topic Re: pix fixup protocol in Network Security

pix fixup protocol

lcaruso — Mon, 11 Mar 2019 19:51:16 GMT

Hi,

I only have experience with ASAs and only recent code at that. I have a PIX506 running 6.3(4) that I will replace with an ASA.

Can please tell me what these fixup statements do (do they just turn a protocol on)?

fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

Also what is pdm (forerunner of ASDM)?

pdm location 192.168.253.0 255.255.255.0 inside
pdm location 192.168.254.1 255.255.255.255 inside
pdm location 192.168.254.4 255.255.255.255 inside
pdm logging informational 100
pdm history enable

Also what is floodguard?

floodguard enable

Also what does this sysopt statment do?

sysopt connection permit-ips

Re: pix fixup protocol

Jennifer Halim — Wed, 16 Feb 2011 03:27:03 GMT

1) Fixup is the old way of configuring inspection. With ASA, all the fixup is replaced with MPF (Modular Policy Framework) - ie: policy map with class map and "inspect".

2) PDM is the old version of ASDM

3) Here is explaination on floodguard:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/df.html#wp1029632

And "floodguard" has been deprecated in ASA.

4) "sysopt connection permit-ipsec" is the same as the current command on ASA. I think you are missing the last 2 letters in that command.

Here is a migration from PIX to ASA guide that might help:

http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html

Hope that answers your questions.

Re: pix fixup protocol

lcaruso — Wed, 16 Feb 2011 03:30:41 GMT

Thanks Jennifer--I appreciate your help!

Re: pix fixup protocol

lcaruso — Wed, 16 Feb 2011 03:33:50 GMT

One last question if I may be so lucky...it seems everything is here for site-to-site vpn execpt a peer address.

I see the remote vpn statements, but it also looks like someone may have wanted to setup a site-to-site tunnel but didn't complete the configuration.

Have I interpreted this correctly, or is there a complete config for a site-to-site tunnel in there? Thanks.

crypto ipsec transform-set clientname esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set clientname
crypto map clientname_map 10 ipsec-isakmp dynamic dynmap
crypto map clientname_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 211offsite address-pool VPNpool
vpngroup 211offsite dns-server 192.168.254.9 192.168.254.8
vpngroup 211offsite wins-server 192.168.254.254
vpngroup 211offsite default-domain clientname.local
vpngroup 211offsite split-tunnel VPNClient
vpngroup 211offsite idle-time 1800
vpngroup 211offsite password ********

Re: pix fixup protocol

lcaruso — Wed, 16 Feb 2011 03:35:55 GMT

Well it must have been a long day and it's getting late again...

Re: pix fixup protocol

Jennifer Halim — Wed, 16 Feb 2011 03:45:06 GMT

Actually, there is no site-to-site configuration at all.

There is only 1 crypto map sequence (seq 10) --> crypto map clientname_map 10 ipsec-isakmp dynamic dynmap

and it's for dynamic map, therefore for remote VPN Client.

All the vpngroup commands are for VPN Client, that needs to be migrated to tunnel-group and group-policy accordingly.

Re: pix fixup protocol

lcaruso — Wed, 16 Feb 2011 03:47:57 GMT

thanks ...very late

Re: pix fixup protocol

lcaruso — Wed, 16 Feb 2011 03:52:15 GMT

appreciate the links!

Re: pix fixup protocol

Jennifer Halim — Wed, 16 Feb 2011 03:53:56 GMT

Cheers, all the best with the migration..