Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance 

Estimated Time: 20 minutes 

Number of Team Members: Two teams with four students per team 

Objective 

In this lab exercise, students will complete the following tasks: 

•  Display the fixup protocol configurations 
•  Change the fixup protocol configurations 
•  Test the outbound File Transfer Protocol (FTP) fixup protocol 
•  Test the inbound FTP fixup protocol 
•  Set the fixup protocols to the default settings 

Scenario 

Some applications embed addressing information in the application data stream and negotiate 
randomly chosen Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers 
or IP addresses. A filter that looks only at packet headers cannot know which port such a data 
connection will use, so application-aware inspection, called fixup on the PIX, must be performed: 
the fixup engine parses the control channel and permits only the specific connection the 
application actually negotiated, rather than leaving a range of ports open. The fixup function on a 
PIX Security Appliance also lets a network administrator configure the ports on which the various 
applications are inspected. In this lab, students will configure fixup for FTP. 

1 - 7  Fundamentals of Network Security v 1.1 - Lab 12.1.7  Copyright © 2003, Cisco Systems, Inc.

 

Topology 

This figure illustrates the lab network environment. 

 

Preparation 

Begin with the standard lab topology and verify the standard configuration on the pod PIX Security 
Appliances. Access the PIX Security Appliance console port using the terminal emulator on the 
student PC. If desired, save the PIX Security Appliance configuration to a text file for later analysis. 

Tools and resources 

In order to complete the lab, the standard lab topology is required: 

•  Two pod PIX Security Appliances 
•  Two student PCs 
•  One SuperServer 
•  Backbone switch and one backbone router 
•  Two console cables 
•  HyperTerminal 

Additional materials 

Further information about the objectives covered in this lab can be found at: 

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/fixup.pdf

Additional information on configuring firewalls can be found in "Cisco Secure PIX Firewall" by David 
Chapman and Andy Fox (ISBN 1587050358). 

Command list 

In this lab exercise, the following commands will be used. Refer to this list if assistance or help is 
needed during the lab exercise. 


Command                 Description 

clear fixup             Resets fixup protocol command statements to their default values. 

fixup protocol          Modifies PIX Security Appliance protocol fixups to add, delete, or change 
                        services and feature defaults. Configuration mode. 

no fixup protocol       Deletes the PIX Security Appliance protocol fixup for a service. 

show fixup protocol     Displays the port values for the individual protocol specified (all fixups 
                        when no protocol is given). 

Step 1 List the Fixup Protocols

 

Complete the following step and enter the command as directed to see the current configurations of 
the PIX Security Appliance: 

a.  List the fixup protocols that are running on the PIX Security Appliance: 

PixP(config)# show fixup protocol 

1.  Complete the table with the ports assigned to the fixup protocols: 

Fixup protocol      Port(s) 
ftp                 __________ 
http                __________ 
h323 h225           __________ 
h323 ras            __________ 
ils                 __________ 
rsh                 __________ 
rtsp                __________ 
smtp                __________ 
sqlnet              __________ 
sip                 __________ 
skinny              __________ 


Step 2 Disable the Fixup Protocols 

Complete the following steps and enter the commands as directed to change some of the current 
configurations of the PIX Security Appliance: 

a.  Disable the following fixup protocols: 

PixP(config)# no fixup protocol http 80 

PixP(config)# no fixup protocol smtp 25 

PixP(config)# no fixup protocol h323 h225 1720 

PixP(config)# no fixup protocol sqlnet 1521 

b.  Define a range of ports for SQL*Net connections: 

PixP(config)# fixup protocol sqlnet 66-76 

c.  Verify the fixup protocol settings using the show fixup protocol command: 

PixP(config)# show fixup protocol 
fixup protocol ftp 21 
fixup protocol h323 ras 1718-1719 
fixup protocol ils 389 
fixup protocol rsh 514 
fixup protocol rtsp 554 
fixup protocol sip 5060 
fixup protocol skinny 2000 
no fixup protocol http 80 
no fixup protocol smtp 25 
no fixup protocol h323 h225 1720 
fixup protocol sqlnet 66-76 

Step 3 Test the Outbound FTP Fixup Protocol 

Complete the following steps and enter the commands as directed to test the outbound FTP fixup 
protocol: 

a.  Enable console logging on the PIX Security Appliance: 

PixP(config)# logging console debug 

PixP(config)# logging on 

b.  FTP to the backbone server from the student PC using the Windows FTP client: 

C:\> ftp 172.26.26.50 

User (172.26.26.50:(none)): anonymous 

Password: user@ 

c.  Do a directory listing at the FTP prompt: 

ftp> dir 

2.  What logging messages were generated on the PIX Security Appliance console?  

_____________________________________________________________________________

 

 


d.  Quit the FTP session: 

ftp> quit 

e.  Turn off the FTP fixup protocol on the PIX Security Appliance: 

PixP(config)# no fixup protocol ftp 

f.  Again, FTP to the backbone server from the student PC using the Windows FTP client: 

C:\> ftp 172.26.26.50 

User (172.26.26.50:(none)): anonymous 

Password: user@ 

3.  Was logging into the server successful? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

 

g.  Do a directory listing at the FTP prompt: 

ftp> dir 

4.  Was the file listing displayed? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

h.  Quit the FTP session: 

ftp> quit 

i.  If the FTP client has stopped responding, press Ctrl + C to break back to the C:\ prompt, or 
close the command prompt window. 

j.  FTP to the backbone server from the student PC using the web browser. To do this, enter the 
following in the URL field: 

ftp://172.26.26.50 

5.  Was the connection successful? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

 

6.  Was the file listing available? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

k.  Close the web browser. 


Step 4 Test the Inbound FTP Fixup Protocol

 

Complete the following steps and enter the commands as directed to test the inbound FTP fixup 
protocol: 

a.  Re-enable the FTP fixup protocol on the PIX Security Appliance: 

PixP(config)# fixup protocol ftp 21 

b.  FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the 
following in the URL field: 

ftp://192.168.Q.11 

(where Q = peer pod; the instructor assigns the peer pod number) 

7.  What logging messages were generated on the PIX Security Appliance console?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

c.  Close the web browser. 

d.  Turn off the FTP fixup protocol on the PIX Security Appliance: 

PixP(config)# no fixup protocol ftp 

e.  FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the 
following in the URL field: 

ftp://192.168.Q.11 

(where Q = peer pod; the instructor assigns the peer pod number) 

8.  Was the connection to the peer pod inside FTP server successful? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________

 

9.  Was the file listing available? Why or why not?  

_____________________________________________________________________________

 

_____________________________________________________________________________

 

_____________________________________________________________________________
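The results observed in Steps 3 and 4 follow from how FTP negotiates its data connection, which the Scenario section describes in general terms. The following Python script is an added example and is not part of the Cisco lab or of any PIX software: it parses constructed FTP control-channel exchanges (not captures from the lab network), decodes the PORT command and the 227 reply to PASV exactly as RFC 959 encodes them, and checks the resulting data-channel SYN against a simplified policy (inside to outside permitted; outside to inside only to tcp/21 or through a pinhole learned from the control channel). The inside range 10.0.0.0/8, the client and server addresses, and the single inbound tcp/21 exception are assumptions. The script ignores NAT, whereas the real FTP fixup also rewrites the address embedded in PORT and 227 when a translation applies.

```python
"""Why FTP needs application-aware inspection ("fixup").

Added example (not code from the Cisco lab): parses constructed FTP control
channel exchanges, decodes PORT (active mode) and the 227 reply to PASV
(passive mode) per RFC 959, and shows which data-channel SYN a firewall admits
with and without the pinhole inspection would open.  Addresses, the INSIDE
range and the inbound tcp/21 exception are assumptions; NAT is ignored.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed high-security (inside) address space

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataConn:
    initiator: str   # "server" (active mode) or "client" (passive mode)
    dst_ip: str
    dst_port: int


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {fields}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def negotiated_data_conns(control_lines):
    """Walk (side, line) pairs and return the data connections negotiated.
    Only the client may send PORT and only the server may answer 227, so a
    PORT-looking line from the server (or vice versa) is ignored."""
    conns = []
    for side, text in control_lines:
        if side == "C" and (m := PORT_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            conns.append(DataConn("server", ip, port))   # server connects to client
        elif side == "S" and (m := PASV_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            conns.append(DataConn("client", ip, port))   # client connects to server
    return conns


def pinholes(control_lines):
    """What inspection learns: the exact (dst_ip, dst_port) pairs to admit for
    the life of this control session, and nothing else."""
    return {(c.dst_ip, c.dst_port) for c in negotiated_data_conns(control_lines)}


def admit_syn(src_ip, dst_ip, dst_port, holes=frozenset()):
    """Baseline policy plus optional pinholes: inside->outside always allowed;
    outside->inside only to tcp/21 (assumed static for the inbound FTP
    server) or to a pinhole learned from the control channel."""
    src_in, dst_in = ip_address(src_ip) in INSIDE, ip_address(dst_ip) in INSIDE
    if src_in and not dst_in:
        return True
    if not src_in and dst_in and dst_port == 21:
        return True
    return (dst_ip, dst_port) in holes


def data_conn_admitted(control_lines, client_ip, server_ip, fixup):
    """For each negotiated data connection: is its SYN admitted?"""
    holes = pinholes(control_lines) if fixup else frozenset()
    results = []
    for c in negotiated_data_conns(control_lines):
        src = server_ip if c.initiator == "server" else client_ip
        results.append(admit_syn(src, c.dst_ip, c.dst_port, holes))
    return results


# Constructed transcripts (not captures from the lab network).
LOGIN = [("S", "220 FTP server ready"), ("C", "USER anonymous"),
         ("S", "331 Password required"), ("C", "PASS user@"), ("S", "230 Logged in")]
# Step 3, Windows command-line client: active mode, client 10.0.1.11 inside.
ACTIVE_OUTBOUND = LOGIN + [("C", "PORT 10,0,1,11,4,1"),          # listens on :1025
                           ("S", "200 PORT command successful"), ("C", "LIST")]
# Step 3, browser: passive mode to the backbone server 172.26.26.50.
PASSIVE_OUTBOUND = LOGIN + [("C", "PASV"),
                            ("S", "227 Entering Passive Mode (172,26,26,50,200,10)"),
                            ("C", "LIST")]                         # server on :51210
# Step 4, browser from outside (192.168.2.11) to a server inside (10.0.2.11).
PASSIVE_INBOUND = LOGIN + [("C", "PASV"),
                           ("S", "227 Entering Passive Mode (10,0,2,11,195,80)"),
                           ("C", "LIST")]                          # server on :50000

if __name__ == "__main__":
    cases = [("active outbound", ACTIVE_OUTBOUND, "10.0.1.11", "172.26.26.50"),
             ("passive outbound", PASSIVE_OUTBOUND, "10.0.1.11", "172.26.26.50"),
             ("passive inbound", PASSIVE_INBOUND, "192.168.2.11", "10.0.2.11")]
    for name, tx, cli, srv in cases:
        for fixup in (False, True):
            print(f"{name:17} fixup={fixup!s:5} data SYN admitted: "
                  f"{data_conn_admitted(tx, cli, srv, fixup)}")
    # A pinhole is narrow: an unrelated inbound SYN to the client is still dropped.
    print("unrelated inbound SYN:", admit_syn("172.26.26.50", "10.0.1.11", 1026,
                                               pinholes(ACTIVE_OUTBOUND)))
```

Running the script prints one line per transcript and fixup setting. The control channel on tcp/21 is never affected by the fixup; what changes is whether the data channel can be opened. In active mode the server, on the lower-security side, must connect inbound to the client's announced port, which only the pinhole permits. A browser defaults to passive mode, so an outbound session works with or without the fixup, but passive mode to a server behind the PIX turns the data channel into an inbound connection to a random port again. The last line shows the other half of the security point: inspection opens only the one flow that was negotiated, not a port range.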

 

Step 5 Set All Fixups to the Factory Default

 

Complete the following steps and enter the commands as directed to set all fixups to the factory 
default: 

a.  Set all fixup protocols to the factory defaults: 

PixP(config)# clear fixup 

b.  Verify the fixup protocol settings: 

PixP(config)# show fixup protocol 

fixup protocol ftp 21 
fixup protocol http 80 
fixup protocol h323 h225 1720 
fixup protocol h323 ras 1718-1719 
fixup protocol ils 389 
fixup protocol rsh 514 
fixup protocol rtsp 554 
fixup protocol smtp 25 
fixup protocol sqlnet 1521 
fixup protocol sip 5060 
fixup protocol skinny 2000 
