topic hi,did you configure ACL and in Network Security

ASA HTTP inspection

Sheraz.Salim — Tue, 12 Mar 2019 06:22:18 GMT

Hello Everyone.

we are testing a HTTP inspection on ASA for our corporate network in development network. after doing config of the commands

policy-map type inspect http HTTP_Inspection_Map
description Inspect the HTTP traffic
parameters
protocol-violation action drop-connection log
match req-resp content-type mismatch
drop-connection log

policy-map global_policy
class inspection_default
inspect http HTTP_Inspection_Map

The clinets are not going on any webpage apart from if we tell them to do a https in web browser (https://bing.com). Kindly please suggest what could be the casue of the issue.

Inspect: http HTTP_Inspection_Map, packet 11444, drop 74, reset-drop 0

hi,did you configure ACL and

johnlloyd_13 — Mon, 03 Aug 2015 07:12:05 GMT

hi,

did you configure ACL and class-maps for both HTTP and HTTPS traffic?

did you also apply your 'service-policy' map to an interface?

a lot of times it's applied to the 'inside' interface.

JohnlloydI configure the

Sheraz.Salim — Mon, 03 Aug 2015 12:15:50 GMT

Johnlloyd

I configure the policy in global policy so i beleive i do not need to configure a ACL?

hi,you still need it.what are

johnlloyd_13 — Mon, 03 Aug 2015 13:58:38 GMT

hi,

you still need it.

what are you trying to achieve in this setup?

are you re-directing traffic to a proxy server or to an appliance (i.e. websense)?

Hi Johnlloydwe are using a

Sheraz.Salim — Mon, 03 Aug 2015 14:41:29 GMT

Hi Johnlloyd

we are using a websense virtual appliance. Does HTTP inspection must have to work in conjunction with proxy server or websense.

I assumed the ASA http inspection with these above setting will do the job even without websense?

the aim is to ASA inspection HTTP traffic and if there is a violation of the protocol than that traffic must be drop and reset the HTTP connection.

hi,we're also doing websense

johnlloyd_13 — Tue, 04 Aug 2015 02:27:34 GMT

hi,

we're also doing websense redirect for a client but not using the MPF. i've checked my ASA config and it has CLI similar to below:

url-server (inside) vendor websense host <WEBSENSE IP> timeout 30 protocol TCP version 1 connections 10

filter https 443 <INSIDE LAN SUBNET> <SM> 0.0.0.0 0.0.0.0 allow

thanks Johnlloyds.Seems I was

Sheraz.Salim — Tue, 04 Aug 2015 08:42:09 GMT

thanks Johnlloyds.

Seems I was under impression that ASA can do http inspection as standalone but seem it could not do this. thank you for your valued input.

Best Regards.