Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance
Estimated Time: 20 minutes
Number of Team Members: Two teams with four students per team
Objective
In this lab exercise, students will complete the following tasks:
• Display the fixup protocol configurations
• Change the fixup protocol configurations
• Test the outbound File Transfer Protocol (FTP) fixup protocol
• Test the inbound FTP fixup protocol
• Set the fixup protocols to the default settings
Scenario
Some applications embed addressing information in the application data stream and negotiate
dynamically chosen Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port
numbers or IP addresses for secondary connections. A filter that looks only at packet headers
cannot know which of these secondary connections are legitimate, so application-aware inspection,
called fixup on the PIX Security Appliance, must be performed. The fixup tracks the command and
response sequence on the control connection, opens a pinhole only for the specific data connection
that was negotiated, and translates the embedded addresses when NAT is in use, so that only proper
and expected traffic is allowed through the firewall. The fixup function also lets a network
administrator configure the specific ports on which each application is inspected. In this lab,
students will configure and test fixup for FTP.
1 - 7 Fundamentals of Network Security v 1.1 - Lab 12.1.7 Copyright 2003, Cisco Systems, Inc.
Topology
This figure illustrates the lab network environment.
Preparation
Begin with the standard lab topology and verify the standard configuration on the pod PIX Security
Appliances. Access the PIX Security Appliance console port using the terminal emulator on the
student PC. If desired, save the PIX Security Appliance configuration to a text file for later analysis.
Tools and resources
In order to complete the lab, the standard lab topology is required:
• Two pod PIX Security Appliances
• Two student PCs
• One SuperServer
• Backbone switch and one backbone router
• Two console cables
• HyperTerminal
Additional materials
Further information about the objectives covered in this lab can be found at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/fixup.pdf
Additional information on configuring firewalls can be found in "Cisco Secure PIX Firewall" by David
Chapman and Andy Fox (ISBN 1587050358).
Command list
In this lab exercise, the following commands will be used. Refer to this list if assistance or help is
needed during the lab exercise.
Command                Description
clear fixup            Resets all fixup protocol command statements to their default values.
fixup protocol         Modifies the PIX Security Appliance protocol fixups to add, delete, or change
                       the inspected services and their default ports. Configuration mode.
no fixup protocol      Deletes the PIX Security Appliance protocol fixup for the named service.
show fixup protocol    Displays the port values configured for the individual protocol specified.
Step 1 List the Fixup Protocols
Complete the following step and enter the command as directed to see the current configurations of
the PIX Security Appliance:
a. List the fixup protocols that are running on the PIX Security Appliance:
PixP(config)# show fixup protocol
1. Complete the table with the ports assigned to the fixup protocols:
Protocol      Port(s)
ftp           __________
http          __________
h323 h225     __________
h323 ras      __________
ils           __________
rsh           __________
rtsp          __________
smtp          __________
sqlnet        __________
sip           __________
skinny        __________
Step 2 Disable the Fixup Protocols
Complete the following steps and enter the commands as directed to change some of the current
configurations of the PIX Security Appliance:
a. Disable the following fixup protocols:
PixP(config)# no fixup protocol http 80
PixP(config)# no fixup protocol smtp 25
PixP(config)# no fixup protocol h323 h225 1720
PixP(config)# no fixup protocol sqlnet 1521
b. Define a range of ports for SQL*Net connections:
PixP(config)# fixup protocol sqlnet 66-76
c. Verify the fixup protocol settings using the show fixup protocol command:
PixP(config)# show fixup protocol
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
no fixup protocol smtp 25
no fixup protocol h323 h225 1720
fixup protocol sqlnet 66-76
Step 3 Test the Outbound FTP Fixup Protocol
Complete the following steps and enter the commands as directed to test the outbound FTP fixup
protocol:
a. Enable console logging on the PIX Security Appliance:
PixP(config)# logging console debug
PixP(config)# logging on
b. FTP to the backbone server from the student PC using the Windows FTP client:
C:\> ftp 172.26.26.50
User (172.26.26.50:(none)): anonymous
Password: user@
c. Do a directory listing at the FTP prompt:
ftp> dir
2. What logging messages were generated on the PIX Security Appliance console?
_____________________________________________________________________________
d. Quit the FTP session:
ftp> quit
e. Turn off the FTP fixup protocol on the PIX Security Appliance:
PixP(config)# no fixup protocol ftp
f. Again, FTP to the backbone server from the student PC using the Windows FTP client:
C:\> ftp 172.26.26.50
User (172.26.26.50:(none)): anonymous
Password: user@
3. Was logging into the server successful? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
g. Do a directory listing at the FTP prompt:
ftp> dir
4. Was the file listing displayed? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
h. Quit the FTP session:
ftp> quit
i. If the FTP client has stopped, press Ctrl + C to break back to the C:\ prompt or close the
command prompt window.
j. FTP to the backbone server from the student PC using the web browser. To do this, enter the
following in the URL field:
ftp://172.26.26.50
5. Was the connection successful? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
6. Was the file listing available? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
k. Close the web browser.
Step 4 Test the Inbound FTP Fixup Protocol
Complete the following steps and enter the commands as directed to test the inbound FTP fixup
protocol:
a. Re-enable the FTP fixup protocol on the PIX Security Appliance:
PixP(config)# fixup protocol ftp 21
b. FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the
following in the URL field:
ftp://192.168.Q.11
(where Q = peer pod)
The instructor assigns the peer pod number.
7. What logging messages were generated on the PIX Security Appliance console?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
c. Close the web browser.
d. Turn off the FTP fixup protocol on the PIX Security Appliance:
PixP(config)# no fixup protocol ftp
e. FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the
following in the URL field:
ftp://192.168.Q.11
(where Q = peer pod)
The instructor assigns the peer pod number.
8. Was the connection to the peer pod inside FTP server successful? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
9. Was the file listing available? Why or why not?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
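The results of Steps 3 and 4 follow from the mechanism described in the Scenario: the control channel on port 21 is an ordinary connection, but the data channel is negotiated inside it (a PORT command in active mode, a 227 reply in passive mode) and lands on a port the firewall cannot know in advance. The following Python model is an added example, not code from this lab or from Cisco. It approximates the PIX default policy (new outbound connections permitted, new inbound connections denied unless a static/conduit or a fixup-opened pinhole matches) and the FTP fixup's parsing of PORT and 227. The addresses, the 10.0.1.0/24 inside network, the data-channel port numbers, the single static for port 21 on the bastion host, and the check that an embedded address matches the connection endpoint are all constructed assumptions of the model; translation of embedded addresses, which the real fixup also performs, is left out.

```python
# Added example: a toy model of the PIX FTP fixup and default policy. Not Cisco code;
# addresses, ports and the inside network below are constructed for the illustration.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_RE = re.compile(r"PORT\s+([\d,]+)")                        # client announces active-mode endpoint
PASV_RE = re.compile(r"227 .*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)")    # server announces passive-mode endpoint

def decode_hostport(text: str) -> Tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' (RFC 959) -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in text.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass
class Pix:
    """Default policy: new TCP from inside (higher security) out is permitted; new TCP
    from outside in is denied unless a static/conduit exposes (dst, port) or the fixup
    opened a one-shot pinhole for a data channel it saw negotiated on the control channel."""
    ftp_fixup: bool = True
    inside_net: ipaddress.IPv4Network = ipaddress.ip_network("10.0.1.0/24")  # constructed
    statics: Set[Tuple[str, int]] = field(default_factory=set)
    pinholes: Set[Flow] = field(default_factory=set)

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside_net

    def allow_new_tcp(self, flow: Flow) -> bool:
        if flow in self.pinholes:
            self.pinholes.discard(flow)          # consumed by the first matching SYN
            return True
        if self._inside(flow.src) and not self._inside(flow.dst):
            return True                          # outbound is always permitted
        return (flow.dst, flow.dport) in self.statics

    def inspect_ftp_control(self, client: str, server: str, line: str) -> Optional[str]:
        """Inspect one line of an established port-21 control channel. Returns a drop
        reason, or None when the line passes (possibly after opening a pinhole)."""
        if not self.ftp_fixup:
            return None                          # no inspection: the data channel is on its own
        if m := PORT_RE.match(line):
            ip, port = decode_hostport(m.group(1))
            if ip != client:                     # FTP bounce: data must terminate at the client
                return f"PORT address {ip} is not the client"
            self.pinholes.add(Flow(src=server, dst=ip, dport=port))   # active: server connects in
        elif m := PASV_RE.match(line):
            ip, port = decode_hostport(m.group(1))
            if ip != server:
                return f"227 address {ip} is not the server"
            self.pinholes.add(Flow(src=client, dst=ip, dport=port))   # passive: client connects out
        return None

def ftp_session(pix: Pix, client: str, server: str, passive: bool) -> Dict[str, bool]:
    """Simulate the lab's two observable stages: login (control) and dir (data)."""
    result = {"login": False, "listing": False}
    if not pix.allow_new_tcp(Flow(client, server, 21)):
        return result
    result["login"] = True
    if passive:   # browser-style client: server picks a port, client connects to it
        pix.inspect_ftp_control(client, server, f"227 Entering Passive Mode ({encode_hostport(server, 2048)})")
        data = Flow(client, server, 2048)
    else:         # Windows ftp.exe style: client picks a port, server connects back to it
        pix.inspect_ftp_control(client, server, f"PORT {encode_hostport(client, 1025)}")
        data = Flow(server, client, 1025)
    result["listing"] = pix.allow_new_tcp(data)
    return result

# Constructed stand-ins for the lab hosts: inside PC, backbone server, the bastion host's
# static (outside) address, and a client behind the peer pod's PIX.
PC, BACKBONE, BASTION, PEER_PC = "10.0.1.12", "172.26.26.50", "192.168.1.11", "192.168.2.12"

def step3_outbound() -> Dict[str, Dict[str, bool]]:
    return {
        "fixup on, active client": ftp_session(Pix(ftp_fixup=True), PC, BACKBONE, passive=False),
        "fixup off, active client": ftp_session(Pix(ftp_fixup=False), PC, BACKBONE, passive=False),
        "fixup off, passive client": ftp_session(Pix(ftp_fixup=False), PC, BACKBONE, passive=True),
    }

def step4_inbound() -> Dict[str, Dict[str, bool]]:
    only_port_21 = {(BASTION, 21)}                # static + conduit for FTP control only
    return {
        "fixup on, passive client": ftp_session(Pix(True, statics=only_port_21), PEER_PC, BASTION, True),
        "fixup off, passive client": ftp_session(Pix(False, statics=only_port_21), PEER_PC, BASTION, True),
    }

if __name__ == "__main__":
    for name, r in {**step3_outbound(), **step4_inbound()}.items():
        print(f"{name:27}  login={r['login']}  listing={r['listing']}")
```

Running it shows the pattern the lab asks about: with the fixup off, the active-mode command-line client still logs in (the control channel is an ordinary outbound connection) but gets no listing, because the server's connection back to the client's data port is an inbound connection nothing permits; a passive-mode client still gets the listing outbound, because the data connection is itself outbound; and the inbound passive session to the bastion host logs in but fails on the listing, because only port 21 is exposed by the static and no pinhole was opened for the port in the 227 reply. The model also drops a PORT command that names a third host, the classic FTP bounce, which is the kind of consistency check an inspection engine applies to the addresses it extracts.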
Step 5 Set All Fixups to the Factory Default
Complete the following steps and enter the commands as directed to set all fixups to the factory
default:
a. Set all fixup protocols to the factory defaults:
PixP(config)# clear fixup
b. Verify the fixup protocol settings:
PixP(config)# show fixup protocol
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000