12 Replies Latest reply: Mar 19, 2012 2:28 PM by ericleahy - CCNP, CCDP, CCNA SEC

    ASA Inspection

    ericleahy - CCNP, CCDP, CCNA SEC

      Hi guys,

      I am having trouble getting the following to work with the ASA inspection. I have a server, 192.168.200.10, which has to go out onto the Internet to get updates from Microsoft. But this server also needs to talk to another server, 192.168.100.10, over port 80. The problem I am running into is that when the server 192.168.200.10 needs to talk to server 192.168.100.10, the inspection engine is killing the connection. The inspection engine is looking for a header with 192.168.100.10 but does not see it and kills the connection. I have the following inspection rules configured:

      regex microsoft ".*\.microsoft\.com.*"
      regex update1 "192.168.100.10*"

      access-list MATCH-WEB-TRAFFFIC extended permit tcp host 192.168.200.10 any eq www

      class-map Http_allow
       match access-list MATCH-WEB-TRAFFFIC

      class-map type regex match-any mupdates_allow
       match regex microsoft

      class-map type regex match-any priv_updates
       match regex update1

      policy-map type inspect http PUBLIC-HTTP-ALLOWED
       parameters
       match not request header host regex class mupdates_allow
       match not request header host regex class priv_updates

      policy-map web_policy
       class Http_allow
        inspect http PUBLIC-HTTP-ALLOWED

      service-policy web_policy interface Inside_DMZ

      If anyone can see where I am going wrong I would be so grateful to hear your input. I have spent SO much time trying to get this to work!!

      Thanks guys

      Eric

        • 1. Re: ASA Inspection
          Paul Stewart  -  CCIE Security

          Are both of those hosts on the inside interface? If so, is the ASA only seeing one direction of the connection due to being used as a default gateway?

          • 2. Re: ASA Inspection
            ericleahy - CCNP, CCDP, CCNA SEC

            Hi Paul,

            Both hosts are not on the same interface. The host 192.168.200.10 sits in the inside_DMZ and host 192.168.100.10 sits in the web_DMZ. So the problem is that when the host 192.168.200.10 needs to talk to host 192.168.100.10 over port 80 on another DMZ interface, the connection is being killed.

            Thanks for the quick reply

            Eric

            • 3. Re: ASA Inspection
              ericleahy - CCNP, CCDP, CCNA SEC

              I do understand that if I put the following rule in place, it will tell the firewall not to inspect the traffic:

              access-list MATCH-WEB-TRAFFFIC extended line 1 deny tcp host 192.168.200.10 host 192.168.100.10 eq www

              But I would like to know if there is another way of doing this, as I would still like to inspect traffic between these two hosts?

              • 4. Re: ASA Inspection
                HMR

                Hey Eric,

                Instead of creating two separate regex class-maps, try to create one:

                class-map type regex match-any mupdates_allow
                 match regex microsoft
                 match regex update1

                policy-map type inspect http PUBLIC-HTTP-ALLOWED
                 parameters
                 match not request header host regex class mupdates_allow

                The deal here is that if you create two different match statements & the ASA finds a match in the first statement, it will inspect & forward the packet, & if it doesn't find the match it will not look for the second statement & will drop the packet....

                So try this solution & let me know if it works....

                Cheers !!!!

                • 5. Re: ASA Inspection
                  Antonio Knox - CCNP R&S, CCNA R&S/Security

                  I think that I could use a bit of education here myself. Why would we use 'match not request header host' statements in the policy map parameters? It looks counter-productive. If I'm looking at this wrong, can someone please get me on board with a quick explanation as to why we wouldn't just 'match request header host' in this configuration?

                  • 6. Re: ASA Inspection
                    HMR

                    Hi Knox,

                    It is used when you don't want the ASA to match something that the regex specifies, i.e. in the current example you want to inspect everything, with the exception that you don't want to inspect traffic to Microsoft updates & 192.168.100.10 from 192.168.200.10.

                    • 7. Re: ASA Inspection
                      Antonio Knox - CCNP R&S, CCNA R&S/Security

                      Awww, GEEZE!!! I need to get more sleep! I was expecting a 'pass' action for the update traffic. I had a brain ****. Thanks HMR for waking me up.

                      • 8. Re: ASA Inspection
                        ericleahy - CCNP, CCDP, CCNA SEC

                        Hi HMR,

                        My understanding is that within the policy-map you can have multiple match statements? Now I did forget to put in my config output the reset under the match statements:

                        policy-map type inspect http PUBLIC-HTTP-ALLOWED
                         parameters
                         match not request header host regex class mupdates_allow
                         match not request header host regex class priv_updates
                          reset

                        So how I understand it is that if it does find a match for any of the class maps it will pass it and drop everything else? Also I am under the impression that the ASA does not work in a top-down approach. It will pick one of the statements at random when inspecting traffic.

                        I think my problem is that the traffic going to 192.168.100.10 is over port 80 and is not over any URL and also has no header. So this is why the inspection engine is blocking the traffic.

                        Thanks for the input guys

                        Eric

                        • 9. Re: ASA Inspection
                          HMR

                          I have faced this situation before, wherein I was denying a few users access to FB, but when I configured MPF to block these users from accessing FB, my users were not able to access my mail server on the DMZ through a web browser, so I had to specify in the ACL not to match the traffic when users are going to the DMZ network over port 80. Below is the configuration :-

                          access-list Block_FB extended deny object-group TCPUDP any 192.XXX.X.0 255.255.255.0 eq www
                          access-list Block_FB extended permit object-group TCPUDP any any eq www

                          regex facebook "[Ff][Aa][Cc][Ee][Bb][Oo][Oo][Kk]"
                          regex Orkut "[Oo][Rr][Kk][Uu][Tt]"
                          regex gtalk "chatenabled\.mail\.google\.com"

                          class-map type regex match-any Block_URL_List
                           match regex gtalk
                           match regex facebook
                           match regex Orkut

                          class-map type inspect http match-all BLOCK_URL_CLASS
                           match request header host regex class Block_URL_List

                          policy-map type inspect http BLOCK_URL_POLICY_MAP
                           parameters
                            protocol-violation action drop-connection
                           class BLOCK_URL_CLASS
                            drop-connection

                          So in your scenario you can do one more thing....you can create a deny statement in your ACL, so your ACL will look like :-

                          access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.200.10 host 192.168.100.10 eq www
                          access-list MATCH-WEB-TRAFFFIC extended permit tcp host 192.168.200.10 any eq www

                          Let me know if this works....cheers !!!

                          • 10. Re: ASA Inspection
                            ericleahy - CCNP, CCDP, CCNA SEC

                            Hi HMR,

                            This is something I have put in place, the deny access list. This is a fix to the problem with inter-DMZ traffic. But I do know our auditors will not be happy with this "fix".

                            I was looking around for doing this type of traffic inspection a bit differently, and a lot of what I read was pointing to setting up a proxy server and directing all web traffic to the proxy, which can do the needed inspection? I don't know if this is something you have done in the past? It would be nice to get some input from the guys on here?

                            Thanks HMR for your help on this

                            Eric

                            • 11. Re: ASA Inspection
                              HMR

                              You're welcome Eric. Hey, can you tell me in detail what exactly you want? I am still confused on your requirement. What I understood initially was this :-

                              When you are going from IP 200.10 to the Internet to access the Microsoft site, the ASA inspection engine was allowing it (not doing inspection) because of the class map & policy map where you have defined that if a request is coming from IP 200.10 with the HTTP protocol in use containing request header ".*\.microsoft\.com.*", do not inspect it....right.

                              In the same way, what exactly do you want to have for the traffic from 200.10 destined to 100.10, & also what exact service on port 80 are you using on 100.10 from 200.10?

                              This info would be helpful & required to create more granular...MPF....thanks

                              • 12. Re: ASA Inspection
                                ericleahy - CCNP, CCDP, CCNA SEC

                                Hi HMR,

                                Sorry for the delay in replying back to you but I was caught up in other things at work and I also live in Ireland so St Patrick's Day got in the way too.

                                Right, this is the setup: I have 1 WSUS server that needs to connect out onto the Internet to get patch updates. Now this is the only host allowed onto the Internet, but it is only allowed to reach the sites it needs to for its updates. After many days of testing we figured out that the WSUS host does not always go out to URLs to get its updates; it goes directly to an IP address over port 80. So the firewall was seeing this traffic and was blocking it because it did not hit any of the allowed inspection rules.

                                So the problem is how can we work around this? We also found out the IP address the WSUS server connects out to changes!

                                So we finally came up with the following workaround: create a time-based deny ACL and apply it at the top of the inspection ACL. This rule would allow the WSUS host to connect out onto the Internet over port 80 to any IP address.

                                access-list MATCH-WEB-TRAFFFIC extended line 1 deny tcp host 192.168.200.10 any eq www time-range WSUS_UPDATE

                                It works for the auditors so I'm happy with that, but I would like to know if this could be done differently?

                                Thanks

                                Eric
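The following Python model is an added illustration, not code from the thread or from Cisco: it replays the thread's logic over constructed HTTP request heads so the three points raised above can be checked side by side. It models the two separate "match not" lines of the original post against the single match-any class suggested in reply 4 (assuming, as reply 8's config shows, that the match lines carry a reset action and that the first line that fires resets the connection), the deny ACE that exempts a flow from the class-map in replies 3, 9 and 12 (the time-range qualifier is not modelled), and the direct-to-IP download from reply 12. The Host header values, the 203.0.113.7 placeholder address and the anchored `REGEX_UPDATE1_STRICT` pattern are constructed for the example; the other regexes and addresses are the thread's own.

```python
import re
from typing import Optional

# Constructed HTTP request heads (not from the thread), as the ASA would see
# them on flows from the WSUS host. 203.0.113.7 is a documentation-range
# placeholder standing in for the changing Microsoft download IP.
REQUESTS = {
    "ms_update": b"GET /x.cab HTTP/1.1\r\nHost: download.windowsupdate.microsoft.com\r\n\r\n",
    "inter_dmz": b"GET /api HTTP/1.1\r\nHost: 192.168.100.10\r\n\r\n",
    "ms_by_ip":  b"GET /x.cab HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n",
    "no_host":   b"GET /x.cab HTTP/1.0\r\n\r\n",          # HTTP/1.0, no Host header
    "lookalike": b"GET /x HTTP/1.1\r\nHost: 192x168x100x1\r\n\r\n",
}

# The thread's regexes, plus an anchored and escaped variant of update1.
REGEX_MICROSOFT = r".*\.microsoft\.com.*"
REGEX_UPDATE1_LOOSE = r"192.168.100.10*"      # unescaped dots; '*' only repeats the final '0'
REGEX_UPDATE1_STRICT = r"^192\.168\.100\.10$"  # constructed hardened form

def host_header(raw: bytes) -> Optional[str]:
    """Return the Host header value of a request head, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def regex_class_matches(patterns, host) -> bool:
    """'class-map type regex match-any': true if any regex matches the Host value."""
    return host is not None and any(re.search(p, host) for p in patterns)

def policy_verdict(raw: bytes, match_lines) -> str:
    """Model of the inspect-http policy-map. match_lines is a list of
    (negate, patterns); 'match not ... regex class X' is (True, X).
    Assumption: every match line carries a reset action and the first
    line that fires resets the connection."""
    host = host_header(raw)
    for negate, patterns in match_lines:
        hit = regex_class_matches(patterns, host)
        if negate != hit:            # 'match not X' fires when X does NOT match
            return "reset"
    return "allow"

# Original post: two separate 'match not' lines, one regex class each.
TWO_CLASS_POLICY = [(True, [REGEX_MICROSOFT]), (True, [REGEX_UPDATE1_LOOSE])]
# Reply 4: one match-any class holding both regexes.
ONE_CLASS_POLICY = [(True, [REGEX_MICROSOFT, REGEX_UPDATE1_LOOSE])]
# Same shape with the anchored regex.
ONE_CLASS_STRICT = [(True, [REGEX_MICROSOFT, REGEX_UPDATE1_STRICT])]

def inspected(acl, src: str, dst: str) -> bool:
    """'class-map Http_allow / match access-list': first matching ACE wins; a
    deny ACE means the flow is not classified, so the policy never sees it."""
    for action, ace_src, ace_dst in acl:
        if ace_src in (src, "any") and ace_dst in (dst, "any"):
            return action == "permit"
    return False

ACL_ORIGINAL = [("permit", "192.168.200.10", "any")]
ACL_EXEMPT_DMZ = [("deny", "192.168.200.10", "192.168.100.10"),
                  ("permit", "192.168.200.10", "any")]

def decide(acl, policy, src: str, dst: str, raw: bytes) -> str:
    """Full path for one flow: ACL classification, then HTTP inspection."""
    if not inspected(acl, src, dst):
        return "not-inspected"
    return policy_verdict(raw, policy)

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:10s} two-class={policy_verdict(raw, TWO_CLASS_POLICY):5s} "
              f"one-class={policy_verdict(raw, ONE_CLASS_POLICY):5s} "
              f"strict={policy_verdict(raw, ONE_CLASS_STRICT)}")
    print("inter-DMZ with deny ACE:",
          decide(ACL_EXEMPT_DMZ, ONE_CLASS_POLICY, "192.168.200.10",
                 "192.168.100.10", REQUESTS["inter_dmz"]))
```

Running it shows why the two-line form behaves badly under the stated assumption: no Host value can satisfy both negated classes, so even the Microsoft request is reset by the second line, whereas the single match-any class lets both permitted destinations through. It also shows the two residual risks a reviewer would flag: the loose `192.168.100.10*` pattern accepts a value like `192x168x100x1` because its dots are unescaped and its `*` only repeats the last digit, which the anchored form rejects; and a direct-to-IP download (or an HTTP/1.0 request with no Host header) is reset by every variant of the policy, which is exactly the behaviour reply 12 worked around with a deny ACE. On a real ASA the `test regex` command can be used to confirm how a pattern behaves against a sample string before it is placed in a class-map.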