cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6959
Views
0
Helpful
3
Replies

Cisco ASA and X-Forwarded-For header

Jan Rockstedt
Beginner
Beginner

Hi all,

We have an  ASA Version 8.0(5)19 as our firewall.

We are trying an cloud service on the internet and found that the ASA is removing the X-Forwarded-For on the header on the surf traffic.

Is it posible to not remove the X-Forwarded-For in ASA?

Regards Jan

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

I don't believe ASA natively remove X-Forwarded-For field within HTTP header.

Can you please share your ASA configuration as well as if you have CSC module installed on the ASA?

Hi,

No CSC module installed as fare as I known

But I am not an ASA expert, router is my thing.


I don want the share hole config to all.

Here is part of it:

dynamic-access-policy-record DfltAccessPolicy

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ftp

!

service-policy global_policy global dynamic-access-policy-record DfltAccessPolicy
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ftp
!
service-policy global_policy global

The only device between the internet and my computer is two Cisco router's and I sure they do not remove the X-Forwarded-For field within HTTP header.

So it most be the ASA that is doing this.

Jan

Base on the config, there isn't even inspection for HTTP traffic, so I am surprised that the ASA remove the field.

Pls run a packet capture on both interfaces of the ASA that the HTTP traffic traverse to confirm if ASA is indeed removing it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: