847 Views, 0 Helpful, 5 Replies

Inbound allow ACL when HTTP header inspection is true.

Andrew Sinclair (Level 1)

Hello,

I have a request to make the following work on an ASA 5515 deployment and I'm receiving a lot of conflicting information about how to implement the solution.

I have an external provider that requires access to an internal non-ssl webpage. They are unable to provide IP address details to lock down the ACL. They have asked if we can allow access based on http-header-inspection within the request.

I believe this is possible using a class map to run the regex search for whatever the header string might be, with some form of AND rule such as:

(In English)

if outside->inside ACL ANY to HOST TCP 80 is true

&

if classmap regex is true

Then allow access.

Can you advise what type of technology would be required to get this working? If it is possible with the current 5515 technology what would you advise the answer is (or can you point me in the right direction to read the answer)?


5 Replies

Julio Carvajal (VIP Alumni)

Hello Andrew,

With the MPF setup

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am not sure that we can do what we need to do with MPF.

What we have is a standard HTTP/80 domain test.example.com. This domain needs to be accessible from anywhere but only when the incoming HTTP session contains the HTTP header X-example: "somestring".

The way it works just now is a regex match has been created for "somestring".

This match is then added to an HTTP inspection policy as MATCH NOT and the string class.

This is then assigned to a service-policy that has an ACL specified as ANY -> HOST.

I would have assumed that this means any traffic on that ACL will be inspected and any HTTP sessions that do NOT contain the string "somestring" would be dropped.

The reason for this is that the only people who should have access to this page is a CDN network to cache the webpage; however, as they have so many source IP addresses, it wouldn't be practical to create an ACL based on that logic.

Can anyone offer any advice on this topic? It would be greatly appreciated.

Hello Andrew,

It makes sense.

I mean, I would match the traffic with an ACL with port 80 and then use a match-not with the specific regex and the drop/reset option, as you suggested.

Have you done it?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Andrew Sinclair (Level 1)

I will give this another test as soon as I can. I'm not sure I need to make the class CDN_REGEX_MAP; I think I could simply place 'match not request header regex CDNHEADER' in the inspect policy. I will let you know how it goes. For the sake of completeness I've included my code.

Thanks,

regex CDNHEADER "someheader"

class-map type regex match-any CDN_REGEX_MAP
 match regex CDNHEADER

class-map type inspect http match-all DENYCDNCLASS
 match not request header regex class CDN_REGEX_MAP

policy-map type inspect http CDNPOLICYMAP
 class DENYCDNCLASS
  reset log

access-list OUTSIDE_MPF extended permit tcp any host 1.1.1.1 eq 80

class-map OUTSIDEMPF-CMAP
 match access-list OUTSIDE_MPF

policy-map outside_policy
 class OUTSIDEMPF-CMAP
  inspect http CDNPOLICYMAP

service-policy outside_policy interface outside

Hello Andrew,

Can we do it like this (no need for the regex class-map, and let's use the header host):

class-map type inspect http match-all DENYCDNCLASS
 match not request header host regex CDNHEADER

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
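A complete version of the policy chain Julio describes (ACL on TCP/80, an inspect class with match-not on the regex, reset and log), using the direct regex reference Andrew proposes in his last post instead of the separate regex class-map. This is an added example, not configuration from either poster. The server address 1.1.1.1 and the header X-example: somestring are taken from Andrew's posts; the `!` lines are comments for the reader; and the `match not request header regex` form follows Andrew's own config rather than Julio's host-field variant, so confirm it is accepted on your ASA version with `?` before relying on it.

```cisco
! Regex covers header name and value, not the bare value, so the string
! showing up in some other header (User-Agent, Cookie) does not count.
! Header text assumed from Andrew's post.
regex CDNHEADER "X-example: somestring"
!
! match-all class: true only when the request header block does NOT
! contain the CDN header (this is the traffic we want to reject).
class-map type inspect http match-all DENYCDNCLASS
 match not request header regex CDNHEADER
!
! Inspection policy: reset the connection and log it whenever the
! class above matches, i.e. whenever the header is missing.
policy-map type inspect http CDNPOLICYMAP
 class DENYCDNCLASS
  reset log
!
! Layer 3/4 class: only TCP/80 from anywhere to the web server is handed
! to the HTTP inspector. Server address assumed from Andrew's post.
access-list OUTSIDE_MPF extended permit tcp any host 1.1.1.1 eq 80
class-map OUTSIDEMPF-CMAP
 match access-list OUTSIDE_MPF
!
policy-map outside_policy
 class OUTSIDEMPF-CMAP
  inspect http CDNPOLICYMAP
!
service-policy outside_policy interface outside
!
! Checks: confirm the pattern matches the expected header text, then
! watch the inspect http counters for the reset-drop count rising as
! requests without the header are rejected.
test regex "X-example: somestring" "X-example: somestring"
show service-policy interface outside
```

Because the interface policy takes precedence over any global_policy `inspect http` for the traffic this class matches, the rest of the outside traffic keeps its existing inspection. Two things to keep in mind with this design: the page is plain HTTP (per the original question), so the header value travels in cleartext and is effectively a shared secret between the CDN and this server, and a `match-all` class with a single `match not` line is only as selective as the regex, which is why the example matches the full `name: value` pair rather than the value alone.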