IOS Zone-based HTTP Inspection

Unanswered Question
Jul 4th, 2008

I am using a 2811 router with 12.4(15)T5 Advanced IP.

When enabling inspection on my HTTP out rule, several common websites do not function properly. This is not a problem on our other 2811 routers not using Zone-Based firewall. One example site that consistently does not work is ft.com.

I have played around with all the inspection settings, including setting it to allow rather than drop and the site still does not work.

Help is urgently needed.

Thanks

Gary Herbstman

Byte Solutions

http://bytesolutions.com

bstiff Fri, 07/11/2008 - 10:38

Did you configure the Zone FW with SDM? I assume that you selected the 'medium' or 'high' security levels, which enabled http app inspection, and applied protocol conformance checking. Unfortunately, some web servers/browsers took a different interpretation of some aspects of the http standards than the IOS Firewall developers. Thus, http protocol conformance checking ends up breaking some specific sites (yahoo mail, for instance). The easiest way to correct the problem is to use the 'low' security firewall. Next easiest is to edit the http inspection policy to remove strict-http application inspection. Post again if you need more details.
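
The configuration shape bstiff is describing, as an added example that is not part of the thread and not SDM output: a Zone-Based Firewall policy with an HTTP application inspection policy attached to the HTTP class (this is what the medium/high SDM levels produce), followed by the two ways of removing the strict protocol-conformance check. All names (INSIDE, OUTSIDE, cmap-http, http-violations, http-policy, in-to-out, the interface names) are assumptions; SDM generates its own sdm-* names, so substitute whatever `show run | section policy-map` shows on the router.

```ios
! Added example, not from the original post. Object names are assumed.
!
! --- Layer 7 HTTP inspection policy (what medium/high security adds) ---
! "match req-resp protocol-violation" is the strict HTTP conformance
! check; it is the match that trips on servers and browsers that read
! the HTTP standard differently from the IOS Firewall developers.
class-map type inspect http match-any http-violations
 match req-resp protocol-violation
 match request port-misuse any
!
policy-map type inspect http http-policy
 class type inspect http http-violations
  reset
  log
!
! --- Layer 3/4 inspect policy that pulls the HTTP policy in ---
class-map type inspect match-any cmap-http
 match protocol http
!
policy-map type inspect in-to-out
 class type inspect cmap-http
  inspect
  service-policy http http-policy
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security in-out source INSIDE destination OUTSIDE
 service-policy type inspect in-to-out
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! --- Fix 1 (the "next easiest" option): detach the HTTP application
! policy from the class. Stateful inspection of HTTP sessions continues;
! the Layer 7 conformance checks stop.
policy-map type inspect in-to-out
 class type inspect cmap-http
  no service-policy http http-policy
!
! --- Fix 2 (narrower): keep the HTTP policy but remove only the
! protocol-violation match, so port-misuse detection keeps working.
class-map type inspect http match-any http-violations
 no match req-resp protocol-violation
!
! --- Verify what is actually applied and watch the reset/drop counters
! while loading the broken site:
!   show zone-pair security
!   show policy-map type inspect zone-pair in-out
```

Apply only one of the two fixes; Fix 1 removes every HTTP Layer 7 check on that class, Fix 2 removes only the conformance check. Before changing anything, run the second show command while reloading ft.com: if the counters under the http-violations class climb as the page fails, the conformance check is the cause, which is the confirmation worth having before loosening the policy.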
