I have a PIX 515 running 7.04. I'm trying to figure out how to turn on http inspection. Documentation on the Cisco web site led me to believe the default configuration has it turned on, but resetting our system to default leaves it off. This is what it looks like:
    class-map inspection_default
      match default-inspection-traffic
    !
    policy-map global_policy
      class inspection_default
        inspect dns maximum-length 512
        inspect ftp
        inspect h323 h225
        ... the other default settings, but no "inspect http"
    !
    ! and finally
    service-policy global_policy global
I have the Syngress book _Cisco PIX Firewalls_ by Behrens, et al, and according to it the command sequence should be:
    PIX(config)# class-map inspection_default
    PIX(config-cmap)# match http
But this doesn't work. Nor does this sequence, with "no match xxx", allow me to remove any of the other stateful inspections like ftp. I'm not trying to do any of the cool things like using an access list, or invoke a flow-based policy. I just want to allow basic http traffic. Based on the errors I get when I attempt this, I think my understanding of how this works is a bit weak. A link to a web page that explains all this would be useful as well.
Thanks in advance for any suggestions.
B Squared
======================================================================
Reality is what you can get away with. -- Robert Anton Wilson
Art is anything you can get away with. -- Marshall McLuhan
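One way to turn an application inspection on (and off) under the PIX 7.x Modular Policy Framework, added here as an example rather than taken from the post above or the Syngress book: the inspect commands live under the class inside policy-map global_policy, not under the class-map, and the default class already matches HTTP on TCP/80 through match default-inspection-traffic. The hostname PIX and the prompts shown are placeholders.

```cisco
! PIX 7.x MPF: add HTTP inspection to the existing global policy.
! (added example; "PIX" hostname and prompts are placeholders)
PIX(config)# policy-map global_policy
PIX(config-pmap)# class inspection_default
PIX(config-pmap-c)# inspect http
!
! Removing an inspection works the same way, from the class inside the
! policy-map, not with "no match ..." under the class-map:
PIX(config-pmap-c)# no inspect ftp
PIX(config-pmap-c)# exit
PIX(config-pmap)# exit
!
! Confirm which inspections the global policy now applies and watch the
! per-inspection counters after the change.
PIX(config)# show service-policy
```

inspect http is not what permits HTTP through the firewall (the access rules and the default-inspection-traffic class already cover that); it adds protocol conformance checks that can drop requests which do not look like RFC-compliant HTTP, so check the counters in show service-policy after enabling it.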