ASA port-misuse issues

stevezups
Level 1

Hi all,

I just got an ASA 5520 VPN Plus and I'm having trouble blocking p2p and im programs.

The problem is when I block p2p and im programs, no other web sites work. Here is my config below.

ASA Version 7.0(1)
names
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif Internet
 security-level 0
 ip address xxxxxxxxx
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
enable password xxxx
passwd xxxx
hostname xxxxxxx
domain-name xxxxxxx
ftp mode passive
access-list 100 extended permit ip any any
!
http-map test-http
 port-misuse p2p action drop
 port-misuse tunnelling action allow
 port-misuse im action drop
 port-misuse default action allow
!
pager lines 24
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu Internet 1500
mtu management 1500
no failover
monitor-interface Inside
monitor-interface Internet
monitor-interface management
asdm image disk0:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (Inside) 1 192.168.10.0 255.255.255.0
route Internet xxxxxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.2 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map test
 match access-list 100
!
!
policy-map policy
 class test
  inspect http test-http
!
service-policy policy global

Thanks

Stevan

4 Replies

gfullage
Cisco Employee

As soon as you define an http-map it tells the PIX to start strict HTTP inspection, regardless of the other specific parameters you set within the http-map. I think what might be going on is the fact that your class-map is directing ALL IP traffic through this http-map via access-list 100, and because that traffic is not actually HTTP it is dropped by the strict inspection rules.

I would suggest changing your class map to only send HTTP packets through the http-map, that should allow all other packets to flow through correctly (and it will speed them up greatly also). The following should resolve your problem:

class-map test
 match port tcp eq 80

This will ensure that only HTTP packets are sent through the HTTP inspection engine, which makes sense anyway. Another way to do it, especially if you want to define a few different port numbers as HTTP traffic (8080, 8800, etc), is to change your ACL 100 to define only TCP traffic on those ports, rather than "ip any any" as you currently have.

Hi, and thanks for the feedback.

I tried doing what you wrote. The problem is that im and p2p applications are still being let through. I need to block im and p2p programs.

Thanks for your help

Stevan

Hi,

For version 7.0 not all p2p & im get detected.

p2p: only detects Kazaa & Gnutella.

im: only detects Yahoo Messenger.

-

You could try turning it around like this:

http-map test-http
 port-misuse tunnelling action allow
 port-misuse default action drop log

Remember to only match port 80 traffic in your class-map.

I hope this helps.
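Putting the two suggestions above together (gfullage's: inspect only HTTP ports, not "ip any any"; Thomas's: invert the http-map so anything the engine does not recognize on those ports is dropped and logged), here is what the relevant part of the original config would look like. This is an added example, not configuration posted by anyone in the thread; the ACL and class-map names, and the extra ports 8080 and 8800, are assumptions taken from gfullage's wording and should be adjusted to the site.

```cisco
! Added example, not from any post above. Assumes the original interface names
! (Inside/Internet) and that 8080 and 8800 are the site's extra HTTP ports.
!
! 1. Match only HTTP ports, so strict HTTP inspection never sees non-HTTP flows.
!    Either form works; (b) is the one to use when several ports count as HTTP.
!
!    (a) a single port directly in the class-map
class-map http-80
 match port tcp eq 80
!
!    (b) several ports via an ACL (replaces the original "permit ip any any")
access-list HTTP-PORTS extended permit tcp any any eq 80
access-list HTTP-PORTS extended permit tcp any any eq 8080
access-list HTTP-PORTS extended permit tcp any any eq 8800
class-map http-ports
 match access-list HTTP-PORTS
!
! 2. Inverted http-map: allow what the engine classifies as tunnelling,
!    drop and log every other port-misuse category (p2p, im, unknown).
http-map test-http
 port-misuse tunnelling action allow
 port-misuse default action drop log
!
! 3. Attach the http-map to the narrow class only; other traffic is untouched.
policy-map policy
 class http-ports
  inspect http test-http
!
service-policy policy global
!
! Checks after applying: confirm which class the http inspection is bound to,
! and watch the buffered log for the drop entries generated by "action drop log".
! show service-policy inspect http
! show logging
```

Bear in mind the detection limits Thomas lists for 7.0 (only Kazaa and Gnutella for p2p, only Yahoo Messenger for im): the inverted map drops whatever the engine fails to classify as ordinary HTTP or tunnelling on the matched ports, so check the log output for legitimate applications that end up in the default bucket before relying on it.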

-Thomas

JasonPia
Level 1

It doesn't work - it's a bug (and still is!) - see CSCsb41742
