packet and what should not be allowed, etc.

Also, another problem in normal firewalls is 'NAT traversal'. When a packet comes to the PIX with a NATted address, sometimes the payload also might contain the original private IP address (part of connection establishment). Now if that packet reaches the server, there will be a mismatch (source address is NATted but original address is un-NATted). This kind of stuff will be taken care of by fixup. Hope this is clear.

Cheers,
Rajesh
 

Expert Comment

by:rsivanandan
ID: 16966321
Oops, read the second static entry as below:

static (inside,outside) tcp x.x.x.x www y.y.y.y www dns netmask 255.255.255.255

There was a typo.

Cheers,
Rajesh
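The DNS rewrite that the accepted solution and Rajesh's 'dns' keyword describe, plus the 512-byte limit from the question, modelled as an added example (not code from the thread or from Cisco): a small Python imitation of the inspection, using the 65.65.65.65 to 192.168.0.151 static from the asker's config. The DNS reply it parses is constructed inline and the function names are hypothetical.

```python
import struct
# Constructed example mirroring the thread's "static (inside,outside) 65.65.65.65
# 192.168.0.151 dns" and "fixup protocol dns maximum-length 512"; names are hypothetical.
STATIC_GLOBAL_TO_LOCAL = {"65.65.65.65": "192.168.0.151"}
MAX_DNS_LEN = 512

def _skip_name(pkt, pos):
    """Advance past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = pkt[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def _answer_records(pkt):
    """Yield (rtype, rdata_offset, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(pkt, pos) + 4              # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(pkt, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        yield rtype, pos, rdlen
        pos += rdlen

def build_a_reply(name, ip, txid=0x1234):
    """Build a minimal DNS A-record reply (constructed input, not a real capture)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)   # name ptr to offset 12
    return header + question + answer + bytes(int(o) for o in ip.split("."))

def answered_ips(pkt):
    """Dotted-quad addresses carried in the reply's A records."""
    return [".".join(str(b) for b in pkt[off:off + 4])
            for rtype, off, rdlen in _answer_records(pkt) if rtype == 1 and rdlen == 4]
def doctor_dns_reply(pkt, static_map=STATIC_GLOBAL_TO_LOCAL, max_len=MAX_DNS_LEN):
    """Mimic PIX DNS inspection: drop oversize replies, rewrite global IPs to local ones."""
    if len(pkt) > max_len:
        return None                                 # exceeds maximum-length: dropped
    out = bytearray(pkt)
    for rtype, off, rdlen in _answer_records(pkt):
        ip = ".".join(str(b) for b in pkt[off:off + 4])
        if rtype == 1 and rdlen == 4 and ip in static_map:
            out[off:off + 4] = bytes(int(o) for o in static_map[ip].split("."))
    return bytes(out)
```

A reply for a name that does not map to any static passes through unchanged, and a reply longer than the configured maximum is dropped rather than rewritten.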
 

Expert Comment

by:Cyclops3590
ID: 16967885
Rajesh,

Thanks for clarifying that.  I reread what I posted and realize that I made it unclear as to what provides that functionality.

Fixup altering packets: a good example would be passive FTP.  Since the internal FTP server would issue out its internal IP (thus the outside client wouldn't be able to connect), the fixup inspects the packet, sees that and changes the IP in the packet (to whatever that IP is translated to on the outside anyway).
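The passive-FTP rewrite Cyclops3590 describes above, as an added example that is not code from the thread or from Cisco: it imitates what the ftp fixup does to the server's 227 reply on the control channel. The addresses 192.168.0.30 and 65.65.65.65 come from the thread, but a one-to-one static between them and an FTP server at that address are assumptions; the 227 line is constructed.

```python
import re
# Constructed example: an inside FTP server 192.168.0.30 published by a one-to-one
# static as 65.65.65.65 (addresses from the thread; the FTP server is an assumption).
STATIC_LOCAL_TO_GLOBAL = {"192.168.0.30": "65.65.65.65"}
PASV_RE = re.compile(rb"(227 [^(]*\()(\d+,\d+,\d+,\d+)(,(\d+),(\d+)\))")

def parse_pasv(line):
    """Return (ip, port) advertised by a '227 Entering Passive Mode' reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    ip = m.group(2).decode().replace(",", ".")
    return ip, int(m.group(4)) * 256 + int(m.group(5))

def fixup_pasv(line, static_map=STATIC_LOCAL_TO_GLOBAL):
    """Mimic 'fixup protocol ftp 21' on the control channel: when the server advertises
    an inside address that a one-to-one static translates, rewrite it to the outside
    address so the client connects to the translated IP. The port stays as advertised,
    since a one-to-one static does not change it."""
    m = PASV_RE.search(line)
    if not m:
        return line                                   # not a PASV reply
    ip = m.group(2).decode().replace(",", ".")
    if ip not in static_map:
        return line                                   # nothing to translate
    outside = static_map[ip].replace(".", ",").encode()
    return line[:m.start(2)] + outside + line[m.end(2):]
```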

Author Comment

by:andreacadia
ID: 16968761
I use

static (inside,outside) <pub_ip> <priv_ip> dns netmask.....

I still cannot resolve the internal web server by FQDN.
 

Expert Comment

by:prashsax
ID: 16969271
Why does www.mycompany.com resolve to the outside address?

You should create a CNAME record with "www" in your internal DNS server and assign the internal IP address of your web server.

Then, www.mycompany.com will resolve to the internal IP address.

As for your outside (public) address, it must be handled by the DNS server of your ISP.

You must have purchased your domain name from some third party. So the authoritative name server for your domain on the internet will be the DNS server of the service provider.

If you have created a DNS entry in your internal DNS server, you can safely remove it, unless your internal DNS server is also serving DNS requests from outside.
 

Expert Comment

by:Cyclops3590
ID: 16969315
Can you give your config (at least the static and fixup sections, anyway)?  Also, what version of OS are you running?
when you run
nslookup <server fqdn>
on the client in question what IP does it give, the public one?

also, after you did the static entry did you do
clear xlate
 

Author Comment

by:andreacadia
ID: 16969569
nslookup returns our ISP's DNS server.  OS = Windows XP / Server 2003

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound_traffic permit tcp any interface outside eq 3389
access-list inbound_traffic permit tcp any interface outside eq 8800
access-list inbound_traffic permit tcp any interface outside eq 8801
access-list inbound_traffic permit tcp any interface outside eq 8802
access-list inbound_traffic permit tcp any interface outside eq 6881
access-list inbound_traffic permit icmp any any echo-reply
access-list inbound_traffic permit icmp any any
access-list inbound_traffic permit icmp any any echo
access-list inbound_traffic permit icmp any any time-exceeded
access-list inbound_traffic permit ip any host 65.65.65.65
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.66.66.66.66
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
.
.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.0.30 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8800 192.168.0.252 8800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8801 192.168.0.253 8801 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8802 192.168.0.230 8802 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.0.30 6881 netmask 255.255.255.255 0 0
static (inside,outside) 65.65.65.65 192.168.0.151 dns netmask 255.255.255.255 0 0
access-group inbound_traffic in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxx 1
.
.
.
.
.
: end
xxxxxxxxx#
 

Expert Comment

by:Cyclops3590
ID: 16969637
on the client do
ipconfig /flushdns
then
nslookup <server fqdn>
again, just to make sure it wasn't grabbing that from cache.
 

Author Comment

by:andreacadia
ID: 16969758
After the clear xlate I am able to resolve the web server.