IOS Zone-based HTTP Inspection

Jul 4th, 2008

I am using a 2811 router with 12.4(15)T5 Advanced IP.

When enabling inspection on my HTTP out rule, several common websites do not function properly. This is not a problem on our other 2811 routers not using Zone-Based firewall. One example site that consistently does not work is

I have played around with all the inspection settings, including setting it to allow rather than drop and the site still does not work.

Help is urgently needed.


Gary Herbstman

Byte Solutions

bstiff Fri, 07/11/2008 - 10:38

Did you configure the Zone FW with SDM? I assume that you selected the 'medium' or 'high' security levels, which enabled http app inspection, and applied protocol conformance checking. Unfortunately, some web servers/browsers took a different interpretation of some aspects of the http standards than the IOS Firewall developers. Thus, http protocol conformance checking ends up breaking some specific sites (yahoo mail, for instance). The easiest way to correct the problem is to use the 'low' security firewall. Next easiest is to edit the http inspection policy to remove strict-http application inspection. Post again if you need more details.
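As an added illustration (not configuration from this thread or from the poster's router), the shape of a ZBF HTTP application inspection policy of the kind the SDM 'medium'/'high' profiles generate, followed by the edit that removes only the strict protocol-conformance match while keeping the port-misuse check and logging. Class, policy and zone names here are assumed; the SDM-generated names on a real router will differ.

```cisco
! --- Layer 7 HTTP policy as generated for a 'medium'/'high' profile (assumed names) ---
class-map type inspect http match-any http-strict-class
 match req-resp protocol-violation      ! strict HTTP conformance check: breaks some sites
 match request port-misuse any          ! IM/P2P/tunneling over port 80
!
policy-map type inspect http http-app-policy
 class type inspect http http-strict-class
  reset
  log
!
! --- Layer 4 inspect policy that attaches the HTTP application policy ---
class-map type inspect match-all http-cmap
 match protocol http
!
policy-map type inspect in-to-out-policy
 class type inspect http-cmap
  inspect
  service-policy http http-app-policy
 class class-default
  drop
!
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect in-to-out-policy
!
! --- Fix suggested above: drop only the strict-http conformance match ---
! The port-misuse match, the reset action and logging stay in place,
! so the relaxation is limited to the conformance check that trips
! on sites whose servers interpret the HTTP standard differently.
class-map type inspect http match-any http-strict-class
 no match req-resp protocol-violation
!
! Verify the resulting policy and watch the per-class counters
! while loading the failing site.
! show policy-map type inspect zone-pair in-to-out
```

Before removing the match, setting the class action to `allow` with `log` kept shows in the syslog which conformance check a given site trips, so the relaxation can be justified and recorded rather than applied blindly.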

