HTTPS inspection

harisapkota123
Level 1

Dear all,

I want to block some social networking sites using the ASA 5510 with CSC-SSM. As I searched, I came to know that the ASA 5510 can't inspect or intercept HTTPS traffic because it is encrypted while traversing through the ASA. I want the ASA to function for HTTPS too, not only HTTP. Can I perform this task by updating any software on the existing device? Any response will be appreciated.

Thanks in advance

Hari

4 Replies

Jennifer Halim
Cisco Employee

No, there is no software update for the CSC module that will allow that, because to be able to decrypt the HTTPS traffic and inspect it, you would be required to perform a man-in-the-middle as the packet is encrypted, and the CSC module is not capable of doing that.

Hello

HTTP inspection is working, but HTTPS gets me to the page I am trying to hide.

I can block

http://xxx.whatever.com/somewhere_i_want_to_hide/page.html

using the documents referenced above

However, if I prepend the URL with https:// this bypasses the HTTP inspection on the ASA (v9).


Now I understand "deep packet" inspection is not possible due to encryption under SSL, but why can't the ASA block the access to the page, seeing as the top-level URL is not actually anything but clear text?

This is my code snippet that works OK to block the HTTP URLs with "webservices" in them.

I need to do the same for https:// {blah-webservices-blah}


regex blockex1 ".*webservices.*\.svc"

class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
!
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 description inspect and block specific http URI requests
 class inspection_default
 .
 .
  inspect http block-url-policy
!
service-policy global_policy global


Thanks

Dave
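
The Python below is an added illustration for the question above; it is not ASA code and is not from anyone in this thread. It builds a constructed HTTP request and a constructed TLS ClientHello for the same host and runs the thread's regex over what an inline device can actually read on each: the full request URI on port 80, but only the SNI hostname on 443, because the path is inside the encrypted stream. The ClientHello builder and parser are toys that handle only the record they construct.

```python
import re
import struct

# Same pattern as the "regex blockex1" line in the ASA snippet above.
BLOCK_RE = re.compile(r".*webservices.*\.svc")

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello with an SNI extension
    (only the fields an inline inspector must parse to reach the hostname)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # host_name type 0
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # TLS record header

def http_request_uri(payload):
    """What 'inspect http' can match on port 80: the request line, URI in clear."""
    parts = payload.split(b"\r\n", 1)[0].decode(errors="replace").split(" ")
    return parts[1] if len(parts) == 3 else None

def tls_sni(payload):
    """What is visible on port 443 before encryption starts: only the SNI hostname."""
    if payload[:1] != b"\x16" or payload[5:6] != b"\x01":
        return None
    p = 9 + 2 + 32                                     # record + handshake headers, version, random
    p += 1 + payload[p]                                # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher suites
    p += 1 + payload[p]                                # compression methods
    end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        if etype == 0:                                 # server_name: list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", payload[p + 7:p + 9])[0]
            return payload[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None

def inspector_verdict(port, payload):
    """Apply the URI regex the way the ASA policy does; returns (action, matched_text)."""
    text = http_request_uri(payload) if port == 80 else tls_sni(payload)
    return ("drop" if text and BLOCK_RE.match(text) else "allow", text)
```

Whether a given ASA release can act on the SNI hostname is outside what this thread covers; the block only shows why a request URI regex has nothing to match on 443.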


Hi,

I'm afraid that when the protocol used is HTTPS (and not HTTP), HTTP inspection won't work.

You can try this:

http://www.tunnelsup.com/using-just-a-cisco-asa-to-block-specific-websites

HTH,

Pavel

Pavel Pokorny
Level 1

Hi,

I am afraid the only thing you can do is HTTP inspection with a URI or URL regex and then an appropriate action.

Nice document on this: https://supportforums.cisco.com/docs/DOC-1268

HTH

Pavel
