<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: don't understand application inspection... in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307378#M764473</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;BTW "match any" is a bad idea, you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy and each one will receive only traffic destined to its default port).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 28 Oct 2009 20:35:30 GMT</pubDate>
    <dc:creator>Herbert Baerten</dc:creator>
    <dc:date>2009-10-28T20:35:30Z</dc:date>
    <item>
      <title>don't understand application inspection...</title>
      <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307377#M764472</link>
      <description>&lt;P&gt;I can't make sense of this.  Here's what I have:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;      policy-map type inspect http test-http-inspect-map&lt;/P&gt;&lt;P&gt;        parameters&lt;/P&gt;&lt;P&gt;          protocol-violation action drop-connection&lt;/P&gt;&lt;P&gt;      class-map global-class&lt;/P&gt;&lt;P&gt;        match any&lt;/P&gt;&lt;P&gt;      policy-map global-policy&lt;/P&gt;&lt;P&gt;        class global-class&lt;/P&gt;&lt;P&gt;          inspect http test-http-inspect-map&lt;/P&gt;&lt;P&gt;      service-policy global-policy global&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	  &lt;/P&gt;&lt;P&gt;I'm trying to access a webserver on the "dmz" network (security-level 50) from the "outside" network (security-level 100).  I can't do so until I apply an access-list.  So, I allow traffic on dst port 80 from the outside.  But at that point it seems the application inspection doesn't work.  To test this I telnetted to port 80 from the outside host to the internal webserver and issued "post blah".  I'm able to see "post blah" in a capture on the internal webserver.  So, how do I properly apply application inspection and what is a good way to test it?  TIA.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 16:31:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307377#M764472</guid>
      <dc:creator>snickered</dc:creator>
      <dc:date>2019-03-11T16:31:36Z</dc:date>
    </item>
    <item>
      <title>Re: don't understand application inspection...</title>
      <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307378#M764473</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;BTW "match any" is a bad idea, you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy and each one will receive only traffic destined to its default port).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Oct 2009 20:35:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307378#M764473</guid>
      <dc:creator>Herbert Baerten</dc:creator>
      <dc:date>2009-10-28T20:35:30Z</dc:date>
    </item>
    <item>
      <title>Re: don't understand application inspection...</title>
      <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307379#M764474</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I actually got this working.  I was able to test using netcat.  It effectively dropped the tunnel I opened on port 80 trying to send cmd.exe through it.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now I have another question.  When I explicitly open a port for an application that there is no "inspect" for, is there a way to build an "inspect"?  For instance, let's say I use all the default inspections on the default ports.  Now, let's say I open tcp 188 for an internal application.  I'd like to know that someone didn't find that port and start tunneling cmd.exe.  How do people combat this scenario?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Oct 2009 21:43:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307379#M764474</guid>
      <dc:creator>snickered</dc:creator>
      <dc:date>2009-10-28T21:43:35Z</dc:date>
    </item>
    <item>
      <title>Re: don't understand application inspection...</title>
      <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307380#M764475</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What protocol is port 188 using? We cannot build inspects based on protocols we don't know. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if it is one of the well-known protocols then you can use the pre-defined inspections. If not, there is not much inspecting you can do on the ASA except regular tcp inspection.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Of course, for .exe etc. files there are IPSs that can look for regex strings in the packets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope it helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;PK&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Oct 2009 22:32:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307380#M764475</guid>
      <dc:creator>Panos Kampanakis</dc:creator>
      <dc:date>2009-10-28T22:32:16Z</dc:date>
    </item>
    <item>
      <title>Re: don't understand application inspection...</title>
      <link>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307381#M764476</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I was thinking more along the lines of an internal application that uses something proprietary.  I'm confused about MPF now... I'll start a new thread.  Thanks for your help.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Oct 2009 23:10:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/don-t-understand-application-inspection/m-p/1307381#M764476</guid>
      <dc:creator>snickered</dc:creator>
      <dc:date>2009-10-28T23:10:57Z</dc:date>
    </item>
  </channel>
</rss>