turning on http inspection on a PIX

I have a PIX 515 running 7.04. I'm trying to figure out how to turn on http inspection. Documentation on the Cisco web site led me to believe the default configuration has it turned on, but resetting our system to default leaves it off. This is what it looks like:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  ... the other default settings, but no "inspect http"

! and finally

service-policy global_policy global

I have the Syngress book _Cisco PIX Firewalls_ by Behrens, et al, and according to it the command sequence should be:

PIX(config)# class-map inspection_default
PIX(config-cmap)# match http

But this doesn't work. Nor does this sequence, with "no match xxx", allow me to remove any of the other stateful inspections like ftp. I'm not trying to do any of the cool things like using an access list, or invoking a flow-based policy. I just want to allow basic http traffic. Based on the errors I get when I attempt this, I think my understanding of how this works is a bit weak. A link to a web page that explains all this would be useful as well.

Thanks in advance for any suggestions.

B Squared
======================================================================
Reality is what you can get away with. -- Robert Anton Wilson
Art is anything you can get away with. -- Marshall McLuhan


You can use the old command and it converts to the new style.

Off the top of my head it would be

fixup protocol http 80

We turned http inspection off because the performance hit on throughput on port 80 was really big. The fix for this bug is due out in April with 7.05.

DiGiTAL_ViNYL (no email)
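
An added example, not code from either poster: a small audit that reads a PIX 7.x running-config, lists what the global policy actually inspects, and returns the policy-map commands needed when an inspection such as http is absent. The sample config is constructed from the fragment quoted in the question, and the function names are hypothetical.

```python
# Constructed sample in the layout of a PIX 7.x running-config, limited to
# the inspections quoted in the question (the post elides the rest).
SAMPLE = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
!
service-policy global_policy global
"""

def parse_policies(config):
    """Return ({policy: {class: [inspect args]}}, set of applied policy names)."""
    policies, applied = {}, set()
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():      # a top-level command closes any policy-map block
            policy = cls = None
        word, _, rest = line.partition(" ")
        if word == "policy-map":
            policy = rest
            policies[policy] = {}
        elif word == "service-policy":
            applied.add(rest.split()[0])
        elif policy and word == "class":
            cls = rest
            policies[policy][cls] = []
        elif policy and cls and word == "inspect":
            policies[policy][cls].append(rest)
    return policies, applied

def audit(config, want="http", policy="global_policy", cls="inspection_default"):
    """Return the config lines needed to inspect `want`; [] if already in place."""
    policies, applied = parse_policies(config)
    active = policies.get(policy, {}).get(cls, [])
    cmds = []
    if not any(a.split()[0] == want for a in active):
        cmds += [f"policy-map {policy}", f" class {cls}", f"  inspect {want}"]
    if policy not in applied:         # an unapplied policy inspects nothing
        cmds.append(f"service-policy {policy} global")
    return cmds

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "http inspection already enabled")
```

The inspection is added under the class inside the policy-map, not as a match line in the class-map, which is why the `match http` attempt in the question has no effect on what gets inspected.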

