02-07-2007 12:18 PM - edited 03-11-2019 02:30 AM
On our PIX515 6.2(4) we had to do "no fixup protocol ftp 21" to prevent our ftps from hanging. How can we do the equivalent command in the ASA 7.2(1)? I've seen posts about the "inspect ftp" in the global policy, and other posts about modular policy control, but I'm just not sure how to do the equivalent of the "no fixup". Does anyone know? Does the default "FTP MODE PASSIVE" affect this?
02-07-2007 12:21 PM
With PIX 7.2(1), just type "no fixup protocol ftp 21" and it will work for you. The command is backward compatible.
02-07-2007 12:28 PM
Thank you. I tried to enter the command but received:
# no fixup protocol ftp 21
WARNING: 'no fixup ...' command not processed because no global policy-map is enabled
I thought the default global policy-map was automatically in the config, much like the default fixup statements were in the config for the PIX. Am I mistaken?
02-07-2007 12:24 PM
try "no inspect ftp"
policy-map global_policy
class inspection_default
no inspect ftp
02-07-2007 12:30 PM
I get:
ERROR: % class-map inspection_default not configured
02-07-2007 12:33 PM
CiscoPix# sh ver
Cisco PIX Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/pix722.bin"
Config file at boot was "startup-config"
CiscoPix up 2 days 3 hours
Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10
1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11
2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: xxxxxxx
Running Activation Key: 0xxxxxxxx0 0xxxxxx 0xxxxxx 0xbxxxxxx
Configuration last modified by enable_15 at 02:28:16.627 UTC Wed Feb 7 2007
CiscoPix# conf t
CiscoPix(config)# no fixup protocol ftp 21
CiscoPix(config)#
David
CCIE Security
02-07-2007 01:11 PM
Here's mine:
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
Ciscoasa up 43 mins 27 secs
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0019.5517.aaaa, irq 9
1: Ext: Ethernet0/1 : address is 0019.5517.bbbb, irq 9
2: Ext: Ethernet0/2 : address is 0019.5517.cccc, irq 9
3: Ext: Ethernet0/3 : address is 0019.5517.dddd, irq 9
4: Ext: Management0/0 : address is 0019.5517.eeee, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has an ASA 5510 Security Plus license.
Serial Number: xxxxxxxxxx
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Ciscoasa# conf t
Ciscoasa(config)# no fixup protocol ftp 21
WARNING: 'no fixup ...' command not processed because no global policy-map is enabled
No matching protocol-port pair found, fixup not removed
02-08-2007 06:47 AM
I'm guessing that the global-policy is not defined by default, like the fixup protocol statements are. I know they don't show up in the 'wr t/sh conf' but I thought something was still there. So, should I be okay with the FTP? If I have problems, and changing 'ftp mode passive' to 'ftp mode active' doesn't fix the problem, should I try adding the 'inspect ftp' or is there something else that might be the problem? One of the PIX devices that we're replacing with an ASA5510 has VoIP traffic flowing through it. I've seen posts about the need for the fixup/inspect for h323 in order for it to work. Should I implement the global policy with the inspect statements for h323, or wait and see if it's a problem? What errors or symptoms on the ASA should I be looking for? Thanks,
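As an added example (not any poster's configuration) covering both the "no inspect ftp" suggestion and the closing question about H.323: the default Modular Policy Framework objects that ASA 7.2 expects, assuming a stock inspection list, followed by the 7.x equivalent of "no fixup protocol ftp 21".

```cisco
! Added example: the ASA 7.2 default global service policy, built explicitly.
! Without the class-map and policy-map below, "no inspect ftp" fails with
! "class-map inspection_default not configured" and "no fixup" prints the
! "no global policy-map is enabled" warning seen in this thread.
!
! 1. Class that matches the default inspection ports (tcp/21 for FTP,
!    tcp/1720 and udp/1719 for H.323, tcp/2000 for Skinny, etc.)
class-map inspection_default
 match default-inspection-traffic
!
! 2. DNS parameter map used by the stock 7.2 policy
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! 3. Global policy with the stock 7.2 inspection list; trim it to what the
!    network actually carries (h323/sip/skinny are the ones VoIP needs)
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
! 4. Attaching the policy to all interfaces is what "enables" the global policy-map
service-policy global_policy global
!
! 5. The 7.x equivalent of "no fixup protocol ftp 21": remove only FTP
!    inspection, leaving the H.323/SIP/Skinny inspection in place
policy-map global_policy
 class inspection_default
  no inspect ftp
!
! 6. Verify: "Inspect: ftp" should no longer appear for the global policy
show running-config policy-map global_policy
show service-policy global
```

Note that "ftp mode passive" only governs the appliance's own FTP client (copy ftp:), not the inspection engine, so it has no bearing on transit FTP sessions. Once "inspect ftp" is removed the firewall no longer opens the FTP data connection dynamically, so active-mode transfers from inside clients need an explicit ACL for the inbound data connection or must switch to passive mode.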