08-12-2011 05:10 AM - edited 03-11-2019 02:10 PM
Hi all,
We have an ASA Version 8.0(5)19 as our firewall.
We are trying a cloud service on the internet and found that the ASA is removing the X-Forwarded-For header on the surf traffic.
Is it possible to not remove the X-Forwarded-For in ASA?
Regards Jan
08-13-2011 04:20 AM
I don't believe the ASA natively removes the X-Forwarded-For field within the HTTP header.
Can you please share your ASA configuration, and also whether you have a CSC module installed on the ASA?
08-15-2011 12:16 AM
Hi,
No CSC module installed as far as I know.
But I am not an ASA expert, router is my thing.
I don't want to share the whole config with all.
Here is part of it:
dynamic-access-policy-record DfltAccessPolicy
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
!
service-policy global_policy global
The only devices between the internet and my computer are two Cisco routers, and I'm sure they do not remove the X-Forwarded-For field within the HTTP header.
So it must be the ASA that is doing this.
Jan
08-15-2011 12:49 AM
Based on the config, there isn't even inspection for HTTP traffic, so I am surprised that the ASA removes the field.
Please run a packet capture on both interfaces of the ASA that the HTTP traffic traverses to confirm if the ASA is indeed removing it.
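
Added example, not part of the thread: once the same HTTP request has been exported from the capture on each ASA interface, a header diff shows whether X-Forwarded-For (or anything else) was dropped in between. The function names, hostnames and request bytes below are constructed for illustration, and the script assumes an unencrypted HTTP/1.x request already reassembled from each capture.

```python
from collections import defaultdict

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased header name: [values]} for one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue                             # ignore malformed lines
        name, value = line.split(":", 1)
        # Header names are case-insensitive, so compare them lowercased.
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def diff_headers(ingress: bytes, egress: bytes) -> dict:
    """Compare the request seen entering the firewall with the one leaving it."""
    a, b = parse_headers(ingress), parse_headers(egress)
    return {
        "removed": sorted(n for n in a if n not in b),
        "added": sorted(n for n in b if n not in a),
        "changed": sorted(n for n in a if n in b and a[n] != b[n]),
    }

# Constructed sample requests (not taken from the thread).
INGRESS = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: service.example\r\n"
           b"X-Forwarded-For: 192.0.2.10\r\n"
           b"User-Agent: test-client\r\n\r\n")
# Egress copy where the header is missing.
EGRESS_STRIPPED = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: service.example\r\n"
                   b"User-Agent: test-client\r\n\r\n")
# Egress copy where the header survived, only with different casing.
EGRESS_INTACT = (b"GET /index.html HTTP/1.1\r\n"
                 b"host: service.example\r\n"
                 b"x-forwarded-for: 192.0.2.10\r\n"
                 b"user-agent: test-client\r\n\r\n")

if __name__ == "__main__":
    print("stripped:", diff_headers(INGRESS, EGRESS_STRIPPED))
    print("intact:  ", diff_headers(INGRESS, EGRESS_INTACT))
```

If the ingress copy already lacks the header, it was removed before the traffic reached the ASA.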