https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663740#M195974 <P>Hi community</P><P>One of our customers is facing a porblem with the default HTTP inspection (page loads slowly). I now tried to exclude this specific range via the MPF of the ASA (IPs are just for example):</P><P><SPAN style="font-family:courier new,courier,monospace;">access-list http-inspection extended deny tcp host 172.22.10.50 host 8.8.8.8 eq www</SPAN></P><P><SPAN style="font-family:courier new,courier,monospace;">class-map http-inspection<BR />&nbsp;match access-list http-inspection<BR />&nbsp;<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect icmp<BR />&nbsp; &lt;snip&gt;<BR />&nbsp; inspect ip-options<BR />&nbsp;class http-inspection<BR />&nbsp; inspect http</SPAN></P><P>&nbsp;</P><P>The packet-tracer shows, that with this ACL only traffic from 172.22.10.50 to 8.8.8.8 is inspected. Traffic from 172.22.10.50 to 7.7.7.7 for example is not expected. I tried to modify the ACL to a permit:</P><P><SPAN style="font-family:courier new,courier,monospace;">access-list http-inspection extended permit tcp host 172.22.10.50 host 8.8.8.8 eq www</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">In the packet-tracer this shows me the exact same result. I checked this option in the ASDM. There is an option for "DO NOT MATCH" and the ACL is with a deny statement. From this I&nbsp;would assume that it is possible to exclude some traffic from the inspection.</SPAN></P><P>&nbsp;</P><P>Has anyone a solution on this?</P><P>&nbsp;</P><P>Regards</P><P>Matthias</P> Tue, 12 Mar 2019 05:39:31 GMT Matthias Jeker 2019-03-12T05:39:31Z https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663740#M195974 <P>Hi community</P><P>One of our customers is facing a porblem with the default HTTP inspection (page loads slowly). I now tried to exclude this specific range via the MPF of the ASA (IPs are just for example):</P><P><SPAN style="font-family:courier new,courier,monospace;">access-list http-inspection extended deny tcp host 172.22.10.50 host 8.8.8.8 eq www</SPAN></P><P><SPAN style="font-family:courier new,courier,monospace;">class-map http-inspection<BR />&nbsp;match access-list http-inspection<BR />&nbsp;<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect icmp<BR />&nbsp; &lt;snip&gt;<BR />&nbsp; inspect ip-options<BR />&nbsp;class http-inspection<BR />&nbsp; inspect http</SPAN></P><P>&nbsp;</P><P>The packet-tracer shows, that with this ACL only traffic from 172.22.10.50 to 8.8.8.8 is inspected. Traffic from 172.22.10.50 to 7.7.7.7 for example is not expected. I tried to modify the ACL to a permit:</P><P><SPAN style="font-family:courier new,courier,monospace;">access-list http-inspection extended permit tcp host 172.22.10.50 host 8.8.8.8 eq www</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">In the packet-tracer this shows me the exact same result. I checked this option in the ASDM. There is an option for "DO NOT MATCH" and the ACL is with a deny statement. From this I&nbsp;would assume that it is possible to exclude some traffic from the inspection.</SPAN></P><P>&nbsp;</P><P>Has anyone a solution on this?</P><P>&nbsp;</P><P>Regards</P><P>Matthias</P> Tue, 12 Mar 2019 05:39:31 GMT https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663740#M195974 Matthias Jeker 2019-03-12T05:39:31Z https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663741#M195975 <P>*push*</P> Fri, 20 Mar 2015 07:37:02 GMT https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663741#M195975 Matthias Jeker 2015-03-20T07:37:02Z https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663742#M195976 <P>Solved. This is a bug in the packet-tracer which doesn't look up the MPF correctly. You should use show service-policy flow&nbsp;instead.</P> Tue, 24 Mar 2015 07:39:01 GMT https://community.cisco.com/t5/network-security/asa-exclude/m-p/2663742#M195976 Matthias Jeker 2015-03-24T07:39:01Z