fixup protocol for http

I'm doing some work on a PIX 515, attempting to set it up for our network. I've gotten it to pass basic http packets across all the interfaces. For one of the tests I turned off the fixup protocol for http like so: no fixup protocol http. As expected it wouldn't pass http packets any more. So then I turned it back on (using port 80, as expected). It still doesn't pass http packets across any of the interfaces. I've checked with the debug packet command, and http goes in, but never comes out. Does this behavior make sense? I'd be happy to post the relevant parts of the configuration, but I was hoping there might be a probable explanation on the evidence I've given.

BTW, I rebooted the PIX, and machines connected to the interfaces, and the behavior remains. I didn't change the addresses, or ACLs, or anything else. Just the http fixup protocol. I'm stumped.

Thanks in advance for any suggestions.

B Squared

Reply to
"B Squared"

In article , wrote:
:I'm doing some work on a PIX 515, attempting to set it up for
:our network. I've gotten it to pass basic http packets across
:all the interfaces. For one of the tests I turned off the fixup
:protocol for http like so: no fixup protocol http. As expected
:it wouldn't pass http packets any more.

That isn't the expected behaviour. The http fixup does not "enable" http: if you have the fixup turned off, http should still pass.

What the fixup does is inspect the URLs being returned back, and modify the internal private IPs to public IPs according to the 'alias' rules [older scheme] or 'dns' keyword of 'static' and 'nat' [newer scheme].

I seem to recall seeing some old bug reports that implied that another function of the fixup was some inspection of the incoming requests for consistency and buffer overflow.

Reply to
Walter Roberson

What's the code on the PIX? It can be a bug.

But did you clear the NAT/PAT translations after you re-entered the fixup http command?

HTH SH

B Squared wrote:

Reply to
cisco9947 9947

In article , cisco9947 9947 top-posted:

[Please don't top-post -- it makes it hard to read, and it makes it harder to comment on your contributions.]

:B Squared wrote:
:> I'm doing some work on a PIX 515, attempting to set it up for
:> our network.

:> BTW, I rebooted the PIX, and machines connected to the
:> interfaces, and the behavior remains.

:But did you clear Nat/PAT translation after you re-entered the
:Fixup http command .

Please tell us more about the mechanism by which NAT/PAT translations might survive rebooting a (non-failover) PIX.

Reply to
Walter Roberson

Hi, sorry about not reading the topmost email completely. Of course, if you have saved the config with http fixup in place and then rebooted the PIX, it will definitely clear NAT/PAT translations.

Can you please copy and paste the config of the PIX, with details like where the HTTP server is residing: is it on the outside zone, the dmz, or the inside zone? Also specify the http server address.

SH CCSP

Reply to
Sarabjit Singh
