regular expression matching of custom http headers
I am working on an existing configuration that applies a regular expression policy-map to inspect the HTTP headers of all HTTP packets destined for a single web server. Currently we check to make sure two custom headers exist in the HTTP 1.1 packet and if they do not we drop the packet. We now have another partner who needs to access the web server and we want to check for a second pair of headers. My problem is finding either some kind of logic operator in the policy map to say [ IF (BOTH "header-a-1" and "header-a-2") OR (BOTH "header-b-1" and "header-b-2") ] or modifying my current config with some better regular expressions.
I am working on an ASA 5520 running 8.4(3). This is my current configuration and it works for checking only the original pair of custom headers:
access-list whitelist extended permit tcp any host 10.0.0.10 eq www
class-map type inspect http match-all header-class
 match not request header regex header1 count gt 0
 match not request header regex header2 count gt 0
 match access-list whitelist
policy-map type inspect http header-policy
inspect http header-policy
service-policy global_policy global
**we want to whitelist some source addresses, hence the whitelist ACL
Without some way to implement logic operators, the only option I see to have the firewall look for either pair is to write a better regex expression that will check for both headers in one statement. This is where I am having issues. I cannot figure out a regex expression that will look for both "header-a-1" and "header-a-2". For example I tried modifying the config to the following but could not get it to work:
regex headera1 "(header-a-1)(.)*(header-a-2)"
regex headera2 "(header-a-2)(.)*(header-a-1)"
regex headerb1 "(header-b-1)(.)*(header-b-2)"
regex headerb2 "(header-b-2)(.)*(header-b-1)"
class-map type inspect http match-any header-class
 match not request header regex headera1 count gt 0
 match not request header regex headera2 count gt 0
 match not request header regex headerb1 count gt 0
 match not request header regex headerb2 count gt 0
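A model of the class-map logic, added here as an example and not part of the post: match-all is treated as AND, match-any as OR and "match not" as negation, each regex is applied to a constructed request-header block (reading "(.)*" as spanning header lines with DOTALL is an assumption about the ASA, chosen as the most generous interpretation), and the model shows that the posted match-any class drops both partners' requests, while four match-all classes expressing the De Morgan expansion of the wanted rule drop only requests that lack a complete pair.

```python
import re

# Constructed sample request-header blocks (not taken from the post).
PARTNER_A = "Host: 10.0.0.10\r\nheader-a-1: x\r\nheader-a-2: y\r\n"
PARTNER_B = "Host: 10.0.0.10\r\nheader-b-2: y\r\nheader-b-1: x\r\n"
HALF_A = "Host: 10.0.0.10\r\nheader-a-1: x\r\n"
NO_CUSTOM = "Host: 10.0.0.10\r\n"

def regex_hits(headers: str, pattern: str) -> bool:
    """Model of 'match request header regex <name> count gt 0': the regex
    matches somewhere in the request headers. DOTALL is the most generous
    reading of '(.)*' spanning header lines (an assumption about the ASA)."""
    return re.search(pattern, headers, re.DOTALL) is not None

def class_map_matches(mode: str, criteria, headers: str) -> bool:
    """criteria: list of (negated, pattern). match-all ANDs the match lines,
    match-any ORs them; 'match not' inverts a single line."""
    results = [regex_hits(headers, p) != negated for negated, p in criteria]
    return all(results) if mode == "match-all" else any(results)

# The second configuration in the post: one match-any class, four "match not" lines.
POSTED_CRITERIA = [
    (True, r"(header-a-1)(.)*(header-a-2)"),
    (True, r"(header-a-2)(.)*(header-a-1)"),
    (True, r"(header-b-1)(.)*(header-b-2)"),
    (True, r"(header-b-2)(.)*(header-b-1)"),
]

def posted_policy_drops(headers: str) -> bool:
    # match-any fires as soon as ANY one regex is absent, so no request can
    # satisfy all four orderings at once and every request is dropped.
    return class_map_matches("match-any", POSTED_CRITERIA, headers)

# Wanted rule: drop unless (a-1 AND a-2) OR (b-1 AND b-2). By De Morgan the drop
# condition is (!a-1 OR !a-2) AND (!b-1 OR !b-2), which expands to four
# match-all classes; the connection is dropped if any one of them matches.
PAIRS = [("header-a-1", "header-b-1"), ("header-a-1", "header-b-2"),
         ("header-a-2", "header-b-1"), ("header-a-2", "header-b-2")]

def four_class_policy_drops(headers: str) -> bool:
    return any(
        class_map_matches("match-all", [(True, x), (True, y)], headers)
        for x, y in PAIRS
    )

if __name__ == "__main__":
    for name, h in [("A", PARTNER_A), ("B", PARTNER_B), ("half", HALF_A), ("none", NO_CUSTOM)]:
        print(name, "posted drops:", posted_policy_drops(h),
              "four-class drops:", four_class_policy_drops(h))
```

Each of the four match-all classes corresponds to one `class` entry with a drop action under the HTTP inspection policy-map; the whitelist ACL stays a separate match so whitelisted sources are never evaluated against the header classes.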