The Adaptive Security Algorithm (ASA), used by the PIX Firewall for stateful application inspection, ensures the secure use of applications and services. Some applications require special handling by the PIX Firewall application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. | CHAPTER 4 Configuring Application Inspection Fixup This chapter describes how to use and configure application inspection which is often called fixup because you use the fixup command to configure it. This chapter includes the following sections How Application Inspection Works Using the fixup Command Basic Internet Protocols Voice Over IP Multimedia Applications Database and Directory Support Management Protocols How Application Inspection Works The Adaptive Security Algorithm ASA used by the PIX Firewall for stateful application inspection ensures the secure use of applications and services. Some applications require special handling by the PIX Firewall application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. The application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions identifies the dynamic port assignments and permits data exchange on these ports for the duration of the specific session. As illustrated in Figure 4-1 ASA uses three databases for its basic operation Access control lists ACLs Used for authentication and authorization of connections based on specific networks hosts and services TCP UDP port numbers . Inspections Contains a static pre-defined set of application-level inspection functions. Connections XLATE and CONN tables Maintains state and other information
