topic Inbound Allow ACL when http headers inspection is true. in Network Security

Inbound Allow ACL when http headers inspection is true.

Andrew Sinclair — Tue, 12 Mar 2019 01:44:21 GMT

Hello,

I have a request to make the following work on an asa 5515 deployment and I'm receiving a lot of conflicting information about how to implement the solution.

I have an external provider that requires access to an internal non-ssl webpage. They are unable to provide IP address details to lock down the ACL. They have asked if we can allow access based on http-header-inspection within the request.

I believe this is possible using a class map to run the regex search for whatever he header string might be some form of AND rule such as;

(In english)

if outside->inside ACL ANY to HOST TCP 80 is true

if classmap regex is true

Then allow access.

Can you advise what type of technology would be required to get this working? If it is possible with the current 5515 technology what would you advise the answer is (or can you point me in the right direction to read the answer)?

Inbound Allow ACL when http headers inspection is true.

Julio Carvajal — Thu, 16 May 2013 16:56:10 GMT

Hello Andrew,

With the MPF setup

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Inbound Allow ACL when http headers inspection is true.

Andrew Sinclair — Wed, 22 May 2013 20:23:29 GMT

I am not sure that we can do what we need to do with MPF.

What we have is a standard HTTP/80 domain test.example.com. This domain needs to be accessible from anywhere but only when the incoming HTTP session contains the HTTP header X-example: "somestring".

The way it works just now is a regex match has been created for "somestring".

This match is then added to an HTTP inspection policy as MATCH NOT and the string class.

This is then assigned to a service-policy that that has an ACL specified as ANY -> HOST.

I would have assumed that this means any traffic on that ACL will be inspected and any HTTP sessions that do NOT contain the string "somestring" would be dropped.

The reason for this is the only people who should have access to this page is a CDN network to cache the webpage however as they have so many source IP addresses it wouldn't be practical to create an ACL based on that logic.

Can anyone offer any advice on this topic. It would be greatly appreciated.

Inbound Allow ACL when http headers inspection is true.

Julio Carvajal — Wed, 22 May 2013 21:37:26 GMT

Hello Andrew,

It makes sense,

I mean I would match the traffic with an ACL with port 80 and then use a match-not with the specific regex and drop/reset option as you suggested,

Have you done it?

Regards

Inbound Allow ACL when http headers inspection is true.

Andrew Sinclair — Wed, 22 May 2013 23:03:15 GMT

I will give this another test as soon as I can, I'm not sure I need to make the class CDN_REGEX_MAP, I think I could simply place the 'match not request header regex CDNHEADER' in the inspect policy. I will let you know how it goes. For sake of completeness I've included my code.

Thanks,

regex CDNHEADER "someheader"

class-map type regex match-any CDN_REGEX_MAP

match regex CDNHEADER

class-map type inspect http match-all DENYCDNCLASS

match not request header regex class CDN_REGEX_MAP

policy-map type inspect http CDNPOLICYMAP

class DENYCDNCLASS

reset log

access-list OUTSIDE_MPF extended permit tcp any 1.1.1.1 eq 80

class-map OUTSIDEMPF-CMAP

match access-list OUTSIDE_MPF

policy-map outside_policy

class OUTSIDEMPF-CMAP

inspect http CDNPOLICYMAP

service-policy outside_policy interface outside

Inbound Allow ACL when http headers inspection is true.

Julio Carvajal — Wed, 22 May 2013 23:22:08 GMT

Hello Andrew,

Can we do it like this (No need for the regex class-map and lets use the header host):

class-map type inspect http match-all DENYCDNCLASS

match not request header host regex CDNHEADER

Remember to rate all of the helpful posts