trouble with return HTTP traffic
We have a PIX 515 running 7.0 that I am setting up. It's really a pretty basic installation; for example, we are not using NAT. I've put a network sniffer on the connection between our internal network and the PIX Inside interface, and also on the connection between the PIX Outside interface and our ISP. Outbound HTTP traffic is being passed to the ISP, but the return packets (with correct address, sequence number, and/or ack number) are being blocked by the PIX. So I think I have a problem with the inspection map, or possibly the access list. For the current test, I have a single laptop directly connected to the Inside interface, so routing to the Inside (network) is not an issue. Here are the relevant parts of our configuration:

! for our test, we permit all traffic. Once we
! get this working, we'll ratchet things down
access-list permit_all extended permit ip any any
access-group permit_all in interface outside
access-group permit_all in interface inside
! here is our class map inspection. This is
! just the default setting. I believe this is
! where our problem is.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
! I'm not sure if this is relevant to the issue at hand
! but I'm including it in case it might be
service-policy global_policy global

All that said, I expected there to be an entry in the policy-map to permit HTTP traffic. I thought HTTP was one of the protocols that the PIX is supposed to control with its stateful mechanism. Is this the problem? If so, what do I add to the configuration to pass HTTP? Or are the access-lists we have in place supposed to do this? Thanks in advance for any suggestions.
B Squared
----------------------------------------------------------------------
If the universe is constantly expanding, is wall-to-wall carpet a good investment?
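For comparison with the "permit all" test policy in the post above, here is an added example (not the poster's configuration, and not from the reply) of the tightened policy the poster says they intend to move to, together with the CLI checks that show whether the PIX is tracking the outbound HTTP connections statefully. Interface names inside and outside are taken from the post; the ACL names and the assumption that inside is the higher-security interface are mine.

```cisco
! Added example, not the poster's configuration.
! Assumed: interface "inside" (security 100) and "outside" (security 0).

! Inside ACL: permit only the outbound services the test actually needs.
access-list inside_in extended permit tcp any any eq www
access-list inside_in extended permit tcp any any eq https
access-list inside_in extended permit udp any any eq domain
access-list inside_in extended deny ip any any
access-group inside_in in interface inside

! Outside ACL: no unsolicited inbound traffic. Return packets for a TCP
! connection opened from the inside are matched against the connection
! table before the interface ACL is consulted, so nothing needs to be
! permitted here for the HTTP replies to come back.
access-list outside_in extended deny ip any any
access-group outside_in in interface outside

! Stateful tracking of the TCP connection itself does not depend on an
! "inspect" line. "inspect http" only adds application-layer checks on
! the HTTP payload; add it if those checks are wanted, not to pass replies.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect http
service-policy global_policy global

! Verification while a browser on the inside fetches a page:
!   show conn                  - expect a TCP entry for the inside host
!                                to the web server on port 80
!   show access-list inside_in - hitcnt on the "eq www" line should grow
!   capture web interface outside
!   show capture web           - both directions of the HTTP exchange
!                                should be present on the outside side
```

If `show conn` lists the connection but the reply packets still do not reach the inside sniffer, the connection table is doing its job and the drop is happening elsewhere (software version, as the reply in this thread suggests, being one candidate).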
Re: trouble with return HTTP traffic
In article <vZKdnVkXtuqsHWPeRVn-rw@scnresearch.com>, "B Squared" wrote:

> We have a PIX 515 running 7.0 I am setting up. It's really a pretty
> basic installation, for example, we are not using NAT.
> I've put a network sniffer on the connection between our internal
> network and the PIX Inside interface, and also on the connection between
> the PIX Outside interface and our ISP. Outbound HTTP traffic is being
> passed to the ISP, but the return packets (with correct address,
> sequence number, and/or ack number) are being blocked by the PIX.

You did not happen to mention exactly which 7.0 version you are using. If I recall correctly, someone posted a couple of months ago mentioning an HTTP problem in early versions of 7.0, fixed in later versions.

PIX 7.1(1) is out now, and from the release notes -appears- to be just a major bug-fix release. It isn't indicated in the release notes why they incremented the minor version number instead of just creating a new release number. [My -speculation- is that we will soon see a new hardware model that uses PIX 7.1. But that's definitely just speculation.]