Detecting Proxy HTTP traffic on ASA 5520

nmoore1978 (Level 1)

I'm not sure if this is the best location for this discussion.  I want to make sure that my group policy objects are working to deny users the ability to use proxy servers to browse the web, which would bypass my non-Cisco content filter.  How can I determine if there is HTTP traffic going in/out of nonstandard ports?

Thanks,

Nick

2 Replies

mirober2 (Cisco Employee)

Hi Nick,

You are trying to block HTTP traffic on all ports except TCP/80, correct? If so, you can use something like this:

access-list nonhttp-acl extended deny tcp any any eq www
access-list nonhttp-acl extended permit tcp any any
!
regex allhosts "[0-9a-z]*"
!
class-map type inspect http match-all block-all
 match request header host regex allhosts
class-map nonhttp-class
 match access-list nonhttp-acl
!
policy-map type inspect http block-http-proxy
 parameters
 class block-all
  drop-connection log
policy-map noproxy-policy
 class nonhttp-class
  inspect http block-http-proxy
!
service-policy noproxy-policy interface lab

This will put all non-port 80 traffic through the HTTP inspection engine. If the inspection finds an HTTP header going to any host, it will drop the connection.

I tested this briefly in the lab and it does what you're looking for, but you may want to test it first in your environment as you'll be pushing a lot of traffic through the HTTP inspection which will certainly add some overhead to the ASA's packet processing.

Hope that helps.

-Mike
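The check Mike's policy hands to the ASA HTTP inspection engine (an HTTP request with a Host header on any TCP port other than 80) can be reproduced offline over captured traffic, which is a useful way to answer Nick's original question before pushing the policy to a production interface. The script below is an added example written for this thread, not code from either post or from Cisco. It runs over constructed sample flows (addresses from the RFC 5737 documentation ranges) rather than a real capture, and it goes slightly beyond the ASA rule in two ways: it flags any HTTP/1.x request line on a non-80 port, not only requests that carry a Host header, and it also flags the two request shapes that identify a forward proxy regardless of port, a CONNECT request and an absolute-form request target (`GET http://host/ HTTP/1.1`), which a port-based ACL alone would let through on tcp/80.

```python
"""Flag HTTP requests on non-standard ports and proxy-style requests on any port.

Added example for this thread (not code from the original posts). The flows
below are constructed; in practice Flow objects would be built from the first
client-to-server bytes of each TCP stream in a packet capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Request line of an HTTP/1.x request: METHOD SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")
# Host header anywhere in the header block (field name is case-insensitive)
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*(?P<host>[^\r\n]+)\r\n", re.IGNORECASE)
# Absolute-form target: a URI scheme followed by "://" (RFC 7230 section 5.3.2)
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


@dataclass(frozen=True)
class Flow:
    """One client-to-server TCP stream; payload holds its first bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str
    host: str  # Host header value, or "" if the request carried none


def classify(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow looks like proxied or off-port HTTP, else None."""
    m = REQUEST_LINE.match(flow.payload)
    if m is None:
        return None  # not an HTTP/1.x request (TLS, SMTP, binary protocols, ...)
    method = m.group("method").decode("ascii")
    target = m.group("target").decode("ascii", "replace")
    hm = HOST_HEADER.search(flow.payload)
    host = hm.group("host").decode("ascii", "replace").strip() if hm else ""
    # Proxy-specific request shapes first: these are suspicious even on tcp/80
    if method == "CONNECT":
        return Finding(flow, "CONNECT tunnel request (proxy)", host)
    if ABSOLUTE_FORM.match(target):
        return Finding(flow, "absolute-form request target (proxy)", host)
    # Otherwise apply the same rule as the ASA policy: HTTP anywhere but tcp/80
    if flow.dport != 80:
        return Finding(flow, f"HTTP request on tcp/{flow.dport}", host)
    return None


def scan(flows: List[Flow]) -> List[Finding]:
    """Run classify() over every flow and keep the hits, in input order."""
    findings = []
    for flow in flows:
        f = classify(flow)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample flows for this example
SAMPLE_FLOWS = [
    # ordinary browsing on tcp/80: must not be flagged
    Flow("10.1.1.5", "192.0.2.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # TLS ClientHello on tcp/443: not HTTP, ignored
    Flow("10.1.1.5", "192.0.2.11", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # plain HTTP to a web proxy on tcp/8080, absolute-form target
    Flow("10.1.1.6", "198.51.100.7", 8080,
         b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # CONNECT through a proxy listening on tcp/80: passes a port-based ACL
    Flow("10.1.1.6", "198.51.100.7", 80,
         b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    # origin-form request to an HTTP listener on tcp/3128: caught by the port rule
    Flow("10.1.1.7", "198.51.100.9", 3128,
         b"GET /wpad.dat HTTP/1.0\r\nHost: proxy.example.net\r\n\r\n"),
    # SMTP on tcp/25: not HTTP, ignored
    Flow("10.1.1.8", "192.0.2.25", 25, b"EHLO mail.example.com\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}  host={f.host!r}")
```

Run against the sample, the script reports the 8080 and 3128 flows (the cases the ASA policy above would also drop) and the CONNECT on tcp/80, which the `deny tcp any any eq www` line exempts from inspection. Note the trade-off the example makes visible: the TLS and SMTP flows are matched by the ACL and would be pushed through the HTTP inspection engine on the ASA only to be passed untouched, which is the overhead Mike warns about.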

Hi Mike,

Thanks for the tip.  I'll check it out this weekend when we have lower utilization and test it.

Thanks again,

Nick
