FNS10 Mod12

For review only.
Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights

© 2003,
reserved.
Cisco Systems, Inc. All rights reserved. FNS 1.0—12-11
Module 12
PIX Advanced Protocols and Intrusion Detection
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-2

Learning Objectives
Upon completion of this chapter, you will be able to perform
For review only. Please do not distribute

the following tasks:

• Describe the fixup protocol command.
• Describe the need for advanced protocol handling.
• Describe how the PIX Firewall handles FTP, rsh, and SQL*Net
traffic.
• Configure FTP, rsh, and SQL*Net Fixup protocols.
• Describe the issues with multimedia applications.
• Describe how the PIX Firewall handles RTSP and H.323
multimedia protocols.
• Configure RTSP and H.323 fixup protocols.
• Describe how the PIX Firewall supports call handling sessions
and VoIP call signaling.

Learning Objectives (cont.)
Upon completion of this chapter, you will be able to perform

the following tasks:

• Name, describe, and configure the attack guards in the PIX
Firewall.
• Define intrusion detection.
• Describe signatures.
• Name and identify signature classes supported by the PIX
Firewall.
• Configure the PIX Firewall to use IDS signatures.
• Configure the PIX Firewall to shun.
• Configure the PIX Firewall to send Syslog messages to a Syslog
server.

Overview
This module introduces students to the PIX Firewall

advanced protocol recognition and Intrusion Detection

System (IDS) capabilities. The module begins with
advanced protocol handling, and how it may be tuned to
fit the PIX Firewall operation via a series of fixup
commands. The module moves on to discuss the
advanced protocols used for multimedia support
including real time streaming protocols. Finally, the
methods of intrusion detection are discussed next. The
system of intrusion detection signatures is examined,
and the methods of configuration for PIX Firewalls are
explained.

Key terms
• SIP
• SQL

• Skinny
• RSH
• H.323
• RTSP
• Standard Mode FTP
• Passive Mode FTP
• DNS Guard
• Mail Guard
• Syslog
• SNMP
Advanced Protocols

Need for Advanced Protocol Handling
• Some popular protocols or applications behave as follows:

– Negotiate connections to dynamically assigned source or

destination ports, or IP addresses.
– Embed source or destination port, or IP address information
above the network layer.
• A good firewall has to inspect packets above the network layer
and do the following as required by the protocol or application:
– Securely open and close negotiated ports or IP addresses
for legitimate client-server connections through the firewall.
– Use NAT-relevant instances of IP addresses inside a packet.
– Use PAT-relevant instances of ports inside a packet.
– Inspect packets for signs of malicious application misuse.

fixup Command
pixfirewall (config)# pixfirewall (config)#

fixup protocol ils port [-port] fixup protocol smtp port [-port]


fixup protocol skinny port [-port] fixup protocol h323 [h225 | ras] port [-port]
fixup protocol sip port [-port] fixup protocol sqlnet port [-port]

fixup protocol rsh port [-port] fixup protocol http port [-port]

fixup protocol rtsp port [-port] fixup protocol ftp [strict] port [-port]

show fixup [protocol protocol] no fixup protocol protocol [port[-port]]

Standard Mode FTP
• Standard mode FTP uses two
channels:
– Client-initiated command

connection (TCP).
– Server-initiated data connection
(TCP).
• For outbound connections, the PIX
Firewall handles standard mode
FTP as follows:
– It opens a temporary inbound
conduit for the data channel.
• For inbound connections, the PIX
Firewall handles standard mode
FTP as follows:
– If outbound traffic is allowed, no
special handling is required.
– If outbound traffic is not
allowed, it opens a temporary
outbound conduit for the data
channel.
Passive Mode FTP
• Passive mode FTP uses two
channels:

connection (TCP).
– Client-initiated data connection
(TCP).
Firewall handles passive mode FTP
as follows:
– If outbound traffic is allowed,
no special handling is
required.
allowed, it opens an outbound
port for the data channel.
Firewall opens an inbound port for
the data channel.
FTP Fix-Up Configuration
pixfirewall (config)#
fixup protocol ftp [strict] port [-port]

• Defines ports for FTP connections (default = 21).

