04-29-2012 10:30 AM - edited 03-11-2019 03:59 PM
The ASA default inspection policy includes a number of well-known applications and is applied globally on the system:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
Now http inspection is NOT enabled by default, so typically, what I have done was to go into the class inspection_default and add it:
 class inspection_default
  inspect dns preset_dns_map
  inspect http
But I was reading through some Cisco documentation that indicates this may not work, or is not the way to do it. They recommend creating new class maps, policies, etc. Example:
hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global
So the question is, have I been doing this wrong? Will adding http inspection to the class inspection_default not work?
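The practical way to answer "is HTTP inspection actually applied, and through which class?" is to read the Modular Policy Framework sections of the running-config rather than guess. The script below is an added example, not code from the thread or from Cisco: it parses the class-map / policy-map / service-policy hierarchy of a constructed config (the thread's default policy with inspect http added to inspection_default, plus a hypothetical second class http_8080 for a non-standard port) and reports every protocol inspected by a globally applied policy together with the class and match criteria that enable it. It assumes the single-space indentation that show running-config produces.

```python
"""Audit which protocol inspections an ASA applies globally by parsing the
MPF (class-map / policy-map / service-policy) sections of a running-config.
Added example, not from the thread; assumes `show running-config` indentation
(one space per nesting level)."""

import re
from collections import defaultdict

# Constructed sample config: the thread's default policy with `inspect http`
# added to inspection_default, plus a hypothetical class for HTTP on TCP/8080.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_8080
 match port tcp eq 8080
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
 class http_8080
  inspect http
service-policy global_policy global
"""


def parse_mpf(text):
    """Return (class_maps, policy_maps, service_policies).

    class_maps:       {class name: [match lines]}
    policy_maps:      {policy name: {class name: [action lines]}}, Layer 3/4 policies only
    service_policies: [(policy name, scope)] where scope is 'global' or an interface name
    """
    class_maps = {}
    policy_maps = {}
    service_policies = []
    section = None        # ('class-map', name) or ('policy-map', name) while inside one
    current_class = None  # class currently open inside a policy-map

    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            current_class = None
            section = None
            if line.startswith("class-map type "):
                pass  # protocol-specific (Layer 7) class map, not a traffic class
            elif line.startswith("class-map "):
                section = ("class-map", line.split()[1])
                class_maps.setdefault(section[1], [])
            elif line.startswith("policy-map type inspect "):
                pass  # protocol-specific inspect policy (e.g. preset_dns_map), skipped
            elif line.startswith("policy-map "):
                section = ("policy-map", line.split()[1])
                policy_maps.setdefault(section[1], {})
            elif line.startswith("service-policy "):
                parts = line.split()
                # "service-policy NAME global" or "service-policy NAME interface IFNAME"
                scope = parts[2] if parts[2] == "global" else parts[3]
                service_policies.append((parts[1], scope))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class-map" and line.startswith("match "):
            class_maps[name].append(line)
        elif kind == "policy-map":
            if indent == 1 and line.startswith("class "):
                current_class = line.split()[1]
                policy_maps[name].setdefault(current_class, [])
            elif indent >= 2 and current_class is not None:
                policy_maps[name][current_class].append(line)
    return class_maps, policy_maps, service_policies


def global_inspections(text):
    """Map each inspected protocol to the (policy, class, match criteria) tuples
    that enable it in a service policy applied globally."""
    class_maps, policy_maps, service_policies = parse_mpf(text)
    result = defaultdict(list)
    for policy, scope in service_policies:
        if scope != "global":
            continue
        for cls, actions in policy_maps.get(policy, {}).items():
            for action in actions:
                m = re.match(r"inspect (\S+)", action)
                if m:
                    result[m.group(1)].append((policy, cls, class_maps.get(cls, [])))
    return dict(result)


def http_inspection_classes(text):
    """Sorted names of the classes under which HTTP inspection is applied globally."""
    return sorted(cls for _, cls, _ in global_inspections(text).get("http", []))


if __name__ == "__main__":
    for proto, where in sorted(global_inspections(SAMPLE_CONFIG).items()):
        for policy, cls, matches in where:
            print(f"{proto:8} via {policy} / {cls}: {', '.join(matches)}")
```

On the sample config the report shows http enabled twice: once through inspection_default (whose match default-inspection-traffic criterion covers HTTP on its default port, TCP/80) and once through the http_8080 class. That is the distinction behind the two configuration styles in the thread: adding inspect http to inspection_default covers the default port, while a separate class-map with its own match port is what you need to inspect HTTP on other ports. Running this kind of check against an exported config is also a cheap way to confirm, after a change, that an inspection is actually attached to a globally applied policy rather than only defined.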
05-02-2012 08:52 PM
Hi Colin,
Which document was that? Basically when they say that it does not work correctly it is because several sites out there (not a common problem with the ones hosted by Akamai) are using non-RFC HTTP parameters, which results in the ASA dropping the packets and the end user not being able to open the web page.
Where did you see that document, is it a Cisco one? Can you share it?
Mike
05-03-2012 05:58 AM
It was a Cisco document (I will try to find the link).
It said that http inspection is not enabled by default, but instead of instructing me to add it to the class inspection_default, it says to create a new class-map for http (see above).
It seemed like the implication here was that it wouldn't work within the inspection_default class, which makes no sense to me. Maybe I am just misreading it.
Have other people here added http to the class inspection_default?
05-03-2012 06:46 AM
I work for TAC and, from the customers that I have, I've never seen it. Been there for a while now.
Mike