The fixup protocol command does exactly what a set of MPF (Modular Policy Framework) commands does: it adds stateful inspection for the specified protocol to the default-inspection-traffic class map referenced in the global_policy policy map. So instead of typing all the MPF commands, you only need to type fixup protocol followed by the name of the protocol to enable application inspection for that protocol. The example below shows how ICMP inspection is added to global_policy with the fixup command and with the regular MPF commands.
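```
ciscoasa(config)# fixup protocol icmp
! OR, with the regular MPF commands
! (inspection_default is the default class map, which matches default-inspection-traffic):
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
```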
The fixup command also gives you the option to change the default port number for the protocol being inspected. In the example below, HTTP inspection is applied to traffic destined for port 8080 instead of the default port 80.
```
ciscoasa(config)# fixup protocol http 8080
```
Note: It ONLY modifies the default global_policy! If you have other policy maps applied to different interfaces, you will need to follow the MPF structure.
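The MPF structure the note refers to, as an added example that is not from the original post: HTTP inspection on port 8080 applied to a single interface instead of global_policy. The class-map name `http_8080`, the policy-map name `outside_policy` and the interface name `outside` are assumptions chosen for illustration.

```cisco
! Added example; names below are hypothetical.
! 1. Class map: select the traffic to inspect (TCP destined for port 8080).
class-map http_8080
 match port tcp eq 8080
!
! 2. Policy map: attach the inspection action to that class.
policy-map outside_policy
 class http_8080
  inspect http
!
! 3. Service policy: bind the policy map to one interface
!    (global_policy stays bound with "service-policy global_policy global").
service-policy outside_policy interface outside
!
! Verify that the inspection is attached and counting packets:
! show service-policy interface outside
```

An interface accepts only one service policy, so if `outside` already has a policy map applied, add the class to that policy map rather than creating a second one.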
If you’re in for a read, the Cisco Documentation has pretty much everything you need to know about this protocol.
Source: The Fixup Protocol by