trouble with return HTTP traffic

Discussion in 'Cisco' started by B Squared, Feb 24, 2006.

  1. B Squared

    B Squared Guest

    We have a PIX 515 running 7.0 I am setting up. It's really a pretty
    basic installation, for example, we are not using NAT.

    I've put a network sniffer on the connection between our internal
    network and the PIX Inside interface, and also on the connection between
    the PIX Outside interface and our ISP. Outbound HTTP traffic is being
    passed to the ISP, but the return packets (with correct address,
    sequence number, and/or ack number) are being blocked by the PIX.

    So I think I have a problem with the inspection map, or possibly the
    access list.

    For the current test, I have a single laptop directly connected to the
    Inside interface, so routing to the Inside (network) is not an issue.

    Here are the relevant parts of our configuration:

    ! for our test, we permit all traffic. Once we
    ! get this working, we'll ratchet things down

    access-list permit_all extended permit ip any any

    access-group permit_all in interface outside
    access-group permit_all in interface inside

    ! here is our class map inspection. This is
    ! just the default setting. I believe this is
    ! where our problem is.

    class-map inspection_default
    match default-inspection-traffic

    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp

    ! I'm not sure if this is relevant to the issue at hand
    ! but I'm including it in case it might be

    service-policy global_policy global

    --

    All that said, I expected there to be an entry in the policy-map to
    permit HTTP traffic. I thought HTTP was one of the protocols that
    the PIX is supposed to control with its stateful mechanism. Is this the
    problem? If so, what do I add to the configuration to pass HTTP?

    -- Or are the access-lists we have in place supposed to do this?

    Thanks in advance for any suggestions.

    B Squared
    ----------------------------------------------------------------------
    If the universe is constantly expanding, is wall-to-wall carpet a good
    investment?
    B Squared, Feb 24, 2006
    #1
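    The policy-map quoted in the post is the PIX 7.0 default Modular Policy Framework (MPF) global policy. An `inspect` line in it turns on application-layer inspection for that protocol (protocol conformance checks, and pinholes for secondary channels such as FTP data); it is not what lets reply packets through. Return traffic for a TCP session started from the inside is matched against the connection entry that was created when the SYN went out, before any interface access list is consulted and independently of inspection, so HTTP needs no `inspect` entry for its replies to pass. The fragment below is an added example and is not from the original post: it shows how `inspect http` would be added to the existing default class if HTTP application inspection is wanted, and the commands a practitioner would use on the PIX itself to see whether a connection entry exists for the session, which access-list lines are being hit, and why packets are being dropped. The inside host address 192.168.1.10, the capture names and the `cap_http` access list are assumptions for the example.

```cisco
! Added example, not from the original post. Assumes the poster's
! "permit_all" access lists and default global_policy are already in
! place, and an inside laptop at 192.168.1.10 (assumed) browsing port 80.

! 1. Optional: add HTTP application inspection to the existing default
!    class. This adds protocol checks on port 80 traffic; it is NOT
!    required for reply packets of an inside-initiated session.
policy-map global_policy
 class inspection_default
  inspect http

! 2. Confirm the global policy is applied and is counting packets.
show service-policy global

! 3. While the laptop browses, check for a connection entry. A conn
!    whose flags include U (up) completed the handshake; one that stays
!    embryonic (no U) means the SYN went out but the reply never made it
!    into the connection table.
show conn address 192.168.1.10

! 4. See which access-list lines are being hit.
show access-list permit_all

! 5. Ask the firewall why it is dropping packets (counters by reason).
clear asp drop
show asp drop

! 6. Capture the same flow on both interfaces on the PIX itself, so the
!    two sniffers and the firewall's own view can be compared.
access-list cap_http extended permit tcp host 192.168.1.10 any eq www
access-list cap_http extended permit tcp any eq www host 192.168.1.10
capture cap_in  interface inside  access-list cap_http
capture cap_out interface outside access-list cap_http
show capture cap_in
show capture cap_out
no capture cap_in
no capture cap_out
```

    Because established connections are matched in the connection table before the interface access lists are evaluated, the `permit ip any any` group on the outside interface is not needed for the replies to inside-initiated HTTP; once the test is done it can be removed without affecting outbound browsing, which closes the unrestricted inbound exposure the post already flags as temporary.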

  2. In article <>, <"B Squared"> wrote:
    >We have a PIX 515 running 7.0 I am setting up. It's really a pretty
    >basic installation, for example, we are not using NAT.


    >I've put a network sniffer on the connection between our internal
    >network and the PIX Inside interface, and also on the connection between
    >the PIX Outside interface and our ISP. Outbound HTTP traffic is being
    >passed to the ISP, but the return packets (with correct address,
    >sequence number, and/or ack number) are being blocked by the PIX.


    You did not happen to mention exactly which 7.0 version you
    are using.

    If I recall correctly, someone posted a couple of months ago
    mentioning an HTTP problem in early versions of 7.0, fixed in
    later versions.


    PIX 7.1(1) is out now, and from the release notes -appears-
    to be just a major bug-fix release. It isn't indicated in
    the release notes why they incremented the minor version number
    instead of just creating a new release number.

    [My -speculation- is that we will soon see a new hardware model
    that uses PIX 7.1. But that's definitely just speculation.]
    Walter Roberson, Feb 24, 2006
    #2
