03-19-2015 12:44 AM - edited 03-11-2019 10:39 PM
Hi community
One of our customers is facing a problem with the default HTTP inspection (page loads slowly). I now tried to exclude this specific range via the MPF of the ASA (IPs are just for example):
access-list http-inspection extended deny tcp host 172.22.10.50 host 8.8.8.8 eq www
class-map http-inspection
 match access-list http-inspection
policy-map global_policy
 class inspection_default
  inspect icmp
  <snip>
  inspect ip-options
 class http-inspection
  inspect http
The packet-tracer shows that with this ACL only traffic from 172.22.10.50 to 8.8.8.8 is inspected. Traffic from 172.22.10.50 to 7.7.7.7, for example, is not inspected. I tried to modify the ACL to a permit:
access-list http-inspection extended permit tcp host 172.22.10.50 host 8.8.8.8 eq www
In the packet-tracer this shows me the exact same result. I checked this option in the ASDM. There is an option for "DO NOT MATCH" and the ACL is with a deny statement. From this I would assume that it is possible to exclude some traffic from the inspection.
Does anyone have a solution for this?
Regards
Matthias
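A small model of how a class-map with "match access-list" selects flows, added here as an illustration and not code from the thread or from Cisco. It assumes the documented ASA semantics: the ACL is evaluated top-down, first match wins, there is an implicit deny at the end, a permit ACE puts a flow into the class and a deny ACE (ASDM's "Do not match") keeps it out. It runs the thread's three ACL variants (deny only, permit only, and the assumed "deny the exception, then permit the rest" form) against the sample addresses from the question.

```python
"""Toy model of ASA MPF class selection via `match access-list`.
Constructed example for this thread, not Cisco code. Assumed semantics:
top-down first match, implicit deny at the end, permit = in the class,
deny = excluded from the class. Addresses are the thread's sample values."""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # host address or "any"
    dst: str
    dport: Optional[int]   # None = any destination port

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and (self.dport is None or self.dport == f.dport))


def parse_ace(line: str) -> Ace:
    """Parse one `access-list NAME extended ACTION PROTO SRC DST [eq PORT]` line.
    Only the `host A` / `any` address forms used in the thread are handled."""
    tok = line.split()
    i = tok.index("extended") + 1
    action, proto = tok[i], tok[i + 1]
    i += 2

    def addr() -> str:
        nonlocal i
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        i += 1
        return tok[i - 1]

    src, dst = addr(), addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def acl_permits(acl: List[Ace], f: Flow) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


def inspect_http(acl_lines: List[str], f: Flow) -> bool:
    """True when the flow lands in the `match access-list` class carrying `inspect http`."""
    return acl_permits([parse_ace(line) for line in acl_lines], f)


# Constructed sample flows built from the thread's addresses.
TO_8888 = Flow("tcp", "172.22.10.50", "8.8.8.8", 80)
TO_7777 = Flow("tcp", "172.22.10.50", "7.7.7.7", 80)

# 1. The deny-only ACL from the question: nothing is permitted, so the class is empty.
DENY_ONLY = ["access-list http-inspection extended deny tcp host 172.22.10.50 host 8.8.8.8 eq www"]
# 2. The permit variant: only the named pair lands in the class.
PERMIT_ONLY = ["access-list http-inspection extended permit tcp host 172.22.10.50 host 8.8.8.8 eq www"]
# 3. Exclusion written as "deny the exception, then permit the rest" (assumed form, not from the thread).
DENY_THEN_PERMIT = DENY_ONLY + ["access-list http-inspection extended permit tcp any any eq www"]


def summary(acl_lines: List[str]) -> dict:
    """Which of the two sample flows would receive `inspect http` under this ACL."""
    return {"to_8.8.8.8": inspect_http(acl_lines, TO_8888),
            "to_7.7.7.7": inspect_http(acl_lines, TO_7777)}


if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("permit only", PERMIT_ONLY),
                      ("deny then permit any", DENY_THEN_PERMIT)]:
        print(f"{name:22s} {summary(acl)}")
```

The model is only a way to reason about which class a flow should land in; on the appliance itself, the class a live connection actually matched is what "show service-policy flow" reports.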
03-20-2015 12:37 AM
*push*
03-24-2015 12:39 AM
Solved. This is a bug in the packet-tracer which doesn't look up the MPF correctly. You should use show service-policy flow instead.