12-03-2010 06:48 AM - edited 03-11-2019 12:17 PM
Hello Experts,
It would be much appreciated if you could provide your valued suggestions on this very simple configuration, if it is configured on a 6500 FWSM.
This configuration is to disable the http inspection between the source (172.20.2.79) and the destinations (172.30.30.44, 172.30.30.45), and vice versa.
I would also appreciate your valued input on whether, if this configuration is done in real time in a live working environment, there is any impact on other services.
Step 1: I have created an access-list called “microhttp”.
access-list microhttp extended deny ip host 172.30.30.44 host 172.20.2.79
access-list microhttp extended deny ip host 172.30.30.45 host 172.20.2.79
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.44
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.45
access-list microhttp extended permit ip any any
Step 2: I have created a class-map called “microhttp”.
class-map microhttp
match access-list microhttp
Step 3: In the global policy-map I have called this class-map.
FWSM-CORE1(config)# policy-map global_policy
FWSM-CORE1(config-pmap)# class microhttp
Step 4: In class-map microhttp, I am inspecting ‘http’ packets.
FWSM-CORE1(config-pmap-c)#inspect http
Step 5: I went back to the global policy-map.
FWSM-CORE1(config-pmap-c)# exit
FWSM-CORE1(config-pmap)#
Step 6: I went into the default class-map and I have removed the http inspection from the global policy-map.
FWSM-CORE1(config-pmap)# class inspection_default
FWSM-CORE1(config-pmap-c)# no inspect http
Thank you,
Best Regards,
Shahnawaz Khot
12-03-2010 08:33 AM
Hi Shahnawaz,
The changes you outlined will only affect new connections, so there is no impact on existing connections through the FWSM. However, I would recommend changing the following line as follows:
no access-list microhttp extended permit ip any any
access-list microhttp extended permit tcp any any eq 80
If you use the first line (permit ip any any), this will send all IP traffic to the HTTP inspection engine. Instead, the new line (permit tcp any any eq 80), will only send traffic that uses TCP port 80 to the inspection engine, which will prevent the FWSM from attempting to inspect non-HTTP traffic.
Hope that helps.
-Mike
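Putting Shahnawaz's six steps together with Mike's ACL change, the complete resulting configuration would look like this. This is an added example assembled by the editor from the two posts, not a configuration either of them posted; the hostname, addresses and object names are the ones from the thread, and the verification commands at the end are the editor's addition (standard ASA/FWSM show commands), not something the thread describes.

```cisco
! Step 1: ACL that selects the traffic handed to the http inspection class.
! The deny entries exclude the exempted host pairs. They must stay above the
! permit, because the ACL is evaluated first-match; a deny match means the
! packet does NOT belong to class microhttp and is therefore not inspected.
access-list microhttp extended deny ip host 172.30.30.44 host 172.20.2.79
access-list microhttp extended deny ip host 172.30.30.45 host 172.20.2.79
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.44
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.45
!
! Original catch-all from the first post (hands every other IP packet,
! DNS, SNMP, ICMP included, to the http engine):
!   access-list microhttp extended permit ip any any
! Mike's replacement: only TCP port 80 reaches the http inspection engine.
access-list microhttp extended permit tcp any any eq 80
!
! Step 2: class-map keyed on that ACL.
class-map microhttp
 match access-list microhttp
!
! Steps 3-6: inspect http in the new class and remove it from
! inspection_default, so http is no longer inspected for the exempted hosts.
policy-map global_policy
 class inspection_default
  no inspect http
 class microhttp
  inspect http
!
! The existing global service-policy is left unchanged:
!   service-policy global_policy global
!
! Verification (enable mode), after sending some test traffic:
!   show run policy-map global_policy
!   show access-list microhttp
!     -> hit counts (hitcnt) on the deny lines confirm the exemption is matching
!   show service-policy inspect http
!     -> the inspect counters should now appear only under class microhttp
```

If the ACL is already in place, apply Mike's change exactly as he wrote it: first `no access-list microhttp extended permit ip any any`, then add the `permit tcp any any eq 80` line. Because a new ACE is appended at the end, the four deny entries remain ahead of the permit and the exemption keeps working.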
12-15-2010 11:07 AM
Thank you Mike :)