• Performs NAT in packet payload.
• Dynamically creates conduits for FTP-DATA connections.
• Logs FTP commands (when Syslog is enabled).
• When disabled:
– Outbound standard FTP will not work.
– Outbound passive FTP will work if not explicitly disallowed.
– Inbound standard FTP will work if conduit exists.
– Inbound passive FTP will not work.
pixfirewall(config)# fixup protocol ftp 2021

pixfirewall(config)# no fixup protocol ftp 21

Remote Shell
• Remote shell uses two channels:

connection (TCP).
– Server-initiated standard error
connection (TCP).
Firewall opens an inbound port for
standard error output.
Firewall handles remote shell as
follows:
no special handling is required.
allowed, it opens the outbound
port for standard error output.

Rsh Fixup Configuration

fixup protocol rsh port [-port]
• Defines ports for rsh connections (default = 514)—
Dynamically opens a port for rsh standard error
connections
• If disabled:
– Outbound rsh will not work.
– Inbound rsh will work if conduit exists.
pixfirewall(config)# fixup protocol rsh 1540

pixfirewall(config)# no fixup protocol rsh

SQL*Net
• Initially the client connects to a

well known port on the server.

• The server may assign another

port or another host to serve the
client.
• For outbound connections, the
PIX Firewall handles SQL*Net
connections as follows:
no special handling is
required.
allowed, it opens an outbound
port for a redirected channel.
Firewall opens an inbound port
for a redirected channel.

SQL*Net Fixup Configuration

fixup protocol sqlnet port [-port]

• Defines ports for SQL*Net connections (default = 1521):
– Performs NAT in packet payload.
– Dynamically opens TCP port redirected client connection.
– Port 1521 is the default port used by Oracle—IANA-compliant
applications use port 66.
• If disabled:
– Outbound SQL*Net is allowed if not explicitly disallowed.
– Inbound SQL*Net is disallowed.
pixfirewall(config)# fixup protocol sqlnet 66

pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet

SIP Fixup Configuration

fixup protocol sip port [-port]

• Enables SIP.
• Default port = 5060.
• Enables the PIX Firewall to support any SIP VoIP
gateways and VoIP proxies.
pixfirewall(config)# fixup protocol sip 5060

• SIP is enabled on port 5060.

Skinny
• Used by Cisco IP phones for VoIP

call signaling
• Supported in software versions 6.0
and higher
• Skinny protocol operates by
dynamically opening pinholes for
media sessions and Network
Address Translation (NAT) that has
embedded IP addresses
• SCCP supports IP telephony and
can coexist in an H.323
environment. An application layer
ensures that all SCCP signaling and
media packets can traverse the PIX
Firewall and interoperate with H.323
terminals.
• IP phone and a Cisco Call Manager
can now be placed on separate
sides of the PIX Firewall.

Skinny Fixup Configuration

fixup protocol skinny port [-port]

• Enables the SCCP (skinny) protocol.
• Dynamically opens pinholes for media sessions and
NAT-embedded IP addresses.
• Supports IP telephony.
• Can coexist in an H.323 environment.
• Default port is 2000.
pixfirewall(config)# fixup protocol skinny 2000

• Skinny is enabled on port 2000.

Multimedia Support

Why Multimedia Is an Issue
• Multimedia applications behave

in unique ways:

– Use dynamic ports.

– Transmit a request using
TCP and get responses in
UDP or TCP.
– Use the same port for
source and destination.
• The PIX Firewall:
– Dynamically opens and
closes conduits for secure
multimedia connections.
– Supports multimedia with or
without NAT.

