08-08-2013 10:43 AM - edited 03-11-2019 07:23 PM
I'm currently using the Inspection Engine to prevent most users from accessing .zip (and the like) files. However, this is also blocking some websites used during daily business. I keep getting the following or similar syslog message:
%ASA-4-507003: tcp flow from Inside:X.X.X.X/62401 to External:X.X.X.X/80 terminated by inspection engine, reason - reset unconditionally.
Below is my config:
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Mm][Ss][Ii]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
!
class-map type regex match-any URLBlockList
 match regex urllist1
 match regex urllist2
 match regex urllist3
 match regex urllist4
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockURLsClass
  reset log
!
policy-map Inside-policy
 class Inside-class
  inspect http http_inspection_policy
Any Ideas?
08-19-2013 07:13 AM
The problem is not due to the urllists, but rather the following:

regex applicationheader "application/.*"
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class AppHeaderClass
 drop-connection log

Due to this configuration, on the response, the ASA sees application/xxxxx from nearly all websites and drops the connection. If this configuration is removed, the problem is no longer seen. The urllists can also be modified to appropriately block download files by removing HTTP/1.[01] from the string and by placing a space at the end to specify a match at the end of the uri.
-Robert Garrett
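To see why the answer above points at the response-header class rather than the urllists, here is an added example (not from the thread, not Cisco code) that runs the posted regexes with Python's `re` module against constructed request lines and Content-Type values. Python's engine only approximates the ASA's regex matching, and the sample strings are made up for illustration; the point is that `application/.*` matches the Content-Type of ordinary web assets such as scripts and JSON, so the `drop-connection` on `AppHeaderClass` fires on far more than file downloads, while the URI regexes (in both the original form and the revised form with `HTTP/1.[01]` removed and a trailing space) flag only the intended extensions.

```python
import re

# Regexes as posted in the question (character classes kept verbatim).
URL_ORIGINAL = r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
# Revised form suggested in the answer: drop "HTTP/1.[01]" and keep one
# trailing space so the extension has to sit at the end of the URI.
URL_REVISED = r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) "
# Response-header regex that the answer identifies as the real problem.
APP_HEADER = r"application/.*"

# Constructed sample HTTP request lines (not taken from the thread).
REQUEST_LINES = [
    "GET /downloads/tool.zip HTTP/1.1",
    "GET /backup.tgz HTTP/1.0",
    "GET /files/report.zipper HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
]

# Constructed sample Content-Type header values (not taken from the thread).
CONTENT_TYPES = [
    "text/html; charset=utf-8",
    "application/javascript",
    "application/json",
    "application/x-www-form-urlencoded",
    "application/zip",
    "image/png",
]


def matches(pattern, text):
    """Unanchored search, the same way the ASA applies a regex to a field."""
    return re.search(pattern, text) is not None


def flagged_requests(pattern, lines=REQUEST_LINES):
    """Request lines a URI regex would classify into BlockURLsClass."""
    return [line for line in lines if matches(pattern, line)]


def flagged_content_types(pattern=APP_HEADER, types=CONTENT_TYPES):
    """Content-Type values the response-header regex would classify into AppHeaderClass."""
    return [ct for ct in types if matches(pattern, ct)]


def policy_verdict(request_line, content_type, app_header_class_enabled=True):
    """Approximate the posted policy-map for one request/response pair.

    BlockURLsClass acts on the request and resets; AppHeaderClass acts on the
    response and drops; everything else is allowed.  Disabling the header class
    models the fix the answer recommends.
    """
    if matches(URL_ORIGINAL, request_line):
        return "reset"
    if app_header_class_enabled and matches(APP_HEADER, content_type):
        return "drop"
    return "allow"


if __name__ == "__main__":
    print("URI regex (original):", flagged_requests(URL_ORIGINAL))
    print("URI regex (revised): ", flagged_requests(URL_REVISED))
    print("application/.* matches:", flagged_content_types())
    # An ordinary script fetch is dropped only because of AppHeaderClass.
    print(policy_verdict("GET /static/app.js HTTP/1.1", "application/javascript"))
    print(policy_verdict("GET /static/app.js HTTP/1.1", "application/javascript",
                         app_header_class_enabled=False))
```

Running it shows both URI patterns flagging just the `.zip` and `.tgz` requests (and not `report.zipper`), while `application/.*` flags four of the six sample Content-Type values, including the JavaScript and JSON that almost any site serves; with the header class disabled the same script fetch is allowed, which is the behaviour the answer describes.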