"match not request" in MPF configuration

sureshkrishnan · ‎12-28-2009

Hi,

One of my clients needs to allow only their cache servers to access their webservers on port 80. No one else should be able to access these servers from outside. We cannot filter using source IP because, we do not have the list of all cache servers.

So, we have to filter the traffic based on a "header: value" pair available in the HTTP Request Header. Any HTTP request coming from the cache servers will have "testcache: ourcacheserver" as a pair in the HTTP request header. I would like to look for any http request header that does not have this pair and reset that connection. So, only the HTTP connections from cache servers will be successful.

I am using the MPF configuration shown below to implement this. But, there seems to be something wrong in my logic. The "match not request header regex cheader regex class Cache-Request" command does not seem to be working according to my understanding.

I was thinking that "match not request header regex cheader regex class Cache-Request" would match everything but the traffic coming from cache servers.

Please let me know if my understanding of the "match not request header" command is wrong. Or, let me know if there is any other logic I could use to address the requirement.

Regards,

Suresh

*********************************

regex cheader “testcache”

regex cvalue “ourcacheserver”

Class-map type regex match-any Cache-Request

match regex cvalue

class-map type inspect http match-all Non-Cache-Traffic

match not request header regex cheader regex class Cache-Request

policy-map type inspect http Non-Cache-Pmap

class Non-Cache-Traffic

reset log

access-list 11server-httptraffic extended permit tcp any 1.1.1.1 eq www

class-map 11server-cmap

match access-list 11server-httptraffic

policy-map outside_policy

class 11server-cmap

inspect http Non-Cache-Pmap

service-policy outside_policy interface outside

Panos Kampanakis · ‎12-28-2009

You logic is tirht, it will match and reset all but the traffic in the match.

I think you haven't identified what you want to block properly though.

You are resetting everything that does not match both reges at the same time. One reges is in a class and the other in a regex "match not request header regex cheader regex class Cache-Request"

Are these HTTP GETs, are you talking about the host or the URI field? I think that is what you have misconfigured.

Please look at example https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls that I believe has exactly what you want to do.

I hope it helps.

PK

sureshkrishnan · ‎12-28-2009

Hi PK,

The new "header: value" pair will be in the HTTP request header. We have customized the cache server on the Internet to send this custom "header: value" pair in the request to the web server. For example, one of the http requests from the cache server to the web server should look like the following.

*******

host: webserver.com\r\n

testcache: ourcacheserver\r\n

*******

I want ASA to look for this string and allow the connection. If the string is not present, drop the connection.

I am thinking the command "match not request header regex cheader regex class Cache-Request" should translate to "match not request header testcache ourcacheserver"

Regards,

Suresh

Panos Kampanakis · ‎12-29-2009

Suresh,

From what you are descibing the logic and the setup are fine.

Please open a TAC for troubleshooting but your configuration is right. They will need a capture of your HTTP request.

Regards,

PK