Real-Time Streaming Protocol
• Real-Time audio and video • RTSP-TCP-only mode does not

delivery protocol uses one TCP require special handling by the

and two UDP channels. PIX Firewall.
• Transport options: • Supported applications:
– Real-Time Transport – Cisco IP/TV.
Protocol (RTP). – Apple QuickTime 4.
– Real Data Transport Protocol
– RealNetworks:
(RDT).
• Sync or resend channel: • RealAudio.
– Real-Time Control Protocol • RealPlayer.
(RTCP). • RealServer .
– UDP resend. • RDT Multicast is not
supported.

Standard RTP Mode
• In standard RTP mode, RTSP uses

the following three channels:

– Control connection (TCP).

– RTP data (simplex UDP).
– RTCP reports (duplex UDP).
Firewall opens inbound ports for
RTP data and RTCP reports.
Firewall handles standard RTP mode
as follows:
– If outbound traffic is allowed, no
special handling is required.
– If outbound traffic is not allowed,
it opens outbound ports for RTP
and RTCP.

RealNetworks’ RDT Mode
• In RealNetworks’ RDT mode, RTSP uses the

following three channels:

– Control connection (TCP).

– UDP data (simplex UDP).
– UDP resend (simplex UDP).
• For outbound connections, the PIX Firewall
handles RealNetworks’ RDT mode as
follows:
– If outbound traffic is allowed, it opens
an inbound port for UDP data.
– If outbound traffic is not allowed, it
opens an inbound port for UDP data
and an outbound port for UDP resend.
• For inbound connections, the PIX Firewall
handles RealNetworks’ RDT mode as
follows:
– If outbound traffic is allowed, it opens
an inbound port for UDP resend.
– If outbound traffic is not allowed, it
opens an outbound port for UDP data
and an inbound port for UDP resend.
RTSP Fixup Configuration
fixup protocol rtsp port [-port]

• Defines ports for RTSP connections:

– No RTSP fixup is enabled by default (RFC2326 port is
554).
– RTSP dynamically opens UDP connections as required
by the RTSP transport.
– PAT and dual NAT are not currently supported.
• If disabled:
– UDP transport modes are disallowed.
– TCP transport modes are allowed (TCP connection
rules apply).
pixfirewall(config)# fixup protocol rtsp 554

pixfirewall(config)# no fixup protocol rtsp
H.323
• Real-time multimedia • Supported H.323 versions:

communications delivery – H.323 v1.

specification uses two TCP and

several UDP sessions for a – H.323 v2 (software versions
single “call”. 5.2 and higher).
• H.323 protocols and standards: • Supported applications:
– H.225—Registration, – Cisco Multimedia
Admission, and Status Conference Manager.
(RAS). – Microsoft NetMeeting.
– H.225—Call Signaling. – Intel Video Phone.
– H.245—Control Signaling. – CUseeMe Networks:
– TPKT Header. • MeetingPoint.
– Q.931 Messages. • CUseeMe Pro.
– Abstract Syntax Notation – VocalTec:
(ASN.1) (PIX Firewall 5.2).
• Internet Phone.
• Gatekeeper.
Configuring H.323 Fixup

fixup protocol h323 [h255 | ras] port [-port]

• Defines ports for H.323 connections (default = 1720).
• Performs NAT in H.323 messages as required.
• Dynamically opens TCP and UDP connections as required.
• Supports PAT.
• If disabled, H.323 applications are disallowed.
pixfirewall(config)# fixup protocol h323 1720

pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323

Cisco IP Phones and the PIX
Firewall’s DHCP Server
• Cisco IP phones:

– Download their configurations from a TFTP server.

– Request an IP address and the IP address of a TFTP
server from a DHCP server.
• The PIX Firewall:
– Supports DHCP option 150 for providing the IP
addresses of a list of TFTP servers.
– Supports DHCP option 66 for providing the IP address
of a single TFTP server.

Attack Guards

Mail Guard
• Provides a safe conduit for Simple
Mail Transfer Protocol (SMTP)

•
The following are the

connections from the outside to an commands allowed for a
inside e-mail server mail server:
• Enables administrators to deploy a – HELO
mail server within the internal – MAIL
network, without it being exposed to – RCPT
known security problems that exist – DATA
within some mail server – RSET
implementations – NOOP
– QUIT
• Only the SMTP commands specified
in RFC 821 section 4.5.1 are allowed
to a mail server
• By default, the Cisco Secure PIX
Firewall inspects port 25 connections
for SMTP traffic
• SMTP servers using ports other than
port 25 must use the fixup protocol
smtp command

Mail Guard

fixup protocol smtp port [-port]

• Defines ports on which to activate Mail Guard (default = 25)—Only
allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT,
DATA, RSET, NOOP, and QUIT.
• If disabled, all SMTP commands are allowed through the firewall—
Potential mail server vulnerabilities are exposed.
pixfirewall(config)# fixup protocol smtp 2525

pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

DNS Guard
• DNS Guard is always on.

• After the client does a DNS

request, a dynamic conduit
allows UDP packets to
return from the DNS server.
The default UDP timer
expires in two minutes.
• The DNS server response is
recognized by the firewall,
which closes the dynamic
UDP conduit immediately.
The PIX Firewall does not
wait for the UDP timer to
expire.

FragGuard and Virtual Re-assembly
The FragGuard and Virtual Re-assembly feature

has the following characteristics:

• Is on by default.
• Verifies each fragment set for integrity and completeness.
• Tags each fragment in a fragment set with the transport
header.
• Performs full reassembly of all ICMP error messages and
virtual reassembly of the remaining IP fragments that are
routed through the PIX Firewall.
• Uses Syslog to log fragment overlapping and small
fragment offset anomalies.

fragment Command
fragment size database-limit [interface]

• Sets the maximum number of packets in the fragment

database.
fragment chain chain-limit [interface]
• Specifies the maximum number of packets into which
a full IP packet can be fragmented.
fragment timeout seconds [interface]
• Specifies the maximum number of seconds that the
PIX Firewall waits before discarding a packet that is
waiting to be reassembled.
pixfirewall(config)# fragment size 1

pixfirewall(config)# fragment chain 1
AAA Flood Guard

floodguard enable | disable
• Reclaims attacked or overused AAA resources
to help prevent DoS attacks on AAA services
(default = enabled).
pixfirewall(config)# floodguard enable

SYN Flood Attack

• The attacker spoofs a

nonexistent source IP address
and floods the
target with SYN packets.
• The target responds to the SYN
packets by sending SYN-ACK
packets to the spoofed hosts.
• The target overflows its port
buffer with embryonic
connections and stops
responding to legitimate
requests.

SYN Flood Guard Configuration
static [(prenat_interface, postnat_interface)]

mapped_address | interface real_address [dns][netmask

mask][norandomseq][connection_limit [em_limit]]
• For inbound connections:
– Use the em_limit to limit the number of embryonic connections.
– Set the limit to a number lower than the server can handle.
nat [(if-name)]id address [netmask [outside] [dns]
[norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
• For outbound connections:
– Use the em_limit to limit the number of embryonic connections.
– Set the limit to a number lower than the server can handle.
pixfirewall(config)# nat (inside) 1 0 0 0 10000

pixfirewall(config)# static (inside,outside) 192.168.0.11
172.16.0.2 0 1000
TCP Intercept

pixfirewall(config)# static (inside,outside) 192.168.0.10

10.0.0.11 netmask 255.255.255.255 1000 100

Intrusion Detection

Intrusion Detection

• Ability to detect attacks

against networks
• Three types of network
attacks:
– Reconnaissance
– Access
– Denial of service

Signatures

A signature is a set of rules pertaining to typical intrusion

activity that, when matched, generates a unique response.
The following signature classes are supported by the PIX
Firewall:
• Informational—Triggers on normal network activity that in
itself is not considered to be malicious, but can be used to
determine the validity of an attack or for forensic purposes.
• Attack—Triggers on an activity known to be, or that could
lead to, unauthorized data retrieval, system access, or
privileged escalation.
Intrusion Detection in the PIX Firewall


