New Member

IOS Zone-based HTTP Inspection

I am using a 2811 router with 12.4(15)T5 Advanced IP.

When enabling inspection on my HTTP out rule, several common websites do not function properly. This is not a problem on our other 2811 routers not using Zone-Based firewall. One example site that consistently does not work is ft.com.

I have played around with all the inspection settings, including setting it to allow rather than drop and the site still does not work.

Help is urgently needed.

Thanks

Gary Herbstman

Byte Solutions

http://bytesolutions.com

2 REPLIES
Bronze

Re: IOS Zone-based HTTP Inspection

Refer to the following URL for more information on configuring IOS Zone-based HTTP Inspection:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_zone_polcy_firew.html#wp1052111

New Member

Re: IOS Zone-based HTTP Inspection

Did you configure the Zone FW with SDM? I assume that you selected the 'medium' or 'high' security levels, which enabled http app inspection, and applied protocol conformance checking. Unfortunately, some web servers/browsers took a different interpretation of some aspects of the http standards than the IOS Firewall developers. Thus, http protocol conformance checking ends up breaking some specific sites (yahoo mail, for instance). The easiest way to correct the problem is to use the 'low' security firewall. Next easiest is to edit the http inspection policy to remove strict-http application inspection. Post again if you need more details.
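
The change described in the reply above, as an added configuration sketch that is not part of the original thread. All class-map and policy-map names are hypothetical (SDM-generated names on a real router will differ), and it assumes the conformance check appears in the zone-based syntax as `match req-resp protocol-violation`.

```cisco
! Constructed example: every class-map and policy-map name is hypothetical.
!
! Before: HTTP application inspection with protocol conformance checking.
class-map type inspect http match-any HTTP-AIC-CMAP
 match request port-misuse any
 match req-resp protocol-violation
!
policy-map type inspect http HTTP-AIC-PMAP
 class type inspect http HTTP-AIC-CMAP
  log
  reset
!
class-map type inspect match-any HTTP-CMAP
 match protocol http
!
policy-map type inspect IN-OUT-PMAP
 class type inspect HTTP-CMAP
  inspect
  service-policy http HTTP-AIC-PMAP
!
! Option A (narrower change): keep the HTTP application policy and its
! port-misuse checks, but stop matching on protocol violations.
class-map type inspect http match-any HTTP-AIC-CMAP
 no match req-resp protocol-violation
!
! Option B (broader change): detach the HTTP application policy, leaving
! only stateful inspection of HTTP sessions between the zones.
policy-map type inspect IN-OUT-PMAP
 class type inspect HTTP-CMAP
  no service-policy http HTTP-AIC-PMAP
```

Option A gives up less than Option B, since the port-misuse matches stay in force. After either change, `show policy-map type inspect zone-pair` shows which classes are still matching traffic on the zone pair.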
