fixup protocol for http

Discussion in 'Cisco' started by B Squared, Jul 14, 2005.

  1. B Squared

    B Squared Guest

    I'm doing some work on a PIX 515, attempting to set it up for
    our network. I've gotten it to pass basic http packets across
    all the interfaces. For one of the tests I turned off the fixup
    protocol for http like so: no fixup protocol http. As expected
    it wouldn't pass http packets any more. So then I turned it back
    on (using port 80, as expected). It still doesn't pass http
    packets across any of the interfaces. I've checked with the
    debug packet command, and http goes in, but never comes out.
    Does this behavior make sense? I'd be happy to post the relevant
    parts of the configuration, but I was hoping there might be a
    probable explanation on the evidence I've given.

    BTW, I rebooted the PIX, and machines connected to the
    interfaces, and the behavior remains. I didn't change
    the addresses, or ACLs, or anything else. Just the http fixup
    protocol. I'm stumped.

    Thanks in advance for any suggestions.

    B Squared
     
    B Squared, Jul 14, 2005
    #1

  2. :I'm doing some work on a PIX 515, attempting to set it up for
    :our network. I've gotten it to pass basic http packets across
    :all the interfaces. For one of the tests I turned off the fixup
    :protocol for http like so: no fixup protocol http. As expected
    :it wouldn't pass http packets any more.


    That isn't the expected behaviour. The http fixup does not "enable"
    http: if you have the fixup turned off, http should still pass.

    What the fixup does is inspect the URLs being returned back,
    and modify the internal private IPs to public IPs according to the
    'alias' rules [older scheme] or 'dns' keyword of 'static' and 'nat'
    [newer scheme].

    I seem to recall seeing some old bug reports that implied that
    another function of the fixup was some inspection of the incoming
    requests for consistency and buffer overflow.
     
    Walter Roberson, Jul 14, 2005
    #2

  3. What's the code on the PIX? It can be a bug.

    But did you clear the NAT/PAT translation after you re-entered the
    fixup http command?

    HTH SH
     
    cisco9947 9947, Jul 17, 2005
    #3
  4. [Please don't top-post -- it makes it hard to read, and it makes
    it harder to comment on your contributions.]

    :B Squared wrote:
    :> I'm doing some work on a PIX 515, attempting to set it up for
    :> our network.

    :> BTW, I rebooted the PIX, and machines connected to the
    :> interfaces, and the behavior remains.


    :But did you clear the NAT/PAT translation after you re-entered the
    :fixup http command?

    Please tell us more about the mechanism by which NAT/PAT translations
    might survive rebooting a (non-failover) PIX.
     
    Walter Roberson, Jul 18, 2005
    #4
  5. Hi,
    Sorry about not reading the topmost email completely. Of course, if you
    have saved the config with http fixup in place and then rebooted the
    PIX, it will definitely clear nat/pat translations.

    Can you please copy and paste the config of the PIX with details like where
    the HTTP server is residing... is it on the outside zone or the DMZ or the
    inside zone? Also specify the HTTP server address.

    SH
    CCSP
     
    Sarabjit Singh, Jul 19, 2005
    #5