06-30-2013 09:59 PM - edited 03-11-2019 07:05 PM
Hi Everyone,
For testing purposes I enabled advanced HTTP application inspection on the ASA globally.
Here is the config
policy-map type inspect http http_inspect_map
parameters
protocol-violation action drop-connection log
match not response header content-type application/msword
drop-connection log
I need to know what effect the statement above has on the ASA.
I enabled it globally:
policy-map global_policy
class inspection_default
inspect http http_inspect_map
After doing this I can open the first page of any website, but after that no other page opens up. Here are the logs:
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443 (173.194.33.34/443) to DMZ:192.168.70.5/29735 (192.168.71.74/29735)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80 (173.194.33.43/80) to DMZ:192.168.70.5/29736 (192.168.71.74/29736)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29738 (192.168.71.74/29738)
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=7&gs_id=35&xhr=t&q=rediff.&es_nrs=true&pf=p&biw=1366&bih=622&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&tch=1&ech=7&psi=4efQUcL1GcPOiwL3wYAg.1372645345226...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=4-fQUd3eMqrpiwL0nYCABQ&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=8&gs_id=3j&xhr=t&q=rediff.c&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=8&psi=4efQUcL1GcPOiwL3wYAg.137264534522...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=9&gs_id=3z&xhr=t&q=rediff.co&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=9&psi=4efQUcL1GcPOiwL3wYAg.13726453452...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=5OfQUYiCCqbAigKa9ICICg&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=10&gs_id=4j&xhr=t&q=rediff.com&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=10&psi=4efQUcL1GcPOiwL3wYAg.13726453...
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags ACK on interface outside
I need to understand the config in red and the log lines matched in red.
Regards
Mahesh
06-30-2013 10:09 PM
Hello my friend,
policy-map type inspect http http_inspect_map
parameters
protocol-violation action drop-connection log
match not response header content-type application/msword
drop-connection log
That says:
If the ASA sees an HTTP packet with a host header that does not contain an application/msword response content header, it will be dropped.
So in your case the drops are due to the fact that the response does not contain that header.
Did you configure that just for test purposes, or is that what you are looking for?
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
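As an added example (not part of this thread and not Cisco tooling), the script below does the triage a practitioner would run on the syslog output posted in the question: it pulls each %ASA-5-415008 inspection drop, joins it to the %ASA-6-302013 connection build and the %ASA-6-302014 teardown of the same flow, and counts the %ASA-6-106015 "no connection" denies that arrive afterwards. The log lines embedded in it are a constructed subset of the ones in the question (one flow, connection 34380); the regexes assume the outbound build layout shown there ("for outside:<server> ... to DMZ:<client> (<mapped client>)"), and URLs are tied to a flow by client and server IP only, because %ASA-5-304001 carries no ports.

```python
import re

# Constructed sample: a subset of the ASA syslog lines from the question,
# covering one flow (connection 34380) from build to teardown and aftermath.
SAMPLE_LOG = """\
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags ACK on interface outside
"""

# 302013 for an outbound flow: "for <outside if>:<server> (...) to <inside if>:<client> (<mapped client>)"
BUILD_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection (?P<conn>\d+) for "
    r"(?P<oif>\w+):(?P<oip>[\d.]+)/(?P<oport>\d+) \([^)]*\) to "
    r"(?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+) \((?P<mip>[\d.]+)/(?P<mport>\d+)\)"
)
# 415008: which policy-map and which match line fired, and on which flow
DROP_RE = re.compile(
    r"%ASA-5-415008: HTTP - matched (?P<rule>.+?) in policy-map (?P<pmap>\S+), "
    r".*?Dropping connection from (?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+) to "
    r"(?P<oif>\w+): ?(?P<oip>[\d.]+)/(?P<oport>\d+)"
)
# 302014: teardown with byte count and reason text
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for .*? bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# 106015: server segments arriving after the flow is gone; these carry the
# client's mapped (NAT) address, not the address seen in the other messages
LATE_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<oip>[\d.]+)/(?P<oport>\d+) to "
    r"(?P<mip>[\d.]+)/(?P<mport>\d+)"
)
# 304001 has no ports, so a URL can only be tied to a client/server IP pair
URL_RE = re.compile(r"%ASA-5-304001: (?P<iip>[\d.]+) Accessed URL (?P<oip>[\d.]+):(?P<url>\S+)")


def analyze(log_text: str) -> list[dict]:
    """Return one record per inspection drop, joined to its build, teardown and aftermath."""
    builds: dict[tuple, dict] = {}      # (client ip, port, server ip, port) -> build info
    teardowns: dict[str, dict] = {}     # connection id -> bytes and reason
    late: dict[tuple, int] = {}         # (mapped ip, port, server ip, port) -> deny count
    urls: dict[tuple, list[str]] = {}   # (client ip, server ip) -> URLs
    drops: list[dict] = []
    for line in log_text.splitlines():
        if m := BUILD_RE.search(line):
            key = (m["iip"], m["iport"], m["oip"], m["oport"])
            builds[key] = {"conn": m["conn"], "mapped": (m["mip"], m["mport"])}
        elif m := DROP_RE.search(line):
            drops.append(m.groupdict())
        elif m := TEARDOWN_RE.search(line):
            teardowns[m["conn"]] = {"bytes": int(m["bytes"]), "reason": m["reason"].strip()}
        elif m := LATE_RE.search(line):
            key = (m["mip"], m["mport"], m["oip"], m["oport"])
            late[key] = late.get(key, 0) + 1
        elif m := URL_RE.search(line):
            urls.setdefault((m["iip"], m["oip"]), []).append(m["url"])

    report = []
    for d in drops:
        build = builds.get((d["iip"], d["iport"], d["oip"], d["oport"]))
        conn = build["conn"] if build else None
        td = teardowns.get(conn, {}) if conn else {}
        late_count = 0
        if build:
            mip, mport = build["mapped"]
            late_count = late.get((mip, mport, d["oip"], d["oport"]), 0)
        report.append({
            "conn": conn,
            "client": f"{d['iif']}:{d['iip']}/{d['iport']}",
            "server": f"{d['oif']}:{d['oip']}/{d['oport']}",
            "policy_map": d["pmap"],
            "rule": d["rule"],
            "teardown_reason": td.get("reason"),
            "bytes_before_drop": td.get("bytes"),
            "late_server_segments": late_count,
            "urls_to_server": urls.get((d["iip"], d["oip"]), []),
        })
    return report


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(f"conn {rec['conn']} {rec['client']} -> {rec['server']}: dropped by "
              f"'{rec['rule']}' in {rec['policy_map']} after {rec['bytes_before_drop']} bytes; "
              f"teardown='{rec['teardown_reason']}', late server segments={rec['late_server_segments']}")
```

Read the output against the thread: the flow is torn down on the first response whose Content-Type is anything but application/msword, the 507003 and 302014 lines are consequences of that single 415008 decision, and the 106015 denies that follow are the server's remaining segments hitting the ASA after the connection entry is gone (they show the mapped address 192.168.71.74, which is why they do not line up with the DMZ address in the other messages). A `match not` with `drop-connection` under the global inspection class therefore kills every ordinary web flow; if the goal is to block Word documents rather than everything else, the match belongs without the `not`, and either way it should be scoped to the class of traffic it is meant for before it goes on `class inspection_default`.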
06-30-2013 10:13 PM
Hi Julio,
Just for testing purposes.
So when you say it looks for the msword header, does this mean that when I open a website like, say,
www.google.com, the URL should have the msword header, otherwise it will be dropped?
Regards
Mahesh
06-30-2013 10:16 PM
Hello,
The content-type header should be exactly that one. Otherwise a drop will happen (as configured).
06-30-2013 10:21 PM
Hi Julio,
Thanks for answering my question.
Yes sir, the post is rated as usual.
Regards
Mahesh
06-30-2013 10:24 PM
Great,
Have a great day Mahesh