Configure IDS
pixfirewall(config)#
ip audit name audit_name info [action [alarm] [drop] [reset]]

• Creates a policy for informational signatures.
ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Creates a policy for attack signatures.
ip audit interface if_name audit_name
• Applies a policy to an interface.
pixfirewall(config)# ip audit name ATTACKPOLICY attack action

alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
• When the PIX Firewall detects an attack signature on its outside interface, it reports
an event to all configured Syslog servers, drops the offending packet, and closes the
connection if it is part of an active connection.
Specify Default
Actions for Signatures

ip audit attack [action [alarm] [drop] [reset]]

• Specifies the default actions for attack signatures.
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.
pixfirewall(config)# ip audit info action alarm drop

• When the PIX Firewall detects an info signature, it reports an
event to all configured Syslog servers and drops the offending
packet.

Disable Intrusion
Detection Signatures

ip audit signature signature_number

disable
• Excludes a signature from auditing.
pixfirewall(config)# ip audit signature

6102 disable
• Disables signature 6102.

Shunning

shun Command

shun src_ip [dst_ip sport dport [protocol]]
• Applies a blocking function to an interface under attack.
pixfirewall(config)# shun 172.26.26.45

• No further traffic from 172.26.26.45 is allowed.

Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45

192.168.0.10 4000 53

Syslog Configuration

Configure Syslog Output
to a Syslog Server


Syslog Messages

The PIX Firewall sends Syslog

messages to document the
following events:
• Security
• Resources
• System
• Accounting

Configure Message Output
to the PIX Firewall Buffer
pixfirewall(config)# pixfirewall(config)#

logging on clear logging

• Enables logging. • Clears the internal buffer.
logging buffered level logging message syslog_id
• Sends Syslog messages to an • Enables a specific Syslog message.
internal buffer.
show logging logging standby
• Displays messages from the • Allows a standby unit to send Syslog
internal buffer. messages.

to a Syslog Server
logging on

• Enables logging.
logging host [in_if_name]
ip_address [protocol/port]
• Designates the Syslog host server.
logging trap level
• Sets the logging level.
to a Syslog Server (cont.)

logging facility facility

• Sets the facility marked on all
messages.
logging timestamp
• Starts and stops sending
timestamped messages.

SNMP

SNMP Overview
• SNMP facilitates the exchange of
management information between network
devices

• Devices managed by SNMP send information

to a management server from which an
administrator manages and monitors the
device
• SNMP can be used to monitor system events
on the PIX Firewall.
• For security reasons, information on the PIX
Firewall cannot be changed with SNMP.
• SNTP can be enabled through the PIX Firewall
so that any device can be managed and
monitored by a management server on a PIX
Firewall interface other than that on which it
resides.
• SNMP is a request and response protocol. The
following SNMP operations rely on
Management Information Bases (MIBs)

MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and

Cisco Process MIB provide the following PIX Firewall
information through SNMP:
• Buffer use from the show block command.
• Connection count from the show conn command.
• CPU use through the show cpu usage command.
• Failover status.
• Memory use from the show memory command.

SNMP to the PIX Firewall
snmp-server host [if_name] ip_addr [trap | poll]

• Identifies the management station.
snmp-server community key
• Configures the SNMP community string, a shared secret among the NMS and
the managed devices.
snmp-server enable traps
• Enables sending log messages as SNMP trap notifications.
pixfirewall(config)# logging on
pixfirewall(config)# logging history debugging
pixfirewall(config)# snmp-server host inside 10.0.0.11
pixfirewall(config)# snmp-server community OURCOMMUNITY
pixfirewall(config)# snmp-server enable traps
SNMP Through the PIX Firewall

pixfirewall(config)# static pixfirewall(config)# static

(inside,outside) 192.168.0.10 (inside,outside) 192.168.0.10
10.0.0.11 netmask 255.255.255.255 10.0.0.11 netmask 255.255.255.255
pixfirewall(config)# access-list TRAPSIN pixfirewall(config)# access-list POLLIN
permit udp host 192.168.0.19 host permit udp host 192.168.0.19 host
192.168.0.10 eq snmptrap 192.168.0.10 eq snmp
pixfirewall(config)# access-group TRAPSIN pixfirewall(config)# access-group POLLIN
in interface outside in interface outside

