• SIP
• SQL
• Skinny
• RSH
• H.323
• RTSP
• Standard Mode FTP
• Passive Mode FTP
• DNS Guard
• Mail Guard
• Syslog
• SNMP
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-6
Advanced Protocols
pixfirewall (config)#
fixup protocol sip port [-port]
pixfirewall (config)#
fixup protocol sqlnet port [-port]
Standard Mode FTP
• Standard (active) mode FTP uses two channels:
– Client-initiated command connection (TCP).
– Server-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles standard mode FTP as follows:
– It opens a temporary inbound conduit for the data channel (the server connects back to the client).
• For inbound connections, the PIX Firewall handles standard mode FTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens a temporary outbound conduit for the data channel.
Passive Mode FTP
• Passive mode FTP uses two channels:
– Client-initiated command connection (TCP).
– Client-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles passive mode FTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens an outbound port for the data channel.
• For inbound connections, the PIX Firewall opens an inbound port for the data channel.
FTP Fix-Up Configuration
pixfirewall (config)#
fixup protocol ftp [strict] port [-port]
Remote Shell (RSH)
• Remote shell (rsh) uses two channels:
– Client-initiated command connection (TCP).
– Server-initiated standard error connection (TCP).
• For outbound connections, the PIX Firewall opens an inbound port for standard error output.
• For inbound connections, the PIX Firewall handles remote shell as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens the outbound port for standard error output.
pixfirewall (config)#
fixup protocol rsh port [-port]
• Defines ports for rsh connections (default = 514) and dynamically opens a port for rsh standard error connections.
• If disabled:
– Outbound rsh will not work (the server's standard error connection is blocked inbound).
– Inbound rsh will work if a conduit exists.
Skinny (SCCP)
call signaling
• Supported in software versions 6.0 and higher.
• The Skinny fix-up works by dynamically opening pinholes for media sessions and by translating (NAT) the IP addresses embedded in SCCP messages.
• SCCP supports IP telephony and can coexist in an H.323 environment. Application layer inspection ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
• An IP phone and a Cisco CallManager can now be placed on separate sides of the PIX Firewall.
RTSP Fix-Up Configuration
pixfirewall (config)#
fixup protocol rtsp port [-port]
• Cisco IP phones:
pixfirewall (config)#
fragment timeout seconds [interface]
• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.
pixfirewall (config)#
floodguard enable | disable
• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).
pixfirewall(config)#
ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Creates a policy for attack signatures.
pixfirewall(config)#
ip audit interface if_name audit_name
• Applies a policy to an interface.
pixfirewall(config)#
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.
pixfirewall(config)#
shun src_ip [dst_ip sport dport [protocol]]
• Applies a blocking function to an interface under attack: packets from src_ip are dropped dynamically (optionally only those matching dst_ip, sport, dport and protocol) without changing the access lists.
pixfirewall(config)#
logging buffered level
• Sends Syslog messages to an internal buffer.
pixfirewall(config)#
logging message syslog_id
• Enables a specific Syslog message.
pixfirewall(config)#
show logging
• Displays messages from the internal buffer.
pixfirewall(config)#
logging standby
• Allows a standby unit to send Syslog messages.
pixfirewall(config)#
logging on
• Enables logging.
pixfirewall(config)#
logging host [in_if_name] ip_address [protocol/port]
• Designates the Syslog host server.
pixfirewall(config)#
logging trap level
• Sets the severity level of the messages sent to the Syslog host.
Configure Message Output to a Syslog Server (cont.)
pixfirewall(config)#
logging timestamp
• Starts sending timestamped messages (the no form stops them).
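The logging commands above only get the messages to a Syslog host; the value comes from acting on them, and the `shun` command earlier on the page is the PIX-side response. The following added example (not Cisco's code or course material) ties the two together: it parses PIX-style Syslog lines as a collector would receive them, finds sources whose denied connections fan out across several destination ports or hosts, and emits the `shun` commands an operator would paste in. The log lines are constructed for this example; their layout is modelled on message 106023 (`Deny ... by access-group`) and 302013 (`Built inbound TCP connection`), and the threshold, addresses and interface names are assumptions.

```python
"""Added example: turn PIX Syslog denies into shun commands.  Not Cisco code."""
import re
from collections import defaultdict

# Constructed sample of what the Syslog host receives (format modelled on
# messages 106023 and 302013; hosts and interface names are made up).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.0.0.11/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.0.0.11/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:10.0.0.11/25 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40004 dst inside:10.0.0.12/80 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.0.0.11/53 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/5110 (203.0.113.9/5110) to inside:10.0.0.11/443 (10.0.0.11/443)
"""

DENY_RE = re.compile(
    r"%PIX-(?P<sev>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "?(?P<acl>[^"\s]+)"?'
)


def parse_denies(text):
    """Return one dict per 106023 line; every other message ID is ignored."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sev"] = int(d["sev"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        denies.append(d)
    return denies


def scanners(denies, min_targets=3):
    """Sources denied to at least min_targets distinct (dst ip, dst port) pairs.

    Counting distinct targets rather than raw lines separates a port sweep
    from one noisy host retrying the same blocked port.
    """
    targets = defaultdict(set)
    for d in denies:
        targets[d["sip"]].add((d["dip"], d["dport"]))
    return {ip: sorted(t) for ip, t in targets.items() if len(t) >= min_targets}


def shun_commands(hits):
    """One `shun src_ip` per source.  With no dst_ip/sport/dport given, the PIX
    drops every packet from that source, not just the scanned ports."""
    return [f"shun {ip}" for ip in sorted(hits)]


if __name__ == "__main__":
    hits = scanners(parse_denies(SAMPLE_LOG))
    for ip, t in hits.items():
        print(ip, "->", t)
    print("\n".join(shun_commands(hits)))
```

Here 198.51.100.7 is reported (four distinct targets) while 203.0.113.9, which was denied once and then built a legitimate connection, is not. Because `shun` is applied without touching the access lists, treat the output as an incident response step rather than policy: review the active entries with `show shun` and remove them with `no shun src_ip` once the source is dealt with.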
pixfirewall(config)#
snmp-server community key
• Configures the SNMP community string, a shared secret among the NMS and the managed devices.
pixfirewall(config)#
snmp-server enable traps
• Enables sending log messages as SNMP trap notifications.
pixfirewall(config)# logging on
pixfirewall(config)# logging history debugging
pixfirewall(config)# snmp-server host inside 10.0.0.11
pixfirewall(config)# snmp-server community OURCOMMUNITY
pixfirewall(config)# snmp-server enable traps
SNMP Through the PIX Firewall