topic Re: ASA port-misuse issues in Network Security

ASA port-misuse issues

stevezups — Fri, 21 Feb 2020 08:16:45 GMT

Hi all,

I just got an ASA 5520 VPN Plus and I'm having trouble blocking p2p and im programs.

The problem is when I block p2p and im programs, no other web sites work. Here is my config below.

ASA Version 7.0(1)

names

interface GigabitEthernet0/0

nameif Inside

security-level 100

ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

nameif Internet

security-level 0

ip address xxxxxxxxx

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

enable password xxxx

passwd xxxx

hostname xxxxxxx

domain-name xxxxxxx

ftp mode passive

access-list 100 extended permit ip any any

http-map test-http

port-misuse p2p action drop

port-misuse tunnelling action allow

port-misuse im action drop

port-misuse default action allow

pager lines 24

logging buffered debugging

logging asdm informational

mtu Inside 1500

mtu Internet 1500

mtu management 1500

no failover

monitor-interface Inside

monitor-interface Internet

monitor-interface management

asdm image disk0:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (Internet) 1 interface

nat (Inside) 1 192.168.10.0 255.255.255.0

route Internet xxxxxxx

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.10.2 255.255.255.255 Inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

class-map test

match access-list 100

policy-map policy

class test

inspect http test-http

service-policy policy global

Thanks

Stevan

Re: ASA port-misuse issues

gfullage — Mon, 18 Jul 2005 22:38:53 GMT

As soon as you define a http-map it tells the PIX to start strict HTTP inspection, regardless of the other specific parameters you set within the http-map. I think what might be going on is the fact your class-map is directing ALL IP traffic through this http-map via access-list 100, and because that traffic is not actually HTTP it is dropped by the strict inspection rules.

I would suggest changing your class map to only send HTTP packets through the http-map, that should allow all other packets to flow through correctly (and it will speed them up greatly also). The following should resolve your problem:

class-map test

match port tcp eq 80

This will ensure that only HTTP packets are sent through the HTTP inspection engine, which makes sense anyway. Another way to do it, especially if you want to define a few different port numbers as HTTP traffic (8080, 8800, etc), is to change your ACL 100 to define only TCP traffic on those ports, rather than "ip any any" as you currently have.

Re: ASA port-misuse issues

stevezups — Tue, 19 Jul 2005 11:42:37 GMT

Hi, and thanks for the feedback.

I tried doing what you wrote. The problem is that im and p2p applications are still being let through. I need to block im and p2p programs.

Thanks for your help

Stevan

Re: ASA port-misuse issues

ThomasMoeller — Fri, 22 Jul 2005 08:14:14 GMT

Hi,

For version 7.0 not all p2p & im gets detected.

p2p: only detects Kazaa & Gnutella.

im: only detects Yahoo messenger

You could try turning it around like this:

http-map test-http

port-misuse tunnelling action allow

port-misuse default action drop log

Remember to only match port 80 traffic in your class-map.

I hope this helps.

-Thomas

Re: ASA port-misuse issues

JPMS — Wed, 14 Dec 2005 09:47:08 GMT

It doesn't work - it's a bug (and still is!) - see CSCsb41742