Connection got reset whenever I try to match something else in a type inspect class-map

Difan Zhao
Level 5

Hi experts,

I'm testing the new 8.3(2) firmware on my lab 5510 ASA. I'm trying to block certain URLs (facebook in my lab). It works fine when I just have one "match" clause. As soon as I add the second one, it starts to tear down all the HTTP connections and I get this error:

%ASA-4-507003: tcp flow from inside:192.168.201.100/1365 to outside:74.125.53.103/80 terminated by inspection engine, reason - reset unconditional.

Then if I reboot the ASA it will work fine again.

The following is my config (only the parts that I configured and that differ from the default). The problem happens whenever I add the match command to block the Youtube site. However, after a reboot it works fine again (blocks the two sites and allows the others). Interestingly enough, it even happens when I remove the match command for Youtube!!!

ciscoasa(config)# sh run
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.y.z.173 255.255.255.128
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.201.254 255.255.255.0
!
... (Eth0/2, Eth0/3 and M0/0 are not being used and shutdown)
!
!
regex Regex_URL01 "\.facebook\."
regex Regex_URL02 "\.youtube\."
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 4.2.2.2
object network Obj_inside
 subnet 192.168.201.0 255.255.255.0
object network Obj_PIPPool
 host x.y.z.174
object network Obj_PC100
 host 192.168.201.100
object-group service Obj_BitTorrentTracker tcp
 description "TCP ports used by BitTorrent for tracker communication"
 port-object eq 2710
 port-object eq 6969
object-group service Obj_BitTorrentDHT udp
 port-object range 10001 65535
 port-object range 1024 9999
access-list ACL_outside extended permit tcp any host 192.168.201.100 eq 3389
access-list ACL_inside extended deny tcp 192.168.201.0 255.255.255.0 any object-group Obj_BitTorrentTracker
access-list ACL_inside extended deny udp 192.168.201.0 255.255.255.0 any object-group Obj_BitTorrentDHT
access-list ACL_inside extended permit ip any any
access-list ACL_HTTP extended permit tcp any any eq www
pager lines 24
logging enable
logging buffer-size 1000000
logging console warnings
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network Obj_inside
 nat (inside,outside) dynamic Obj_PIPPool
object network Obj_PC100
 nat (inside,outside) static Obj_PIPPool service tcp 3389 3389
access-group ACL_outside in interface outside
access-group ACL_inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.y.z.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password R5UXNIZuW/MXMrBf encrypted privilege 15
!
class-map type inspect http match-any CMAP_Inspect_HTTP
 match request header host regex Regex_URL01
 match request header host regex Regex_URL02
class-map CMAP_HTTP
 match access-list ACL_HTTP
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http PMAP_Inspect_HTTP
 parameters
  protocol-violation action log
 class CMAP_Inspect_HTTP
  drop-connection log
policy-map PMAP_inside
 class CMAP_HTTP
  inspect http PMAP_Inspect_HTTP
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy PMAP_inside interface inside
prompt hostname context
call-home
...
!

I think it's a software bug. Or can anybody tell me what I did wrong???

Thanks!
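To make the intended behaviour of the posted class-map easier to reason about, here is an added Python model (not code from the thread or from Cisco) of what a match-any "type inspect http" class-map with the two posted regex objects should do to HTTP Host headers. It assumes Python's re module is a close enough stand-in for the ASA regex engine for these two simple patterns, and that the Host value is compared after stripping any ":port" suffix; the host names below are constructed test values. It also shows two properties of the posted patterns that the thread does not spell out: "\.facebook\." needs a dot on both sides, so a bare "facebook.com" is not matched, and the match is an unanchored substring search, so any host that merely contains ".facebook." lands in the class.

```python
import re

# Constructed copy of the two regex objects from the posted ASA config.
# The class-map applies them to the HTTP Host header via
# "match request header host regex ...".
ASA_REGEXES = {
    "Regex_URL01": r"\.facebook\.",
    "Regex_URL02": r"\.youtube\.",
}


def host_from_header(host_header: str) -> str:
    """Strip an optional :port suffix and surrounding whitespace from a Host header value."""
    value = host_header.strip()
    # IPv6 literal hosts look like [::1]:8080; keep the bracketed part intact.
    if value.startswith("["):
        end = value.find("]")
        return value[: end + 1] if end != -1 else value
    return value.rsplit(":", 1)[0] if ":" in value else value


def class_map_matches(host_header: str, regexes=ASA_REGEXES) -> list:
    """Names of the regex objects that match, mirroring a match-any class-map:
    any single matching line puts the flow in the class."""
    host = host_from_header(host_header)
    return [name for name, pattern in regexes.items() if re.search(pattern, host)]


def policy_action(host_header: str, regexes=ASA_REGEXES) -> str:
    """Action of the posted PMAP_Inspect_HTTP policy: flows whose Host header
    lands in CMAP_Inspect_HTTP get 'drop-connection'; everything else is allowed."""
    return "drop-connection" if class_map_matches(host_header, regexes) else "allow"


def evaluate(host_headers):
    """Run a batch of Host header values through the modelled policy."""
    return {h: policy_action(h) for h in host_headers}


# Constructed sample Host header values, chosen to show the edge cases.
SAMPLE_HOSTS = [
    "www.facebook.com",            # dropped: ".facebook." present
    "m.youtube.com:80",            # dropped: port suffix is ignored
    "www.example.com",             # allowed
    "facebook.com",                # allowed: no dot before "facebook"
    "static.facebook.cdn.example", # dropped: unanchored substring match
]

if __name__ == "__main__":
    for host, action in evaluate(SAMPLE_HOSTS).items():
        print(f"{host:30s} -> {action:15s} matched={class_map_matches(host)}")
```

The point of the model is only to check what the policy is supposed to do; the reset-unconditional teardown described in the post is not something the configuration itself asks for, which is why the model never produces it.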

1 Reply

Panos Kampanakis
Cisco Employee

The config looks good.

If it is reproducible I would suggest opening a case because it looks like faulty behavior.

I hope it helps.

PK
