Inspecting http traffic on the ASA

Colin Higgins
Level 2

The ASA default inspection policy includes a number of well-known applications and is applied globally on the system:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Now, HTTP inspection is NOT enabled by default, so typically what I have done was to go into class inspection_default and add it:

class inspection_default
  inspect dns preset_dns_map
  inspect http

But I was reading through some Cisco documentation that indicates this may not work, or is not the way to do it. They recommend creating new class maps, policies, etc. Example:

hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global

So the question is, have I been doing this wrong? Will adding HTTP inspection to the class inspection_default not work?
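Both approaches in the post are expressed through the same three Modular Policy Framework building blocks: a class-map (what traffic), a Layer 3/4 policy-map (which inspections each class gets), and a service-policy (where the policy-map is bound). Whether `inspect http` is actually in force therefore depends on the whole chain, not on which class it was typed under: a policy-map that is never bound with `service-policy` inspects nothing, and a `policy-map type inspect dns preset_dns_map` is a protocol parameter map, not a policy that can be bound. The script below is an added example, not part of the thread or of any Cisco tool. It parses a constructed running-config (sample data, not captured from a device) that contains both variants from the post, and reports every binding under which a given inspection applies. The class-map names, policy-map names and the `outside` interface are taken from the post's examples or assumed for illustration.

```python
"""Audit which application inspections an ASA service-policy actually applies."""
import re

# Constructed sample running-config (not captured from a real device): the
# default inspection policy quoted in the post, with "inspect http" added to
# class inspection_default, plus the dedicated http_traffic class from the
# Cisco example bound by a second policy-map on one (assumed) interface.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq 80
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
  inspect sip
policy-map http_traffic_policy
 class http_traffic
  inspect http
!
service-policy global_policy global
service-policy http_traffic_policy interface outside
"""


def parse_mpf(config):
    """Split a running-config into the three MPF building blocks.

    Returns a dict with:
      class_maps:       {name: [match criteria]}
      policy_maps:      {name: {class_name: [inspected protocols]}}  (Layer 3/4 policies only)
      service_policies: [(policy_map, target)] where target is 'global' or 'interface <nameif>'
    """
    class_maps, policy_maps, service_policies = {}, {}, []
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            cur_cmap = cur_pmap = cur_class = None
            if m := re.fullmatch(r"class-map (\S+)", line):
                cur_cmap = m.group(1)
                class_maps[cur_cmap] = []
            # Exactly one token after "policy-map" means a Layer 3/4 policy. A
            # "policy-map type inspect <proto> <name>" (e.g. preset_dns_map) is a
            # protocol parameter map and is deliberately not collected here.
            elif m := re.fullmatch(r"policy-map (\S+)", line):
                cur_pmap = m.group(1)
                policy_maps[cur_pmap] = {}
            elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
                service_policies.append((m.group(1), m.group(2)))
            continue
        if cur_cmap is not None and line.startswith("match "):
            class_maps[cur_cmap].append(line[len("match "):])
        elif cur_pmap is not None and indent == 1 and line.startswith("class "):
            cur_class = line.split()[1]
            policy_maps[cur_pmap][cur_class] = []
        elif cur_pmap is not None and cur_class is not None and line.startswith("inspect "):
            # "inspect dns preset_dns_map" -> protocol "dns"; the parameter map name is dropped
            policy_maps[cur_pmap][cur_class].append(line.split()[1])
    return {"class_maps": class_maps, "policy_maps": policy_maps,
            "service_policies": service_policies}


def where_inspected(parsed, protocol):
    """Every place `inspect <protocol>` is in force: (policy_map, class_map, match criteria, target).

    The walk starts from the service-policy bindings, so a policy-map that is
    defined but never bound correctly contributes nothing.
    """
    hits = []
    for pmap, target in parsed["service_policies"]:
        for cls, inspections in parsed["policy_maps"].get(pmap, {}).items():
            if protocol in inspections:
                hits.append((pmap, cls, tuple(parsed["class_maps"].get(cls, [])), target))
    return hits


def inspection_matrix(parsed):
    """{protocol: [targets]} for every inspection that is actually bound somewhere."""
    matrix = {}
    for pmap, target in parsed["service_policies"]:
        for inspections in parsed["policy_maps"].get(pmap, {}).values():
            for proto in inspections:
                matrix.setdefault(proto, []).append(target)
    return matrix


if __name__ == "__main__":
    parsed = parse_mpf(SAMPLE_CONFIG)
    for pmap, cls, matches, target in where_inspected(parsed, "http"):
        print(f"inspect http: policy {pmap} / class {cls} ({', '.join(matches)}) -> {target}")
    for proto, targets in sorted(inspection_matrix(parsed).items()):
        print(f"{proto:8s} {', '.join(targets)}")
```

Run against a real `show running-config`, `where_inspected(parsed, "http")` answers the question in the post for that box: it lists the class under which `inspect http` sits and the match criteria of that class, which is what decides the traffic actually covered (`match default-inspection-traffic` covers the well-known ports of the default set, `match port tcp eq 80` exactly tcp/80). It also surfaces the case Mike's reply warns about indirectly: if HTTP inspection is bound twice (globally and again on an interface), protocol-violation drops will be applied from whichever policy is in force on that path, which is worth knowing before troubleshooting a site that will not load.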

3 Replies

Maykol Rojas
Cisco Employee

Hi Colin,

Which document was that? Basically, when they say that it does not work correctly, it is because several sites out there (not a common problem with the ones hosted by Akamai) are using non-RFC HTTP parameters, which results in the ASA dropping the packets and the end user not being able to open the web page.

Where did you see that document? Is it a Cisco one? Can you share it?

Mike

It was a Cisco document (I will try to find the link).

It said that HTTP inspection is not enabled by default, but instead of instructing me to add it to the class inspection_default, it says to create a new class-map for HTTP (see above).

It seemed like the implication here was that it wouldn't work within the inspection_default class, which makes no sense to me. Maybe I am just misreading it.

Have other people here added HTTP to the class inspection_default?

I work for TAC and, from the customers that I have, I've never seen it. I've been there for a while now.

Mike