cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
937
Views
0
Helpful
5
Replies

how to configure zone firewall to do layer 7 application inspection for http

carl_townshend
Spotlight
Spotlight

Hi all

If I want to configure a zone firewall on my router for layer 7 http inspection is the below correct?

also what would happen if I didnt use the "match protocol http" keyword on the class map, would this not look into the layer 7 info but would still perform stateful inspection ?

configure terminal

!

zone security INSIDE

zone security OUTSIDE

!

interface range fa0/0

zone-member security INSIDE

!

interface s0/0

zone-member security OUTSIDE

!
ip access-list extended allow-http

permit tcp 10.1.1.0 0.0.0.255 any eq 80

class-map type inspect ALLOW-HTTP

match access-group name allow-http

match protocol http

policy-map type inspect IN-TO-OUT

class type inspect ALLOW-HTTP

inspect

class class-default

drop

configure terminal

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

service-policy type inspect IN-TO-OUT

5 Replies 5

cadet alain
VIP Alumni
VIP Alumni

Hi,

you're not doing L7 application inspection with the config you posted. All you're doing is permit return traffic to http requests coming from  INSIDE zone to OUTSIDE zone.This is stateful firewalling.

You must attach a L7 policy-map  to the L3/L4 policy-map with a service-policy command

http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf

Regards.

Alain.

Don't forget to rate helpful posts.

I thought by doing the match command for http it will be looking into the L7 ? I dont want to look for anything in paticular like regex , just want to make sure the http hasnt been spoofed etc.

what command would I need to do to do this ? would it be >match req-resp protocol violation ?

cheers

Carl

Hi,

match protocol http is matching with PAM port numbers instead of usinf an ACL with tcp eq 80 or 8080.

What do you mean by http has been spoofed?

Alain.

Don't forget to rate helpful posts.

arr ok, so if i didnt put in match protocl http it would just inspect the port specified on the acl??

by spoofed i mean, people tunneling inside http. and using other port numbers etc

what command would i need to include to get the router to check the payload L7 for correct use, would the command >"match req-resp protocol violation"  work ?

Hi,

arr ok, so if i didnt put in match protocl http it would just inspect the port specified on the acl??

You're right.

what command would i need to include to get the router to check the  payload L7 for correct use, would the command >"match req-resp  protocol violation"  work ?

Honestly, I don't know. Hope someone more knowledgeable will answer your question.

Regards.

Alain.

Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card