Summary

Summary

• The fixup command enables you to view, change, enable, or

disable the use of a service or protocol.
• The PIX Firewall uses special handling for the following
advanced protocols: FTP, rsh, and SQL*Net.
• The PIX Firewall handles the following multimedia protocols:
RTSP and H.323.
• The PIX Firewall’s SIP fixup supports call handling sessions.
• The PIX Firewall’s skinny fixup supports VoIP call signaling.
• You can change the port value for each protocol including the
multimedia protocols; however, you should not change the port
values for rsh and SIP.

Summary (cont.)
• The PIX Firewall has the following attack guards to

help protect systems from malicious attacks: Mail

Guard, DNS Guard, Fragmentation Guard, AAA Flood
Guard, and SYN Flood Defender.
• PIX Firewall software versions 5.2 and higher
support intrusion detection.
• Intrusion detection is the ability to detect attacks
against a network, including the following:
reconnaissance, access, and DoS.
• The PIX Firewall supports signature-based intrusion
detection.

Summary (cont.)

• Each signature can generate a unique alarm and

response.
• Informational signatures collect information to help
determine the validity of an attack, or for forensics.
• Attack signatures trigger on an activity known to be, or
that could lead to, unauthorized data retrieval, system
access, or privileged escalation.
• The PIX Firewall can be configured to shun source
address of attacking hosts.
• The PIX Firewall can send Syslog messages to a Syslog
server.

© 2003, Cisco Systems, Inc. All rights reserved. 64

FNS10 Mod12

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FNS10 Mod12

Uploaded by

Copyright:

Available Formats

For review only.

Please do not distribute

© 2003, Cisco Systems, Inc. All rights

PIX Advanced Protocols and Intrusion Detection

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-2

Upon completion of this chapter, you will be able to perform

For review only. Please do not distribute

the following tasks:

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-3

Upon completion of this chapter, you will be able to perform

For review only. Please do not distribute

the following tasks:

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-4

This module introduces students to the PIX Firewall

For review only. Please do not distribute

advanced protocol recognition and Intrusion Detection

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-5

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-7

• Some popular protocols or applications behave as follows:

For review only. Please do not distribute

– Negotiate connections to dynamically assigned source or

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-8

pixfirewall (config)# pixfirewall (config)#

For review only. Please do not distribute

pixfirewall (config)# pixfirewall (config)#

pixfirewall (config)# pixfirewall (config)#

pixfirewall (config)# pixfirewall (config)#

pixfirewall (config)# pixfirewall (config)#

pixfirewall (config)# pixfirewall (config)#

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-9

For review only. Please do not distribute

For review only. Please do not distribute

For review only. Please do not distribute

• Defines ports for FTP connections (default = 21).

pixfirewall(config)# fixup protocol ftp 2021

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-12

• Remote shell uses two channels:

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-13

For review only. Please do not distribute

pixfirewall(config)# fixup protocol rsh 1540

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-14

• Initially the client connects to a

For review only. Please do not distribute

• The server may assign another

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-15

For review only. Please do not distribute

fixup protocol sqlnet port [-port]

pixfirewall(config)# fixup protocol sqlnet 66

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-16

For review only. Please do not distribute

fixup protocol sip port [-port]

pixfirewall(config)# fixup protocol sip 5060

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-17

• Used by Cisco IP phones for VoIP

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-18

For review only. Please do not distribute

fixup protocol skinny port [-port]

pixfirewall(config)# fixup protocol skinny 2000

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-19