Cisco Learning Home > CCNP Security Study Group > Discussions
12 Replies. Latest reply: Mar 19, 2012 2:28 PM by ericleahy - CCNP, CCDP, CCNA SEC

ASA Inspection

Mar 12, 2012 2:57 AM

ericleahy - CCNP, CCDP, CCNA SEC (206 posts since Jan 8, 2010)

Hi guys,

I am having trouble getting the following to work with the ASA inspection. I have a server, 192.168.200.10, which has to go out onto the Internet to get updates from Microsoft. But this server also needs to talk to another server, 192.168.100.10, over port 80. The problem I am running into is that when the server 192.168.200.10 needs to talk to server 192.168.100.10, the inspection engine is killing the connection. The inspection engine is looking for a header with 192.168.100.10 but does not see it and kills the connection. I have the following inspection rules configured:

regex microsoft ".*\.microsoft\.com.*"
regex update1 "192\.168\.100\.10"

access-list MATCH-WEB-TRAFFFIC extended permit tcp host 192.168.200.10 any eq www

class-map Http_allow
 match access-list MATCH-WEB-TRAFFFIC

class-map type regex match-any mupdates_allow
 match regex microsoft

class-map type regex match-any priv_updates
 match regex update1

policy-map type inspect http PUBLIC-HTTP-ALLOWED
 parameters
 match not request header host regex class mupdates_allow
 match not request header host regex class priv_updates

policy-map web_policy
 class Http_allow
  inspect http PUBLIC-HTTP-ALLOWED

service-policy web_policy interface Inside_DMZ

If anyone can see where I am going wrong, I would be so grateful to hear your input. I have spent SO much time trying to get this to work!!

Thanks guys

Eric

  • Paul Stewart - CCIE Security, CCSI (6,952 posts since Jul 18, 2008)
    Re: ASA Inspection

    Are both of those hosts on the inside interface? If so, is the ASA only seeing one direction of the connection due to being used as a default gateway?

  • HMR (46 posts since Oct 27, 2008)
    Re: ASA Inspection

    Hey Eric,

    Instead of creating two separate regex class-maps, try to create one:

    class-map type regex match-any mupdates_allow
     match regex microsoft
     match regex update1

    policy-map type inspect http PUBLIC-HTTP-ALLOWED
     parameters
     match not request header host regex class mupdates_allow

    The deal here is that if you create the two different match statements and the ASA finds a match in the first statement, it will inspect and forward the packet; if it doesn't find the match, it will not look for the second statement and will drop the packet....

    So try this solution and let me know if it works....

    Cheers !!!!

  • Antonio Knox - CCNP CCNA-SEC CIOSSS (211 posts since Mar 25, 2009)
    Re: ASA Inspection

    I think that I could use a bit of education here myself. Why would we use 'match not request header host' statements in the policy map parameters? It looks counter-productive. If I'm looking at this wrong, can someone please get me on board with a quick explanation as to why we wouldn't just 'match request header host' in this configuration?

  • HMR (46 posts since Oct 27, 2008)
    Re: ASA Inspection

    Hi Knox,

    It is used when you don't want the ASA to match something that the regex specifies, i.e. in the current example you want to inspect everything, with the exception that you don't want to inspect traffic to Microsoft updates and 192.168.100.10 from 192.168.200.10.

  • Antonio Knox - CCNP CCNA-SEC CIOSSS (211 posts since Mar 25, 2009)
    Mar 12, 2012 6:32 AM (in response to HMR)
    Re: ASA Inspection

    Awww, GEEZE!!! I need to get more sleep! I was expecting a 'pass' action for the update traffic. I had a brain ****. Thanks HMR for waking me up.

  • HMR (46 posts since Oct 27, 2008)
    Re: ASA Inspection

    I have faced this situation before, wherein I was denying a few users access to FB, but when I configured MPF to block these users from accessing FB, my users were not able to access my mail server on the DMZ through a web browser, so I had to specify in the ACL not to match the traffic when users are going to the DMZ network over port 80. Below is the configuration:

    access-list Block_FB extended deny object-group TCPUDP any 192.XXX.X.0 255.255.255.0 eq www
    access-list Block_FB extended permit object-group TCPUDP any any eq www

    regex facebook "[Ff][Aa][Cc][Ee][Bb][Oo][Oo][Kk]"
    regex Orkut "[Oo][Rr][Kk][Uu][Tt]"
    regex gtalk "chatenabled\.mail\.google\.com"

    class-map type regex match-any Block_URL_List
     match regex gtalk
     match regex facebook
     match regex Orkut

    class-map type inspect http match-all BLOCK_URL_CLASS
     match request header host regex class Block_URL_List

    policy-map type inspect http BLOCK_URL_POLICY_MAP
     parameters
      protocol-violation action drop-connection
     class BLOCK_URL_CLASS
      drop-connection

    So in your scenario you can do one more thing.... you can create a deny statement in your ACL, so your ACL will look like:

    access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.200.10 host 192.168.100.10 eq www
    access-list MATCH-WEB-TRAFFFIC extended permit tcp host 192.168.200.10 any eq www

    Let me know if this works.... cheers !!!
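Added example, not from the thread or from Cisco: a small Python model of the two points HMR makes above, namely why two separate `match not` lines drop the 192.168.100.10 connection while one merged match-any class does not, and how a deny entry in the class-map ACL keeps that flow out of HTTP inspection altogether. It assumes that every `match not` line carries a drop action and that a drop from any line ends the connection, and that an ACL deny in a class-map simply excludes the flow from the class. The function names, the ACL tuple format and the sample flows (198.51.100.x documentation addresses standing in for Internet servers) are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Regexes from the thread (dots in the IP escaped so they match literally).
REGEX_MICROSOFT = re.compile(r".*\.microsoft\.com.*")
REGEX_UPDATE1 = re.compile(r"192\.168\.100\.10")

# Two ways to lay out the "match not" lines of the HTTP inspection policy.
SEPARATE = [[REGEX_MICROSOFT], [REGEX_UPDATE1]]   # two classes, two lines (original post)
COMBINED = [[REGEX_MICROSOFT, REGEX_UPDATE1]]     # one match-any class, one line (HMR's fix)


def regex_class_match_any(host, patterns):
    """class-map type regex match-any: true if any regex finds a match in the Host header."""
    return any(p.search(host) for p in patterns)


def http_policy(host, match_not_classes):
    """Evaluate a policy-map type inspect http made only of 'match not ... regex class' lines.

    Assumption: each line carries a drop action and the ASA walks every line, so the
    connection is dropped as soon as any line fires. A 'match not' line fires when its
    regex class does NOT match the Host header.
    """
    for regex_class in match_not_classes:
        if not regex_class_match_any(host, regex_class):
            return "drop"
    return "allow"


def acl_first_match(acl, src, dst, dport):
    """Extended ACL lookup: first matching entry wins, implicit deny at the end.

    Entries are (action, src_net, dst_net, dport); "any" is a wildcard (constructed format).
    """
    for action, src_net, dst_net, port in acl:
        src_ok = src_net == "any" or ip_address(src) in ip_network(src_net)
        dst_ok = dst_net == "any" or ip_address(dst) in ip_network(dst_net)
        port_ok = port == "any" or port == dport
        if src_ok and dst_ok and port_ok:
            return action
    return "deny"


def flow_decision(acl, policy, src, dst, dport, host):
    """Fate of one HTTP flow under 'class-map ... match access-list' plus the inspect policy.

    A deny (or no match) in the class-map ACL keeps the flow out of the class, so it is
    forwarded without HTTP inspection; a permit hands it to the inspection policy.
    """
    if acl_first_match(acl, src, dst, dport) != "permit":
        return "not-inspected"
    return http_policy(host, policy)


# Constructed ACLs: the original single permit, and HMR's deny-then-permit version.
ACL_ORIGINAL = [("permit", "192.168.200.10/32", "any", 80)]
ACL_WITH_DENY = [
    ("deny", "192.168.200.10/32", "192.168.100.10/32", 80),
    ("permit", "192.168.200.10/32", "any", 80),
]

if __name__ == "__main__":
    # Constructed flows: (source, destination, Host header).
    flows = [
        ("192.168.200.10", "192.168.100.10", "192.168.100.10"),
        ("192.168.200.10", "198.51.100.7", "www.microsoft.com"),
        ("192.168.200.10", "198.51.100.9", "www.example.net"),
    ]
    for src, dst, host in flows:
        print(f"{host:18} separate={http_policy(host, SEPARATE):5} "
              f"combined={http_policy(host, COMBINED):5} "
              f"acl-deny+separate={flow_decision(ACL_WITH_DENY, SEPARATE, src, dst, 80, host)}")
```

Under this model the two separate `match not` lines behave as an AND: a Host header must be in both regex classes to get past both lines, and no header can be both a microsoft.com name and 192.168.100.10, so the second line drops whatever the first let through. Merging the two regexes into one match-any class turns that into an OR, which is what the original intent was. The ACL deny takes a different route: the 200.10 to 100.10 flow never enters the `Http_allow` class, so the broken policy is never consulted for it, but it also receives none of the HTTP protocol checks that inspection would otherwise apply.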

  • HMR (46 posts since Oct 27, 2008)
    Re: ASA Inspection

    You're welcome Eric. Hey, can you tell me in detail what exactly you want? I am still confused on your requirement; what I understood initially was this:

    When you are going from IP 200.10 to the Internet to access the Microsoft site, the ASA inspection engine was allowing it (not doing inspection) because of the class map and policy map where you have defined that if a request is coming from IP 200.10 with the HTTP protocol in use, containing request header ".*\.microsoft\.com.*", do not inspect it.... right?

    In the same way, what exactly do you want to have for the traffic from 200.10 destined to 100.10, and also what exact service on port 80 are you using on 100.10 from 200.10?

    This info would be helpful and required to create a more granular... MPF.... thanks
