topic Re: Passing SOAP application through PIX in Network Security

Passing SOAP application through PIX

alexserkin — Fri, 21 Feb 2020 08:57:02 GMT

Recently we noticed that the HTTP POST request containing SOAP application is not passed through the PIX (7.1(2)) with default inspection rule.

The message is:

--------------------------------------------

Hypertext Transfer Protocol

POST /rcu/rc.asmx HTTP/1.1\r\n

Request Method: POST

Request URI: /rcu/rc.asmx

Request Version: HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.42)\r\n

Content-Type: text/xml; charset=utf-8\r\n

SOAPAction: "http://tempuri.org/SherpWS/Service1/Execute1"\r\n

Host: 10.0.52.43\r\n

Content-Length: 416\r\n

Expect: 100-continue\r\n

Connection: Keep-Alive\r\n

\r\n

eXtensible Markup Language

<?xml

version="1.0"

encoding="utf-8"

<soap:Envelope

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<soap:Body>

<Execute1

xmlns="http://tempuri.org/SherpWS/Service1">

BS_Balance_Get

</QueryCode>

i_DN=9013155908,i_ExtParam=$SUBSYSTEM=WINSP

</Parameters>

</Execute1>

</soap:Body>

</soap:Envelope>

-------------------------------------

And the error reported is:

%PIX-5-415008:1 HTTP RFC method illegal - 'POST' from 10.x.x.x to srv03

What is wrong with the request so that pix does not allow it through?

Re: Passing SOAP application through PIX

a.kiprawih — Thu, 08 Jun 2006 09:31:42 GMT

Hi,

As per Cisco PIX 7.x error log definition, it indicates that an attempt has been made to use a forbidden RFC method. This violates the user-configured policy.

This message is issued when the "http-map request-method rfc" command is configured to filter the specified RFC method, which matched line#3 of your post:

Request Method: POST

The keyword 'POST' was the name of the RFC method that caused that alert.

Sometimes, this was due to the application coding/programming itself that conflicts with PIX 7.x. The result will either you application traffic being reset or dropped.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/logmsgs.htm#wp3047882

Rgds,

Re: Passing SOAP application through PIX

alexserkin — Thu, 08 Jun 2006 10:58:28 GMT

The problem is that there weren't any http maps configured on the pix.

The config was:

...

policy-map global_policy

class inspection_default

...

inspect http

And the http request mentioned was silently dropped by pix.

Then i created an http map:

http-map httpmap

strict-http action allow log

port-misuse default action allow log

request-method rfc default action allow log

request-method ext default action allow log

transfer-encoding type default action allow log

and referenced it in global_policy

The log message 4150008 appeared about illegal method.

If the method POST is referenced in rfc2616 why is it considered illegal?