12-28-2009 11:00 AM - edited 03-11-2019 09:52 AM
Hi,
One of my clients needs to allow only their cache servers to access their web servers on port 80. No one else should be able to access these servers from outside. We cannot filter using source IP because we do not have the list of all cache servers.
So, we have to filter the traffic based on a "header: value" pair available in the HTTP Request Header. Any HTTP request coming from the cache servers will have "testcache: ourcacheserver" as a pair in the HTTP request header. I would like to look for any http request header that does not have this pair and reset that connection. So, only the HTTP connections from cache servers will be successful.
I am using the MPF configuration shown below to implement this. But, there seems to be something wrong in my logic. The "match not request header regex cheader regex class Cache-Request" command does not seem to be working according to my understanding.
I was thinking that "match not request header regex cheader regex class Cache-Request" would match everything but the traffic coming from cache servers.
Please let me know if my understanding of the "match not request header" command is wrong. Or, let me know if there is any other logic I could use to address the requirement.
Regards,
Suresh
*********************************
regex cheader "testcache"
regex cvalue "ourcacheserver"
class-map type regex match-any Cache-Request
 match regex cvalue
class-map type inspect http match-all Non-Cache-Traffic
 match not request header regex cheader regex class Cache-Request
policy-map type inspect http Non-Cache-Pmap
 class Non-Cache-Traffic
  reset log
access-list 11server-httptraffic extended permit tcp any host 1.1.1.1 eq www
class-map 11server-cmap
 match access-list 11server-httptraffic
policy-map outside_policy
 class 11server-cmap
  inspect http Non-Cache-Pmap
service-policy outside_policy interface outside
12-28-2009 03:47 PM
Your logic is right; it will match and reset all but the traffic in the match.
I think you haven't identified what you want to block properly though.
You are resetting everything that does not match both regexes at the same time. One regex is in a class and the other in a regex: "match not request header regex cheader regex class Cache-Request".
Are these HTTP GETs? Are you talking about the host or the URI field? I think that is what you have misconfigured.
Please look at example https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls that I believe has exactly what you want to do.
I hope it helps.
PK
12-28-2009 04:41 PM
Hi PK,
The new "header: value" pair will be in the HTTP request header. We have customized the cache server on the Internet to send this custom "header: value" pair in the request to the web server. For example, one of the http requests from the cache server to the web server should look like the following.
*******
host: webserver.com\r\n
testcache: ourcacheserver\r\n
*******
I want ASA to look for this string and allow the connection. If the string is not present, drop the connection.
I am thinking the command "match not request header regex cheader regex class Cache-Request" should translate to "match not request header testcache ourcacheserver"
Regards,
Suresh
12-29-2009 06:27 AM
Suresh,
From what you are describing, the logic and the setup are fine.
Please open a TAC case for troubleshooting, but your configuration is right. They will need a capture of your HTTP request.
Regards,
PK
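As an added illustration (not code from the thread, and not Cisco's inspection engine), the following Python models the matching logic PK describes for Suresh's class-maps: a request is allowed only when some header whose name matches cheader has a value matching the match-any regex class Cache-Request, and every other request falls into the "match not" class Non-Cache-Traffic and is reset. The header parser, the sample requests and the strict anchored regex variants are assumptions constructed for this example; the first sample mirrors the request Suresh shows above.

```python
import re
from typing import List, Tuple

# Regex strings taken from Suresh's configuration (regex cheader / regex cvalue).
CHEADER = re.compile(r"testcache")
CACHE_REQUEST = [re.compile(r"ourcacheserver")]  # class-map type regex match-any Cache-Request

# Assumed tightening, not on the page: anchored so only the whole name / whole value matches.
CHEADER_STRICT = re.compile(r"^testcache$")
CACHE_REQUEST_STRICT = [re.compile(r"^ourcacheserver$")]


def parse_request_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Constructed minimal HTTP/1.x parser: (name, value) pairs after the request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def cache_pair_present(headers: List[Tuple[str, str]],
                       name_re: re.Pattern, value_class: List[re.Pattern]) -> bool:
    """Positive form of 'match request header regex <name> regex class <class>':
    true when some header name matches name_re and its value matches any regex in the class."""
    return any(name_re.search(name) and any(v.search(value) for v in value_class)
               for name, value in headers)


def policy_action(raw: bytes, name_re: re.Pattern = CHEADER,
                  value_class: List[re.Pattern] = CACHE_REQUEST) -> str:
    """Non-Cache-Traffic is 'match not ...' with action 'reset log': a request that does
    NOT carry the cache header pair matches the class and is reset; the rest is allowed."""
    present = cache_pair_present(parse_request_headers(raw), name_re, value_class)
    return "allow" if present else "reset"


# Constructed sample requests; FROM_CACHE mirrors the request shown in the thread.
FROM_CACHE = b"GET / HTTP/1.1\r\nhost: webserver.com\r\ntestcache: ourcacheserver\r\n\r\n"
DIRECT = b"GET / HTTP/1.1\r\nhost: webserver.com\r\n\r\n"
WRONG_VALUE = b"GET / HTTP/1.1\r\nhost: webserver.com\r\ntestcache: somethingelse\r\n\r\n"
# The page's regexes are unanchored substring matches, so this one is allowed unless anchored.
LOOSE = b"GET / HTTP/1.1\r\nhost: webserver.com\r\nx-testcache-old: ourcacheserver2\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("cache", FROM_CACHE), ("direct", DIRECT),
                       ("wrong value", WRONG_VALUE), ("loose", LOOSE)]:
        strict = policy_action(req, CHEADER_STRICT, CACHE_REQUEST_STRICT)
        print(f"{label:12s} -> {policy_action(req)} (anchored: {strict})")
```

Because the regex strings on the page are unanchored, any header whose name merely contains testcache with a value containing ourcacheserver is let through; the anchored variants show the stricter form. The header pair is effectively a shared secret, so the reset only keeps out clients that do not present it.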