Enabling Advanced HTTP application inspection

mahesh18
Level 6

Hi Everyone,

For testing purposes I enabled Advanced HTTP application inspection on the ASA globally.

Here is the config

policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log

I need to know what effect the highlighted match statement has on the ASA.

Enabled it globally

policy-map global_policy
 class inspection_default
  inspect http http_inspect_

After doing this I can open the first page of any website, but after that no other page opens up. Here are the logs:

Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443  (173.194.33.34/443) to DMZ:192.168.70.5/29735  (192.168.71.74/29735)

Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80  (173.194.33.43/80) to DMZ:192.168.70.5/29736  (192.168.71.74/29736)

Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80  (173.194.33.50/80) to DMZ:192.168.70.5/29737  (192.168.71.74/29737)

Jun 30 2013 20:22:28:  %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80  (173.194.33.50/80) to DMZ:192.168.70.5/29738  (192.168.71.74/29738)

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA

Jun 30 2013 20:22:28:  %ASA-5-415008: HTTP - matched not response header content-type  application/msword in policy-map http_inspect_map, header matched - Dropping  connection from DMZ:192.168.70.5/29737 to outside:  173.194.33.50/80

Jun 30 2013 20:22:28:  %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80  terminated by inspection engine, reason - disconnected, dropped  packet.

Jun 30 2013 20:22:28:  %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to  DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by  inspection

Jun 30 2013 20:22:28:  %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to  192.168.71.74/29737 flags PSH ACK  on interface  outside

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=7&gs_id=35&xhr=t&q=rediff.&es_nrs=true&pf=p&biw=1366&bih=622&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&tch=1&ech=7&psi=4efQUcL1GcPOiwL3wYAg.1372645345226...

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=4-fQUd3eMqrpiwL0nYCABQ&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...

Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80  to 192.168.71.74/29737 flags PSH ACK  on interface  outside

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=8&gs_id=3j&xhr=t&q=rediff.c&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=8&psi=4efQUcL1GcPOiwL3wYAg.137264534522...

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=9&gs_id=3z&xhr=t&q=rediff.co&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=9&psi=4efQUcL1GcPOiwL3wYAg.13726453452...

Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=5OfQUYiCCqbAigKa9ICICg&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=10&gs_id=4j&xhr=t&q=rediff.com&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=10&psi=4efQUcL1GcPOiwL3wYAg.13726453...

Jun 30 2013 20:22:28:  %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to  192.168.71.74/29737 flags ACK  on interface outside

I need to understand the config in red and the log lines matched in red.

Regards

Mahesh
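The drop in the logs above is spread over four messages for one flow: the 302013 build, the 415008 inspection match, the 507003 termination and the 302014 teardown, with the flow written outside-to-DMZ in two of them and DMZ-to-outside in the other two. The following is an added example (not part of the post and not Cisco code) that stitches those messages back into a single record per dropped flow, so that a log search for "which policy-map clause killed this connection" returns one answer. The sample lines are taken from the post above with run-on whitespace collapsed; the regular expressions are written against those exact message formats and are an assumption for any other ASA release.

```python
import re
from collections import defaultdict

# Sample syslog lines copied from the post above (the OP's own logs), whitespace normalised.
SAMPLE_LOG = """\
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80 (173.194.33.43/80) to DMZ:192.168.70.5/29736 (192.168.71.74/29736)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# "interface:ip/port"; 415008 writes "outside: 173.194.33.50/80" with a space, hence \s*.
ENDPOINT = r"(\w+):\s*([\d.]+)/(\d+)"
BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (\d+) for " + ENDPOINT + r" \([^)]*\) to " + ENDPOINT)
MATCHED = re.compile(r"HTTP - matched (.+?) in policy-map (\S+), .*Dropping connection from " + ENDPOINT + r" to " + ENDPOINT)
TERMINATED = re.compile(r"tcp flow from " + ENDPOINT + r" to " + ENDPOINT + r" terminated by inspection engine, reason - (.+?)\.?$")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for " + ENDPOINT + r" to " + ENDPOINT + r" duration (\S+) bytes (\d+) (.*)$")


def flow_key(a_ip, a_port, b_ip, b_port):
    """Direction-agnostic key: 302013/302014 list the flow outside->DMZ, 415008/507003 DMZ->outside."""
    return frozenset({(a_ip, int(a_port)), (b_ip, int(b_port))})


def correlate_inspection_drops(log_text):
    """Return one dict per flow that an inspection policy-map dropped, merging the
    build, match, termination and teardown messages that belong to that flow."""
    flows = defaultdict(dict)
    for raw in log_text.splitlines():
        line = " ".join(raw.split())          # collapse the double spaces ASA logs often carry
        h = HEADER.match(line)
        if not h:
            continue
        body, msgid = h["body"], h["msgid"]
        if msgid == "302013":
            m = BUILT.search(body)
            if m:
                conn, _, a_ip, a_port, _, b_ip, b_port = m.groups()
                flows[flow_key(a_ip, a_port, b_ip, b_port)]["conn_id"] = conn
        elif msgid == "415008":
            m = MATCHED.search(body)
            if m:
                clause, pmap, s_if, s_ip, s_port, d_if, d_ip, d_port = m.groups()
                flows[flow_key(s_ip, s_port, d_ip, d_port)].update(
                    ts=h["ts"], policy_map=pmap, clause=clause,
                    src=f"{s_if}:{s_ip}/{s_port}", dst=f"{d_if}:{d_ip}/{d_port}")
        elif msgid == "507003":
            m = TERMINATED.search(body)
            if m:
                _, s_ip, s_port, _, d_ip, d_port, reason = m.groups()
                flows[flow_key(s_ip, s_port, d_ip, d_port)]["reason"] = reason
        elif msgid == "302014":
            m = TEARDOWN.search(body)
            if m:
                conn, _, a_ip, a_port, _, b_ip, b_port, duration, nbytes, how = m.groups()
                flows[flow_key(a_ip, a_port, b_ip, b_port)].update(
                    conn_id=conn, duration=duration, bytes=int(nbytes), teardown=how)
    # Only flows that carry a 415008 match are inspection drops; plain builds/teardowns are ignored.
    return [dict(rec) for rec in flows.values() if "policy_map" in rec]


if __name__ == "__main__":
    for rec in correlate_inspection_drops(SAMPLE_LOG):
        print(f"{rec['ts']} conn {rec['conn_id']} {rec['src']} -> {rec['dst']}: "
              f"'{rec['clause']}' in {rec['policy_map']} ({rec.get('reason')}; {rec.get('teardown')}, {rec.get('bytes')} bytes)")
```

The 106015 "Deny TCP (no connection)" lines are deliberately not folded in: they are the server's late segments for a flow the inspection engine already removed from the connection table, so they are a symptom of the drop rather than part of its explanation.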

2 Accepted Solutions

5 Replies

Julio Carvajal
VIP Alumni

Hello My friend,

policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log

That says:

If the ASA sees an HTTP packet with a host header that does not contain an application/msword response content header, it will be dropped.

So in your case the drops are due to the fact that the response does not contain that header.

Did you configure that just for test purposes, or is that what you are looking for?

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
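To make the "match not" semantics described in the reply above concrete, here is an added example (not from the thread and not Cisco code) that simulates how such a policy-map decides a flow, with the OP's clause beside the clause one would write to actually block Word documents. The simulation's model is an assumption, not a description of ASA internals: the first clause whose test is true decides the flow, a flow that matches no clause is allowed, and the Content-Type is compared on its media type after any ";charset=..." parameter is stripped. The responses are constructed to resemble what a browser fetches while loading a search page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    """One 'match [not] response header content-type <value>' line plus its action."""
    content_type: str   # value named in the config, e.g. application/msword
    negate: bool        # True for "match not ...", False for "match ..."
    action: str         # action configured under the clause


# The OP's policy: drop every response whose Content-Type is NOT application/msword.
OP_POLICY = (Clause("application/msword", negate=True, action="drop-connection log"),)

# The same clause without "not": drop only responses that ARE Word documents.
BLOCK_MSWORD_POLICY = (Clause("application/msword", negate=False, action="drop-connection log"),)


def media_type(headers):
    """Media type of the Content-Type header, lower-cased, parameters stripped; None if absent.
    (Assumption of this simulation, not a statement about how the ASA normalises the header.)"""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None


def evaluate(policy, headers):
    """First clause whose test holds decides; no clause matching means the flow is allowed."""
    mt = media_type(headers)
    for clause in policy:
        hit = (mt == clause.content_type)
        if clause.negate:
            hit = not hit
        if hit:
            return clause.action
    return "allow"


# Constructed responses: HTML, an image, an empty 204 beacon, and a Word download.
SAMPLE_RESPONSES = {
    "http://www.google.ca/": {"Content-Type": "text/html; charset=UTF-8"},
    "http://t2.gstatic.com/images?q=tbn:example": {"Content-Type": "image/jpeg"},
    "http://www.google.ca/gen_204": {},   # 204 No Content, no Content-Type at all
    "http://example.test/report.doc": {"Content-Type": "application/msword"},
}


def simulate(policy, responses=SAMPLE_RESPONSES):
    """Map each sample URL to the verdict the policy gives its response."""
    return {url: evaluate(policy, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for name, policy in (("OP policy (match not)", OP_POLICY),
                         ("block msword (match)", BLOCK_MSWORD_POLICY)):
        print(name)
        for url, verdict in simulate(policy).items():
            print(f"  {verdict:20} {url}")
```

Under OP_POLICY every HTML page, image and beacon is dropped and only the Word download survives, which is exactly the inverse of what a "block Word downloads" rule wants; under BLOCK_MSWORD_POLICY only the .doc is dropped. The fix on the box is the same clause with the `not` removed, and the verdict should be confirmed against the 415008 messages in the ASA log rather than against this simulation.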

Hi Julio,

Just for testing purposes.

So when you say it looks for the msword header, does this mean that when I open a website like, say, www.google.com, that URL should have the msword header, otherwise it will be dropped?

Regards

Mahesh

Hello,

The Content-Type header should be exactly that one; otherwise a drop will happen (as configured).

Julio Carvajal

Hi Julio,

Thanks for answering my question.

Yes sir, the post is rated as usual.

Regards

Mahesh

Great,

Have a great day Mahesh

Julio Carvajal