Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX command - fixup http


Is there any other purpose with the fixup http command besides this;

"Note If there is a no fixup protocol http command statement in the configuration, the filter url command does not work."



Re: PIX command - fixup http


The no fixup protocol http command statement also disables the filter url command.

HTTP inspection performs several functions:

URL logging of GET messages

URL screening via N2H2 or Websense

Java and ActiveX filtering


Filtering ActiveX Objects:

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.

The syntax of the command for filtering ActiveX objects is as follows:

filter activex port local_ip mask foreign_ip mask

This command blocks the HTML commands by commenting them out within the HTML web page. This functionality has been added to the filter command with the activex option.


Filtering Java Applets

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. The syntax of the command for filtering ActiveX objects is as follows:

filter java port[-port] local_ip mask foreign_ip mask

Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.

Kind Regards,