how to configure zone firewall to do layer 7 application inspection for http

carl_townshend
Spotlight

Hi all

If I want to configure a zone firewall on my router for layer 7 HTTP inspection, is the below correct?

Also, what would happen if I didn't use the "match protocol http" keyword on the class map? Would this not look into the layer 7 info but still perform stateful inspection?

configure terminal
!
zone security INSIDE
zone security OUTSIDE
!
interface fa0/0
 zone-member security INSIDE
!
interface s0/0
 zone-member security OUTSIDE
!
ip access-list extended allow-http
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
!
! match-all is the default for "class-map type inspect"; written out here so it
! is clear that both the ACL match and the protocol match must be true
class-map type inspect match-all ALLOW-HTTP
 match access-group name allow-http
 match protocol http
!
policy-map type inspect IN-TO-OUT
 class type inspect ALLOW-HTTP
  inspect
 class class-default
  drop
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT

5 Replies

cadet alain
VIP Alumni

Hi,

you're not doing L7 application inspection with the config you posted. All you're doing is permitting return traffic for HTTP requests coming from the INSIDE zone to the OUTSIDE zone. This is stateful firewalling.

You must attach a L7 policy-map to the L3/L4 policy-map with a service-policy command:

http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf

Regards.

Alain.

Don't forget to rate helpful posts.

I thought by doing the match command for http it would be looking into the L7? I don't want to look for anything in particular like a regex, I just want to make sure the HTTP hasn't been spoofed etc.

What command would I need to do this? Would it be >match req-resp protocol violation?

cheers

Carl

Hi,

match protocol http is matching with PAM port numbers instead of using an ACL with tcp eq 80 or 8080.

What do you mean by http has been spoofed?

Alain.

Don't forget to rate helpful posts.

Ah ok, so if I didn't put in match protocol http it would just inspect the port specified on the ACL??

By spoofed I mean people tunneling inside HTTP, and using other port numbers etc.

What command would I need to include to get the router to check the L7 payload for correct use? Would the command >"match req-resp protocol violation" work?

Hi,

Ah ok, so if I didn't put in match protocol http it would just inspect the port specified on the ACL??

You're right.

What command would I need to include to get the router to check the L7 payload for correct use? Would the command >"match req-resp protocol violation" work?

Honestly, I don't know. Hope someone more knowledgeable will answer your question.

Regards.

Alain.

Don't forget to rate helpful posts.
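An added example configuration, not taken from this thread or from the Cisco document Alain linked, showing what Alain's first reply describes (an L7 HTTP policy-map nested under the L3/L4 inspect class with a service-policy command) and covering the two checks Carl asks about in his last post: malformed HTTP and non-HTTP traffic tunnelled over the HTTP port. The zone names, interface names and the 10.1.1.0/24 subnet are Carl's; the class-map and policy-map names HTTP-ABUSE and HTTP-L7-POLICY are made up here. It assumes an IOS release with Zone-Based Policy Firewall HTTP application inspection (the 12.4(T)-era command set); the port-misuse keyword in particular should be checked against the command reference for the release in use.

```cisco
! Added example (not from the thread). Assumes IOS with ZBF HTTP application inspection.
! Zones, interfaces and subnet are from Carl's post; HTTP-ABUSE / HTTP-L7-POLICY are assumed names.
!
! --- L7 (application) class-map: what to look for inside the HTTP payload ---
class-map type inspect http match-any HTTP-ABUSE
 ! requests/responses that do not follow HTTP message framing
 match req-resp protocol-violation
 ! non-HTTP protocols carried over the HTTP port (assumed keyword; verify on your release)
 match request port-misuse tunneling
!
! --- L7 policy-map: what to do with a flow once the L7 class matches ---
policy-map type inspect http HTTP-L7-POLICY
 class type inspect http HTTP-ABUSE
  reset
  log
!
! --- L3/L4 class-map: which flows are handed to the inspect engine ---
! No "eq 80" in the ACL: the port decision is left to "match protocol http",
! which uses the PAM table (Alain's point about PAM port numbers).
ip access-list extended ALLOW-HTTP
 permit tcp 10.1.1.0 0.0.0.255 any
!
class-map type inspect match-all ALLOW-HTTP
 match access-group name ALLOW-HTTP
 match protocol http
!
! --- L3/L4 policy-map: "inspect" gives stateful firewalling, the nested
! "service-policy http" line is what turns on L7 application inspection ---
policy-map type inspect IN-TO-OUT
 class type inspect ALLOW-HTTP
  inspect
  service-policy http HTTP-L7-POLICY
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface Serial0/0
 zone-member security OUTSIDE
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
```

Without the nested `service-policy http` line this is exactly Carl's original config: a stateful L3/L4 policy that opens the return path for TCP/80 but never looks at what is inside the session. With it, the L7 class-map is evaluated on the payload of every flow the ALLOW-HTTP class admitted, and the `reset` plus `log` actions tear down the session and produce a syslog line for each hit, which is the visibility you want when the concern is something other than HTTP hiding behind port 80. If a legitimate web application listens on a non-standard port, `ip port-map http port tcp 8080` adds that port to the PAM table so `match protocol http` (and therefore the L7 inspection) covers it too. `show policy-map type inspect zone-pair IN-TO-OUT` shows per-class packet and drop counters, so a quick way to confirm the L7 policy is actually attached is to browse out from the INSIDE subnet and watch the HTTP-ABUSE counters appear under the ALLOW-HTTP class.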