The Fixup Protocol

The Fixup protocol does exactly what a set of MPF commands do. It adds the stateful inspection feature for the specified protocol to the default-inspection-traffic class map referenced in the global_policy policy map. So instead of typing all the MPF commands you only need to type the fixup protocol command followed by the name of the ‘protocol’ to enable application inspection for that protocol. Below is an example which shows how ICMP inspection is added to the global_policy with the fixup command and the regular MPF commands.

ciscoasa(config)# fixup protocol icmp
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class default-inspection-class
ciscoasa(config-pmap-c)# inspect icmp

It also gives you an option to change the default port number for the protocol to be inspected. In the below example, HTTP inspection will be applied to any traffic destined for port number 8080 instead of the default port number of 80.

ciscoasa(config)# fixup protocol http 8080

Note: It ONLY modifies the default global_policy! If you have other policy maps applied to different interfaces, you will need to follow the MPF structure.

If you’re in for a read, the Cisco Documentation has pretty much everything you need to know about this protocol.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s