10-26-2009 05:40 PM - edited 03-11-2019 09:31 AM
I can't make sense of this. Here's what I have:
policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection
class-map global-class
 match any
policy-map global-policy
 class global-class
  inspect http test-http-inspect-map
service-policy global-policy global
I'm trying to access a webserver on the "dmz" network (security-level 50) from the "outside" network (security-level 100). I can't do so until I apply an access-list. So, I allow traffic on dst port 80 from the outside. But at that point it seems the application inspection doesn't work. To test this I telnet to port 80 from the outside host to the internal webserver and issued "post blah". I'm able to see "post blah" in a capture on the internal webserver. So, how do I properly apply application inspection and what is a good way to test it? TIA.
10-28-2009 01:35 PM
The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.
So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?
BTW "match any" is a bad idea, you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy and each one will receive only traffic destined to its default port).
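As an added illustration (not part of this thread and not the OP's configuration), here is the "match any" class from the original post shown next to a corrected version. Everything except the OP's test-http-inspect-map and global-policy names is assumed: the outside interface is called outside, the DMZ web server is 192.0.2.10, and the inbound ACL is OUTSIDE_IN. The command that matches each protocol on its default port is match default-inspection-traffic.

```cisco
! --- Weak: "match any" pushes every flow on every port through the HTTP engine.
class-map global-class
 match any
policy-map global-policy
 class global-class
  inspect http test-http-inspect-map
service-policy global-policy global

! --- Corrected (added example; interface, ACL and server address are assumed).
! 1. The ACL still has to permit the flow. Inspection never opens a port by itself.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
!
! 2. The HTTP inspection policy from the original post, unchanged: a client that
!    speaks something other than HTTP on the port (e.g. "post blah") is dropped.
policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection
!
! 3. Classify only TCP/80 as HTTP. Other protocols keep their stock inspections
!    through a class that matches each one on its default port.
class-map http-class
 match port tcp eq www
class-map inspection_default
 match default-inspection-traffic
policy-map global-policy
 class http-class
  inspect http test-http-inspect-map
 class inspection_default
  inspect dns
  inspect ftp
  inspect icmp
service-policy global-policy global
```

To check that inspection is actually being applied, repeat the test from the first post (connect to port 80 from outside and send a non-HTTP line such as "post blah"); with protocol-violation set to drop-connection the session should be torn down instead of reaching the server, and show service-policy on the ASA should show the drop counted against the http inspection.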
10-28-2009 02:43 PM
I actually got this working. I was able to test using netcat. It effectively dropped the tunnel I opened on port 80 trying to send cmd.exe through it.
Now I have another question. When I explicitly open a port for an application that there is no "inspect" for, is there a way to build an "inspect"? For instance, let's say I use all the default inspections on the default ports. Now, let's say I open tcp 188 for an internal application. I'd like to know that someone didn't find that port and start tunneling cmd.exe. How do people combat this scenario?
10-28-2009 03:32 PM
What protocol is port 188 using? We cannot build inspects based on protocols we don't know.
So if it is one of the well-known protocols then you can use the pre-defined inspections. If not, there is not much inspecting you can do on the ASA except regular TCP inspection.
Of course for .exe etc. files there is IPS that can look for regex strings in the packets.
I hope it helps.
PK
10-28-2009 04:10 PM
I was thinking more along the lines of an internal application that uses something proprietary. I'm confused about MPF now... I'll start a new thread. Thanks for your help.