
Cisco ASA and X-Forwarded-For header

Jan Rockstedt
Level 1

Hi all,

We have an ASA Version 8.0(5)19 as our firewall.

We are trying a cloud service on the internet and found that the ASA is removing the X-Forwarded-For header on the surf traffic.

Is it possible to not remove the X-Forwarded-For in ASA?

Regards Jan

3 Replies

Jennifer Halim
Cisco Employee

I don't believe the ASA natively removes the X-Forwarded-For field within the HTTP header.

Can you please share your ASA configuration, and say whether you have a CSC module installed on the ASA?

Hi,

No CSC module installed as far as I know.

But I am not an ASA expert, routers are my thing.

I don't want to share the whole config with all.

Here is part of it:

dynamic-access-policy-record DfltAccessPolicy
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
!
service-policy global_policy global

The only devices between the internet and my computer are two Cisco routers, and I am sure they do not remove the X-Forwarded-For field within the HTTP header.

So it must be the ASA that is doing this.

Jan

Based on the config, there isn't even inspection for HTTP traffic, so I am surprised that the ASA removes the field.

Please run a packet capture on both interfaces of the ASA that the HTTP traffic traverses to confirm whether the ASA is indeed removing it.
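
The comparison suggested in the last reply, as an added example that is not part of the original thread: once the same HTTP request has been captured on both ASA interfaces and its TCP payload exported from each capture, this Python code reports which headers were removed, added or changed between the two views. The function names and the sample payloads are constructed for illustration.

```python
# Added example. The byte strings are constructed samples, not thread data.

def parse_request_head(raw: bytes):
    """Return (request_line, {lowercased header name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            # Obsolete folded continuation: append to the previous value.
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than guess
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return lines[0], headers

def diff_headers(inside_raw: bytes, outside_raw: bytes):
    """Compare one request as seen before and after the firewall."""
    req_in, h_in = parse_request_head(inside_raw)
    req_out, h_out = parse_request_head(outside_raw)
    if req_in != req_out:
        raise ValueError("request lines differ; not the same request")
    common = set(h_in) & set(h_out)
    return {
        "removed": sorted(set(h_in) - set(h_out)),
        "added": sorted(set(h_out) - set(h_in)),
        "changed": sorted(n for n in common if h_in[n] != h_out[n]),
    }

# Constructed payloads: the request as captured on the inside interface,
# and two possible views of it on the outside interface.
INSIDE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: service.example\r\n"
          b"User-Agent: test-client\r\n"
          b"X-Forwarded-For: 192.0.2.10\r\n"
          b"\r\n")
OUTSIDE_STRIPPED = INSIDE.replace(b"X-Forwarded-For: 192.0.2.10\r\n", b"")
OUTSIDE_INTACT = INSIDE.replace(b"X-Forwarded-For", b"x-forwarded-for")

if __name__ == "__main__":
    print(diff_headers(INSIDE, OUTSIDE_STRIPPED))  # header missing on egress
    print(diff_headers(INSIDE, OUTSIDE_INTACT))    # name case differs only
```

If the header is already absent from the inside capture, the device removing it sits before the ASA.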
