shahnawaz.khot
Beginner

FWSM Question on disabling http inspection.

Hello Experts,

It would be much appreciated if you could provide your valued suggestions on this very simple configuration, if configured on a 6500 FWSM.

This configuration is to disable the http inspection between source (172.20.2.79) and destination (172.30.30.44, 172.30.30.45) and vice versa.

I would also appreciate your valued inputs on the point that, if this configuration is done in real time in a live working environment, is there any impact on other services?

Step 1: I have created an access-list called “microhttp”.

access-list microhttp extended deny ip host 172.30.30.44 host 172.20.2.79
access-list microhttp extended deny ip host 172.30.30.45 host 172.20.2.79
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.44
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.45
access-list microhttp extended permit ip any any

Step 2: I have created a class-map called “microhttp”.

class-map microhttp
match access-list microhttp

Step 3: In the global policy-map I have called this class-map.

FWSM-CORE1(config)# policy-map global_policy
FWSM-CORE1(config-pmap)#  class microhttp

Step 4: In class-map microhttp, I am inspecting ‘http’ packets.

FWSM-CORE1(config-pmap-c)#inspect http

Step 5: I went back to the global policy-map.

FWSM-CORE1(config-pmap-c)# exit
FWSM-CORE1(config-pmap)#

Step 6: I went into the default class-map and removed the http inspection from the global policy-map.

FWSM-CORE1(config-pmap)#  class inspection_default
FWSM-CORE1(config-pmap)#
FWSM-CORE1(config-pmap)# no inspect http

Thank you,

Best Regards,

Shahnawaz Khot

mirober2
Cisco Employee

Hi Shahnawaz,

The changes you outlined will only affect new connections, so there is no impact on existing connections through the FWSM. However, I would recommend changing the following line as follows:

no access-list microhttp extended permit ip any any

access-list microhttp extended permit tcp any any eq 80

If you use the first line (permit ip any any), this will send all IP traffic to the HTTP inspection engine. Instead, the new line (permit tcp any any eq 80), will only send traffic that uses TCP port 80 to the inspection engine, which will prevent the FWSM from attempting to inspect non-HTTP traffic.

Hope that helps.

-Mike
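The following is an added example, not code from the thread or from Cisco: a small Python model of how a class-map with `match access-list` selects traffic, used to compare the ACL from the question with Mike's recommended last line. It assumes the first-match ACL semantics Mike's answer relies on (a `permit` entry means the flow matches the class and is handed to the inspection engine, a `deny` entry excludes it, and an unmatched flow falls through to the implicit deny and is not inspected). The sample flows and the 10.0.0.x addresses are constructed for the demonstration; the two ACL texts are copied from the thread.

```python
from ipaddress import ip_address

# Constructed copies of the ACL posted in the question and of Mike's variant.
ACL_ORIGINAL = """
access-list microhttp extended deny ip host 172.30.30.44 host 172.20.2.79
access-list microhttp extended deny ip host 172.30.30.45 host 172.20.2.79
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.44
access-list microhttp extended deny ip host 172.20.2.79 host 172.30.30.45
access-list microhttp extended permit ip any any
"""

# Same ACL with the last line replaced as Mike recommends.
ACL_RECOMMENDED = ACL_ORIGINAL.replace(
    "permit ip any any", "permit tcp any any eq 80")


def _parse_addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' starting at token index i."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ip_address(tok[i + 1]), i + 2
    raise ValueError(f"unsupported address spec: {tok[i]}")


def parse_acl(text):
    """Parse the subset of extended ACE syntax used in the thread:
    access-list <name> extended <permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]
    Returns a list of (action, proto, src, dst, dport) tuples in ACL order."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"not an extended ACE: {raw}")
        action, proto = tok[3], tok[4]
        src, i = _parse_addr(tok, 5)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries


def _matches(ace, proto, src, dst, dport):
    """True if a single ACE covers the given flow ('ip' covers every protocol)."""
    _, a_proto, a_src, a_dst, a_port = ace
    if a_proto != "ip" and a_proto != proto:
        return False
    if a_src is not None and a_src != src:
        return False
    if a_dst is not None and a_dst != dst:
        return False
    if a_port is not None and a_port != dport:
        return False
    return True


def sent_to_inspection(acl, proto, src, dst, dport=None):
    """Model of 'match access-list' classification (assumed semantics):
    first matching ACE wins; permit -> flow is classified and inspected,
    deny -> flow is excluded; no match -> implicit deny, not inspected."""
    src, dst = ip_address(src), ip_address(dst)
    for ace in acl:
        if _matches(ace, proto, src, dst, dport):
            return ace[0] == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample flows: the excluded host pair, plain HTTP from
    # another host, and a non-HTTP flow (UDP/53) that the original ACL
    # would still hand to the HTTP inspection engine.
    flows = [
        ("tcp", "172.20.2.79", "172.30.30.44", 80),
        ("tcp", "10.0.0.1", "10.0.0.2", 80),
        ("udp", "10.0.0.1", "10.0.0.2", 53),
    ]
    for name, text in (("original", ACL_ORIGINAL), ("recommended", ACL_RECOMMENDED)):
        acl = parse_acl(text)
        for f in flows:
            print(f"{name:12} {f}: inspected={sent_to_inspection(acl, *f)}")
```

Running the script shows the point of Mike's change: with `permit ip any any` the UDP/53 flow is classified and handed to the HTTP engine, while with `permit tcp any any eq 80` only TCP port 80 is; the four `deny` lines exclude the 172.20.2.79 to 172.30.30.44/45 pairs under either ACL. Note that the model covers only the `host`/`any` and `eq` forms used in the thread, not subnets, ranges or object-groups.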

Thank you Mike :)
