Fixups were the features on a PIX firewall that inspected application protocols. They have been replaced with application inspections, or inspects for short. While fixups were much easier to configure, inspects follow a more IOS-like method of implementation in that they are embedded into a global service policy. It might look difficult, but it doesn’t need to be.
Inspects are used to enable complex protocols, such as FTP, that have multiple streams. They are also used to make protocols more secure. For example, the SMTP inspect limits the commands that can be run through the ASA within the SMTP protocol.
To illustrate one of the common application inspections, I’ve
connected through an ASA to a mail server using Telnet. This ASA is not
running the SMTP fixup, which you should rarely see in the wild, as it
is enabled by default. When I issue the SMTP command
EHLO someserver, I get a
list of information regarding the capabilities of the mail server:
telnet mail.myserver.net 25Trying 10.10.10.10... Connected to mail.myserver.net. Escape character is '^]'.
220 mail.myserver.net ESMTP Postfix
This information is not necessary for the successful transfer of
email messages, and could be useful to a hacker. For example, a hacker
could try to pull email messages off the server using the
ETRN deque command. The
SMTP inspect intercepts and disables the