ASA HTTP inspection

Hello Everyone. 

We are testing HTTP inspection on an ASA for our corporate network, in a development network. After configuring the following commands:

policy-map type inspect http HTTP_Inspection_Map
 description Inspect the HTTP traffic
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http HTTP_Inspection_Map

The clients are not getting to any webpage, apart from when we tell them to use https in the web browser (https://bing.com). Kindly suggest what could be the cause of the issue.


Inspect: http HTTP_Inspection_Map, packet 11444, drop 74, reset-drop 0

please do not forget to rate.
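Added illustration, not code from the original post or from Cisco: a small Python model of what the 'match req-resp content-type mismatch' line in the policy above compares, the response's Content-Type against the Accept header of the request it answers, together with the action the policy pairs with it. The wildcard and parameter-handling rules in the model are assumptions, not the ASA's exact algorithm.

```python
# Model of an HTTP request/response Content-Type mismatch check.
# Constructed for illustration; NOT the ASA's implementation. The rules
# (wildcard media ranges, parameters ignored) are assumptions.

def _media_type(value):
    # Strip parameters such as "; charset=utf-8" or ";q=0.8", normalise case.
    return value.split(";", 1)[0].strip().lower()

def parse_accept(accept):
    # "text/html, */*;q=0.8" -> ["text/html", "*/*"]
    return [_media_type(part) for part in accept.split(",") if part.strip()]

def media_range_matches(media_range, content_type):
    # Media ranges as in RFC 7231: "*/*", "type/*" or an exact "type/subtype".
    if media_range == "*/*":
        return True
    rtype, _, rsub = media_range.partition("/")
    ctype, _, csub = content_type.partition("/")
    if rsub == "*":
        return rtype == ctype
    return (rtype, rsub) == (ctype, csub)

def content_type_mismatch(request_headers, response_headers):
    """True when no Accept range of the request covers the response Content-Type.
    A request without Accept, or a response without Content-Type, is treated
    as no mismatch (assumption): only an explicit conflict counts.
    """
    accept = request_headers.get("Accept")
    ctype = response_headers.get("Content-Type")
    if accept is None or ctype is None:
        return False
    ctype = _media_type(ctype)
    return not any(media_range_matches(r, ctype) for r in parse_accept(accept))

def inspect_exchange(request_headers, response_headers):
    """Return the action the policy pairs with the match: drop-connection or allow."""
    if content_type_mismatch(request_headers, response_headers):
        print("content-type mismatch: drop-connection log")  # the policy's action
        return "drop-connection"
    return "allow"

# Constructed sample exchanges (not captured traffic).
BROWSER = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
SCRIPT = {"Accept": "application/json"}
HTML = {"Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    print(inspect_exchange(BROWSER, HTML))  # allow: */* covers text/html
    print(inspect_exchange(SCRIPT, HTML))   # drop-connection
```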

johnlloyd_13
Level 9

hi,

did you configure ACL and class-maps for both HTTP and HTTPS traffic?

did you also apply your 'service-policy' map to an interface?

a lot of times it's applied to the 'inside' interface.

Johnlloyd

I configured the policy in the global policy, so I believe I do not need to configure an ACL?

please do not forget to rate.

hi,

you still need it.

what are you trying to achieve in this setup?

are you re-directing traffic to a proxy server or to an appliance (i.e. websense)?

Hi Johnlloyd

We are using a websense virtual appliance. Does HTTP inspection have to work in conjunction with a proxy server or websense?

I assumed the ASA HTTP inspection with the above settings would do the job even without websense?

The aim is for the ASA to inspect HTTP traffic and, if there is a violation of the protocol, drop that traffic and reset the HTTP connection.

please do not forget to rate.

hi,

We're also doing websense redirect for a client but not using the MPF. I've checked my ASA config and it has CLI similar to below:

url-server (inside) vendor websense host <WEBSENSE IP> timeout 30 protocol TCP version 1 connections 10

filter https 443 <INSIDE LAN SUBNET> <SM> 0.0.0.0 0.0.0.0 allow

Thanks Johnlloyd.

It seems I was under the impression that the ASA can do HTTP inspection standalone, but it seems it cannot. Thank you for your valued input.

Best Regards.

please do not forget to rate.