ASA 5520 8.3(1) Default Inspection Engine dropping connections

lcc_cco
Level 1

Hello,

I currently have the default inspection engine configured in my firewall to inspect HTTP traffic. I noticed that the ASA will drop packets when visiting legitimate websites. I've tried googling for a workaround but have been unsuccessful. How can I exclude some websites or IPs from being affected by the inspection engine? Below is an example of the log message.

Severity:         4
Date/Time:        May 6 2011 09:51:55
Syslog ID:        507003
Source:           10.2.2.51 port 2546
Destination:      65.55.40.183 port 80
Description:      tcp flow from trust:10.2.2.51/2546 to untrust:65.55.40.183/80 terminated by inspection engine, reason - disconnected, dropped packet.

1 Reply

mirober2
Cisco Employee

Hello,

You can configure an exception for sites based on their IP address by using an ACL in a class-map. For example:

! A deny entry means the flow does not match the class-map, so it bypasses inspect http
access-list http-acl deny tcp any host 65.55.40.183 eq www
! All other TCP/80 traffic still matches the class and is inspected
access-list http-acl permit tcp any any eq www
!
class-map http-class
  match access-list http-acl
!
policy-map global_policy
  class http-class
    inspect http
!
service-policy global_policy global

You would want to remove your default inspection as well. Any IP address that is denied by the http-acl will not be affected by the inspection engine.

Hope that helps.

-Mike
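The answer above shows a one-host exception built by hand. In practice the 507003 messages are the record of which destinations the inspection engine is terminating, so the natural next step is to harvest them from the syslog feed and generate the deny entries from that. The following script is an added example and is not part of the original thread or any Cisco tool: it parses 507003 lines in the format quoted in the question, counts drops per destination IP and port, and emits ASA CLI in the same shape as Mike's configuration (the `no inspect http` under `class inspection_default` is the usual way to remove the default HTTP inspection he mentions). The sample log text is constructed for the example; the `%ASA-4-507003:` header prefix, the firewall hostname and the second and third destination addresses are assumptions, while the message body follows the page's wording. Names such as `collect_drops` and `build_exception_config` are the example's own.

```python
import re
from collections import Counter

# Constructed sample syslog text (not from the original post). The first line
# reproduces the 507003 message quoted in the question; the other hosts, the
# hostname and the "%ASA-4-507003:" header prefix are made up for the example.
SAMPLE_LOG = """\
May 06 2011 09:51:55 fw01 %ASA-4-507003: tcp flow from trust:10.2.2.51/2546 to untrust:65.55.40.183/80 terminated by inspection engine, reason - disconnected, dropped packet.
May 06 2011 09:52:10 fw01 %ASA-4-507003: tcp flow from trust:10.2.2.51/2550 to untrust:65.55.40.183/80 terminated by inspection engine, reason - disconnected, dropped packet.
May 06 2011 09:53:01 fw01 %ASA-4-507003: tcp flow from trust:10.2.2.77/3011 to untrust:198.51.100.20/80 terminated by inspection engine, reason - disconnected, dropped packet.
May 06 2011 09:53:40 fw01 %ASA-6-302014: Teardown TCP connection 12345 for untrust:203.0.113.5/443 to trust:10.2.2.51/2560 duration 0:00:12 bytes 4120 TCP FINs
"""

# Only 507003 (flow terminated by inspection engine) is of interest; pull the
# interface, address and port from both sides of the "flow from ... to ..." text.
_FLOW_RE = re.compile(
    r"507003.*?flow from (?P<src_if>[^:\s]+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[^:\s]+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+)"
)


def parse_507003(line):
    """Return the flow fields of a 507003 line, or None for any other message."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src_port"] = int(flow["src_port"])
    flow["dst_port"] = int(flow["dst_port"])
    return flow


def collect_drops(log_text):
    """Count inspection-engine drops per (destination IP, destination port)."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_507003(line)
        if flow:
            hits[(flow["dst_ip"], flow["dst_port"])] += 1
    return hits


def _port_keyword(port):
    # ASA ACLs accept the keyword "www" for TCP/80; other ports are given numerically.
    return "www" if port == 80 else str(port)


def build_exception_config(hits, acl_name="http-acl", class_name="http-class", min_hits=1):
    """Emit ASA CLI that exempts the counted destinations from HTTP inspection.

    Same construction as the answer above: a deny entry in the ACL stops the flow
    from matching the class-map, so it never reaches "inspect http". Destinations
    seen fewer than min_hits times are skipped so one-off noise is not exempted.
    """
    lines = []
    for (ip, port), n in sorted(hits.items()):
        if n < min_hits:
            continue
        lines.append(f"! {n} inspection drop(s) seen for {ip}/{port}")
        lines.append(f"access-list {acl_name} deny tcp any host {ip} eq {_port_keyword(port)}")
    # Everything not denied above still matches the class and is inspected.
    lines.append(f"access-list {acl_name} permit tcp any any eq www")
    lines += [
        "!",
        f"class-map {class_name}",
        f"  match access-list {acl_name}",
        "!",
        "policy-map global_policy",
        "  class inspection_default",
        "    no inspect http",
        f"  class {class_name}",
        "    inspect http",
        "!",
        "service-policy global_policy global",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the generated exception config for the constructed sample log.
    print(build_exception_config(collect_drops(SAMPLE_LOG)))
```

Review the generated list before pasting it: a 507003 drop means the inspection engine found something it did not like in the HTTP exchange, so exempting a destination trades that check away for reachability, and an address-based exemption is brittle for sites served from CDN address pools that change over time. The `min_hits` threshold is there so a single odd connection does not silently become a permanent exception.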
