07-04-2008 10:34 AM - edited 03-11-2019 06:09 AM
I am using a 2811 router with 12.4(15)T5 Advanced IP.
When enabling inspection on my HTTP out rule, several common websites do not function properly. This is not a problem on our other 2811 routers not using Zone-Based firewall. One example site that consistently does not work is ft.com.
I have played around with all the inspection settings, including setting it to allow rather than drop and the site still does not work.
Help is urgently needed.
Thanks
Gary Herbstman
Byte Solutions
07-10-2008 09:05 AM
Refer to the following URL for more information on configuring IOS Zone-based HTTP Inspection:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_zone_polcy_firew.html#wp1052111
07-11-2008 10:38 AM
Did you configure the Zone FW with SDM? I assume that you selected the 'medium' or 'high' security levels, which enabled http app inspection, and applied protocol conformance checking. Unfortunately, some web servers/browsers took a different interpretation of some aspects of the http standards than the IOS Firewall developers. Thus, http protocol conformance checking ends up breaking some specific sites (yahoo mail, for instance). The easiest way to correct the problem is to use the 'low' security firewall. Next easiest is to edit the http inspection policy to remove strict-http application inspection. Post again if you need more details.
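The second fix suggested in the reply above, sketched as IOS configuration. This is an added example, not taken from the poster's router or from SDM output: every class-map and policy-map name is hypothetical, and it assumes the conformance check appears as `match req-resp protocol-violation` inside an HTTP application class map that is attached to the HTTP class with `service-policy http`.

```cisco
! Constructed example. All names (HTTP-APP-CHECKS, HTTP-L7-POLICY,
! HTTP-OUT, IN-OUT-POLICY) are hypothetical placeholders.
!
! --- Before: the L7 HTTP policy resets sessions that fail conformance ---
class-map type inspect http match-any HTTP-APP-CHECKS
 match request port-misuse any
 match req-resp protocol-violation
!
policy-map type inspect http HTTP-L7-POLICY
 class type inspect http HTTP-APP-CHECKS
  log
  reset
!
class-map type inspect match-any HTTP-OUT
 match protocol http
!
policy-map type inspect IN-OUT-POLICY
 class type inspect HTTP-OUT
  inspect
  service-policy http HTTP-L7-POLICY
 class class-default
  drop
!
! --- After, option A: drop only the conformance match. ---
! The port-misuse check and stateful inspection stay in place.
class-map type inspect http match-any HTTP-APP-CHECKS
 no match req-resp protocol-violation
!
! --- After, option B: detach the L7 policy from the HTTP class. ---
! Stateful (L4) inspection of HTTP remains; all HTTP application
! checks in HTTP-L7-POLICY stop being applied.
policy-map type inspect IN-OUT-POLICY
 class type inspect HTTP-OUT
  no service-policy http HTTP-L7-POLICY
```

Option A is the narrower change, since it keeps the remaining application checks active. After either change, `show policy-map type inspect zone-pair` shows which classes and actions are applied to the zone pair.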