matthiasbuchholz
Beginner

HTTP Inspection Cisco PIX 525

I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.

My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"

My class-maps are: 

!
class-map type regex match-any HACKBLOCK_METHOD
 match regex GET
class-map XXXXTWBLOCK
 match access-list HACKBLOCK_HOSTS
class-map type regex match-any HACKBLOCK_URL
 match regex HACKBLOCK
class-map type inspect http match-all HACKBLOCK_FILTER
 match request uri regex class HACKBLOCK_URL
class-map inspection_default
 match default-inspection-traffic

My policy-maps are:

!
policy-map type inspect http HACKBLOCK_HTTP
 parameters
 class HACKBLOCK_FILTER
  log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns
  inspect h323 ras
 class XXXXTWBLOCK
  inspect http HACKBLOCK_HTTP
policy-map OUTSIDE
 class XXXXTWBLOCK
  inspect http HACKBLOCK_HTTP
 class class-default
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1200

As you can see, I added the inspection rule to a separate class named ENPROTWBLOCK. This matches traffic based on the destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:

#sh service-pol inspec http
!
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
    Class-map: XXXXTWBLOCK
      Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
        protocol violations
          packet 34206
        class HACKBLOCK_FILTER
          log, packet 0
enp-amer-clt-pix525-a#

I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp

Any idea what's going on here and why I am not matching the HTTP URIs?

Thanks,

Matthias CCIE# 28445
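An added check, not part of the original post: a small Python harness that runs a candidate URI regex against constructed sample request URIs before it goes into an HTTP inspection class-map. Python's re engine stands in for the firewall's own regex engine (an assumption; the device's own regex handling is the authority), and the second candidate pattern is mine, shown for comparison only.

```python
import re

# Constructed sample request URIs (not from the post): the paths the rule is
# meant to flag, plus benign requests it must leave alone.
SAMPLE_URIS = [
    "/admin/test.jsp",        # shape of the bogus test request in the post
    "/XXX/admin/XXX.jsp",     # the path shape the poster wants to catch
    "/admin/test.jsp?x=1",    # same page with a query string appended
    "/index.jsp",             # benign: .jsp but not under /admin/
    "/admin/help.html",       # benign: under /admin/ but not a .jsp
    "/static/admin.js",       # benign: 'admin' only in a file name
]

def compile_uri_regex(pattern):
    """Compile a candidate regex; return (compiled, None) or (None, error).
    A syntax error here (e.g. a leading '*' with nothing to repeat) is a
    reason to re-check the pattern on the device, not proof of how the PIX
    parses it."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)

def evaluate_pattern(pattern, uris=SAMPLE_URIS):
    """Map each URI to whether the pattern is found anywhere in it
    (unanchored search), or return None if the pattern does not compile."""
    compiled, _err = compile_uri_regex(pattern)
    if compiled is None:
        return None
    return {uri: compiled.search(uri) is not None for uri in uris}

def expected_results():
    """Constructed expectations for a rule that flags .jsp files under /admin/."""
    return {
        "/admin/test.jsp": True,
        "/XXX/admin/XXX.jsp": True,
        "/admin/test.jsp?x=1": True,
        "/index.jsp": False,
        "/admin/help.html": False,
        "/static/admin.js": False,
    }

def pattern_is_acceptable(pattern):
    """True only if the pattern compiles and hits exactly the expected URIs."""
    return evaluate_pattern(pattern) == expected_results()

if __name__ == "__main__":
    for candidate in [r"*/admin/.*\.jsp*", r"/admin/[^?]*\.jsp"]:
        _, err = compile_uri_regex(candidate)
        verdict = err or ("OK" if pattern_is_acceptable(candidate) else "mismatch")
        print(candidate, "->", verdict)
```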

3 REPLIES
Harish Balakrishnan
Enthusiast

Hello Matthias

Can you make sure that your ACL HACKBLOCK_HOSTS is properly configured and that you are getting hits on the ACL when you are trying?

regards

Harish.