© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the need for advanced protocol handling.
– Describe the fixup protocol command.
– Describe how the PIX Firewall handles FTP, RSH, and SQL*Net traffic.
– Configure FTP, RSH, and SQL*Net fixup protocols.
– Describe the issues with multimedia applications.
– Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols.
– Configure RTSP and H.323 fixup protocols.
– Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.
Advanced Protocols
Need for Advanced Protocol Handling
Some popular protocols or applications behave as follows:
– Negotiate connections to dynamically assigned source or destination ports or to IP addresses.
– Embed source or destination port or IP address information above the network layer.
A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
– Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
– Use NAT-relevant instances of IP addresses inside a packet.
– Use PAT-relevant instances of ports inside a packet.
– Inspect packets for signs of malicious application misuse.
fixup Command
Figure: active mode FTP through the PIX Firewall without and with the FTP protocol fixup. The client (control port 2008, data port 2010) opens the control connection to server port 21 (TCP S/21-C/2008) and sends "Port 2010"; the server answers "OK" and opens the data connection from its data port 20. Without the FTP protocol fixup there is no return port for the data (TCP S/20-???? is blocked). With the FTP protocol fixup, the PIX Firewall opens the return port for the data (TCP S/20-C/2010).
DNS Fixup
Figure: a client sends a DNS request (UDP A/1050 -> B/53) to a DNS server and receives the response.
The DNS fixup monitors all UDP transactions on port 53:
– Tracks the DNS request ID and opens a connection slot.
– Closes the connection slot immediately after the answer is received.
– Optionally, performs translation of embedded IP addresses:
  - Prior to version 6.2: alias command
  - Version 6.2 or later: DNS record translation
DNS Doctoring with the alias Command
pix1(config)# nat (inside)
pix1(config)# global (outside) netmask
pix1(config)# static (inside,outside)
pix1(config)# access-list all permit tcp any host eq www
pix1(config)# alias (inside)
Figure: the student PC asks the DNS server "Who is cisco.com?"; the reply "cisco.com=" crosses the PIX Firewall, which rewrites the embedded address so that the host and the DNS server see different values, and the student PC then connects to the web server.
DNS Record Translation
pix1(config)# nat (inside) dns
pix1(config)# global (outside) netmask
pix1(config)# static (inside,outside) dns
pix1(config)# access-list all permit tcp any host eq www
Figure: the web client asks the DNS server "Who is cisco.com?"; the reply "cisco.com=" crosses the PIX Firewall, which translates the embedded address so that the host and the DNS server see different values, and the client then connects to the web server.
Active Mode FTP
Active mode FTP uses two channels:
– Client-initiated command connection (TCP)
– Server-initiated data connection (TCP)
For outbound connections, the PIX Firewall handles active mode FTP by opening a temporary inbound channel for the data.
For inbound connections, if an FTP ACL exists, the PIX Firewall handles active mode FTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens a temporary outbound connection for the data.
Figure: outbound and inbound active mode FTP exchanges. The client uses control port 2008 and data port 2010; the server uses control port 21 and data port 20. The client sends "Data - Port 2010", the server replies "Port 2010 OK" and sends the data from port 20.
Passive Mode FTP
PFTP uses two channels:
– Client-initiated command connection (TCP)
– Client-initiated data connection (TCP)
For outbound connections, the PIX Firewall handles PFTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens an outbound port for the data channel.
For inbound connections, if an FTP ACL exists, the PIX Firewall opens an inbound port for the data channel.
Figure: outbound and inbound PFTP exchanges. The client (control port 2008, data port 2010) sends "Passive?" on the control connection to server port 21; the server replies "OK port 1490" and the client opens the data connection to server data port 1490.
FTP Fixup Configuration
Use FTP fixup to change port numbers (default = 21).
When FTP fixup is disabled:
– Outbound active mode FTP will not work.
– Inbound active mode FTP will work if an ACL exists.
– Outbound PFTP will work if not explicitly disallowed.
– Inbound PFTP will not work.
pixfirewall(config)# fixup protocol ftp [strict] port [-port]
pixfirewall(config)# fixup protocol ftp
Figure: outbound PFTP ("Passive?", "OK port 1490", data) and inbound active mode FTP ("Port 2010", "OK", data) with the fixup in place.
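The active mode PORT command and passive mode 227 reply described on the preceding slides, as an added Python example that is not part of the original course material: a simplified model of what the FTP fixup derives from each control-channel line (the data-channel connection slot to open and the NAT-relevant embedded address to rewrite). The strict check, which refuses an embedded address that does not belong to the peer that sent it, is an assumption about the strict option, and the sample lines, addresses and translation table are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed sample control-channel lines (not from the original slides):
# an active mode PORT command from the client and a passive mode 227 reply.
SAMPLE_PORT = "PORT 10,0,1,11,7,218"                            # 7*256+218 = 2010
SAMPLE_PASV = "227 Entering Passive Mode (172,26,26,50,5,210)"  # 5*256+210 = 1490

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 decimals of RFC 959 into (ip, port)."""
    ip = str(IPv4Address(".".join(groups[:4])))   # rejects malformed octets
    return ip, int(groups[4]) * 256 + int(groups[5])

def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting a PORT command."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"

def ftp_pinhole(line, client_ip, server_ip, strict=False):
    """Model the FTP fixup: inspect one control-channel line and return the
    data-channel connection slot to open, or None if the line needs none."""
    m = PORT_RE.match(line)
    if m:                                       # active mode: server -> client
        ip, port = decode_hostport(m.groups())
        if strict and ip != client_ip:          # assumed strict-mode check
            raise ValueError("PORT address does not belong to the client")
        return {"initiator": "server", "src": server_ip, "src_port": 20,
                "dst": ip, "dst_port": port}
    m = PASV_RE.match(line)
    if m:                                       # passive mode: client -> server
        ip, port = decode_hostport(m.groups())
        if strict and ip != server_ip:          # assumed strict-mode check
            raise ValueError("227 address does not belong to the server")
        return {"initiator": "client", "src": client_ip,
                "dst": ip, "dst_port": port}
    return None

def nat_rewrite_port(line, xlate):
    """Rewrite the NAT-relevant IP embedded in a PORT command, using a
    constructed {inside_ip: global_ip} table standing in for the xlate."""
    m = PORT_RE.match(line)
    if not m:
        return line
    ip, port = decode_hostport(m.groups())
    return "PORT " + encode_hostport(xlate.get(ip, ip), port)
```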
Remote Shell
RSH uses two channels:
– Client-initiated command connection (TCP)
– Server-initiated standard error connection (TCP)
For outbound connections, the PIX Firewall opens an inbound port for standard error output.
For inbound connections, if an RSH ACL exists, the PIX Firewall handles RSH as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens the outbound port for standard error output.
Figure: outbound and inbound RSH exchanges. The client sends a connection request naming port 2010, the server replies "OK", and the server opens the standard error output connection back to the client (port 1490 in the outbound case).
RSH Fixup Configuration
Defines ports for RSH connections (default = 514). Dynamically opens a port for RSH standard error connections.
If RSH fixup is disabled:
– Inbound RSH will work if an ACL exists.
– Outbound RSH will not work.
pixfirewall(config)# fixup protocol rsh port [-port]
pixfirewall(config)# fixup protocol rsh 1540
Figure: the outbound and inbound RSH exchanges from the previous slide.
SQL*Net
Initially the client connects to a well-known port on the server:
– Oracle uses port 1521.
– IANA-compliant applications use port 66.
The server may assign another port or another host to serve the client.
For outbound connections, the PIX Firewall handles SQL*Net connections as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens an outbound port for a redirected channel.
For inbound connections, if an ACL exists, the PIX Firewall opens an inbound port for a redirected channel.
Figure: outbound and inbound SQL*Net exchanges. The client sends a TCP connection request; the server answers "Redirect port = 1030"; the first TCP connection is torn down and the client sends a new TCP connection request to the redirected port.
SQL*Net Fixup Configuration
Defines ports for SQL*Net connections (default = 1521):
– Use the fixup command to change the port number.
– Oracle uses port 1521; IANA-compliant applications use port 66.
If disabled:
– Outbound SQL*Net is allowed if not explicitly disallowed.
– Inbound SQL*Net is disallowed.
pixfirewall(config)# fixup protocol sqlnet port [-port]
pixfirewall(config)# fixup protocol sqlnet 66
Figure: the outbound and inbound SQL*Net redirect exchanges from the previous slide (connection request, "Redirect port = 1030", tear down, new connection request).
Multimedia Support
Why Multimedia Is an Issue
Multimedia applications behave in unique ways:
– Use dynamic ports
– Transmit a request using TCP and get responses in UDP or TCP
– Use the same port for source and destination
The PIX Firewall:
– Dynamically opens and closes ports for secure multimedia connections
– Supports multimedia with or without NAT
Figure: a TCP or UDP request crosses the PIX Firewall, and additional UDP or TCP high ports may be opened for the responses.
Real-Time Streaming Protocol
Real-time audio and video delivery protocol; uses one TCP and two UDP channels.
Transport options:
– RTP
– RDT
Sync or resend channel:
– RTCP
– UDP resend
RTSP TCP-only mode does not require special handling by the PIX Firewall.
Supported applications:
– Cisco IP/TV
– Apple QuickTime 4
– RealNetworks: RealAudio, RealPlayer, RealServer (RDT multicast not supported)
Standard RTP Mode
In standard RTP mode, RTP uses three channels:
– Control connection (TCP)
– RTP data (simplex UDP)
– RTCP reports (duplex UDP)
For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports.
For inbound connections, if an ACL exists, the PIX Firewall handles standard RTP mode as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.
Figure: outbound and inbound standard RTP mode exchanges. A TCP control connection carries "Setup transport = rtp/avp/udp"; UDP RTP data then flows from the server, and UDP RTCP reports flow in both directions.
RealNetworks RDT Mode
In RealNetworks RDT mode, RTSP uses three channels:
– Control connection (TCP)
– UDP data (simplex UDP)
– UDP resend (simplex UDP)
For outbound connections, the PIX Firewall handles RealNetworks RDT mode as follows:
– If outbound traffic is allowed, it opens an inbound port for UDP data.
– If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
For inbound connections, if an ACL exists, the PIX Firewall handles RealNetworks RDT mode as follows:
– If outbound traffic is allowed, it opens an inbound port for UDP resend.
– If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.
Figure: outbound and inbound RDT mode exchanges. A TCP control connection carries "Setup transport = x-real-rdt/udp"; UDP data flows from the server to the client and UDP resend from the client to the server.
RTSP Fixup Configuration
By default, the PIX Firewall inspects RTSP connections. RTSP dynamically opens UDP connections as required.
If disabled:
– UDP transport modes are disallowed.
– TCP transport modes are allowed (TCP connection rules apply).
pixfirewall(config)# fixup protocol rtsp port [-port]
pixfirewall(config)# fixup protocol rtsp
Figure: the outbound and inbound RDT mode exchanges from the previous slide.
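The two UDP transport modes from the RTSP slides (standard RTP with rtp/avp/udp and RealNetworks RDT with x-real-rdt/udp) and the TCP-only mode that needs no special handling, as an added Python example that is not from the original course material: it parses a constructed RTSP Transport header and returns the UDP connection slots the fixup would have to open in each direction. The parameter names client_port, server_port and interleaved follow RTSP; the RDT header line and all addresses are constructed.

```python
# Constructed sample Transport headers (not from the original slides). The
# server's SETUP reply echoes the client's line and adds server_port.
SAMPLE_RTP = "RTP/AVP/UDP;unicast;client_port=4588-4589;server_port=6256-6257"
SAMPLE_RDT = "x-real-rdt/udp;client_port=6970;server_port=7070;mode=play"
SAMPLE_TCP = "RTP/AVP/TCP;unicast;interleaved=0-1"

def parse_transport(header):
    """Split an RTSP Transport header into (profile, {param: value})."""
    spec, *params = header.split(";")
    kv = {}
    for p in params:
        key, _, val = p.partition("=")          # bare tokens such as "unicast"
        kv[key.strip().lower()] = val.strip()   # get an empty value
    return spec.strip().lower(), kv

def port_range(value):
    """'4588-4589' -> (4588, 4589); a single port fills both slots."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)

def rtsp_pinholes(header, client_ip, server_ip):
    """Model the RTSP fixup: return the UDP connection slots to open for a
    negotiated SETUP as (proto, src_ip, src_port, dst_ip, dst_port, role).
    A server port of 0 means the reply has not named one yet (any port)."""
    spec, kv = parse_transport(header)
    if spec.endswith("/tcp"):
        return []                               # TCP-only mode: nothing to open
    if "client_port" not in kv:
        raise ValueError("client_port missing from Transport header")
    c_lo, c_hi = port_range(kv["client_port"])
    s_lo, s_hi = port_range(kv.get("server_port", "0"))
    holes = []
    if spec.startswith("rtp/avp"):
        # standard RTP mode: RTP data simplex server -> client, RTCP duplex
        holes.append(("udp", server_ip, s_lo, client_ip, c_lo, "rtp data"))
        holes.append(("udp", server_ip, s_hi, client_ip, c_hi, "rtcp"))
        holes.append(("udp", client_ip, c_hi, server_ip, s_hi, "rtcp"))
    elif spec == "x-real-rdt/udp":
        # RDT mode: UDP data server -> client, UDP resend client -> server
        holes.append(("udp", server_ip, s_lo, client_ip, c_lo, "rdt data"))
        holes.append(("udp", client_ip, c_lo, server_ip, s_lo, "rdt resend"))
    else:
        raise ValueError(f"unsupported transport {spec}")
    return holes
```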
H.323 Fixup Configuration
Defines ports for H.323 connections (default = 1720).
H.323:
– Uses a signaling channel (H.225/Q.931)
– Negotiates endpoint capabilities (H.245)
– Opens dynamic media sessions (RTP/RTCP)
If disabled, H.323 applications are disallowed.
pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]
pixfirewall(config)# fixup protocol h
Figure: a client and a gatekeeper exchange H.225 call signaling and H.245 capabilities through the PIX Firewall, followed by RTP sessions and an RTCP session.
SIP Fixup Configuration
Enables SIP (default port = 5060).
Enables the PIX Firewall to support any SIP VoIP gateways and VoIP proxies:
– Signaling mechanism (SIP)
– Multimedia (RTP/RTCP)
pixfirewall(config)# fixup protocol sip port [-port]
pixfirewall(config)# fixup protocol sip 5060
Figure: an outbound call between two IP phones: SIP signaling, then RTP and RTCP, through the PIX Firewall.
SCCP Fixup Configuration
Supports the SCCP protocol used by Cisco IP Phones.
Enables SCCP signaling and media packets to traverse the PIX Firewall (default port 2000).
Dynamically opens negotiated ports for media sessions.
Can coexist in an H.323 environment.
pixfirewall(config)# fixup protocol skinny port [-port]
pixfirewall(config)# fixup protocol skinny 2000
Figure: an IP phone behind a PIX Firewall 501 (SOHO) signals to the Call Manager (phone to Call Manager, Call Manager to phone), with RTP and RTCP media sessions.
CTIQBE Fixup Configuration
Supports the CTIQBE protocol used by Cisco IP SoftPhones for desktop or laptop PC applications, such as collaboration.
Enables signaling and media packets to traverse the PIX Firewall (default port 2748).
Dynamically opens negotiated ports for media sessions.
Support is disabled by default.
pixfirewall(config)# fixup protocol ctiqbe 2748
Figure: a SoftPhone behind a PIX Firewall 501 (SOHO) signals to the Call Manager (phone to Call Manager, Call Manager to phone), with RTP and RTCP media sessions.
MGCP Fixup Configuration
Inspects messages passing between Call Agents and media gateways:
– Port 2427, on which the gateway receives commands
– Port 2727, on which the Call Agent receives commands
Dynamically opens negotiated ports for media sessions.
Disabled by default.
pixfirewall(config)# fixup protocol mgcp port [-port]
pixfirewall(config)# fixup protocol mgcp 2427
pixfirewall(config)# fixup protocol mgcp 2727
Figure: a Call Agent and a media gateway exchange MGCP commands (Call Agent to gateway, gateway to Call Agent) through the PIX Firewall, with RTP and RTCP media sessions.
Summary
The fixup command enables you to view, change, enable, or disable the use of a service or protocol.
The PIX Firewall uses special handling for some advanced protocols: FTP, RSH, and SQL*Net.
The PIX Firewall handles multimedia protocols such as RTSP, RTP, SCCP, SIP, MGCP, H.323, and so on.
The PIX Firewall SIP fixup supports call handling sessions.
The PIX Firewall SCCP fixup supports VoIP call signaling.
You can change the port value for each protocol, including the multimedia protocols; however, you should not change the port values for RSH and SIP.
Lab Exercise
Lab Visual Objective
Figure: lab topology diagram for pods P (pods 1–5) and Q (pods 6–), each with a student PC, a PIX Firewall, a Web/FTP server and a CSACS server (local address 10.0.P.11 for pod P), connected through the RBB to the "bastionhost" Web/FTP servers and an outside Web/FTP server.