Long URL not allowed by ASA

Hi All,

I am trying to download a file, but I get redirected to a very long URL and I'm wondering if this could be the reason why the ASA is dropping the connection.

If I try to download the file without going through the ASA, it works fine.

The problem is that the URL is an HTTPS connection, and I don't seem to get an error: when I do a Packet Tracer, the connection goes fine, but I cannot test the Packet Tracer connection up to the final URL. The same happens with the ASP drop: I don't see the message that tells me why the connection is being blocked.

There is so much traffic that I cannot filter the logs to see what's going on.

I tried a capture, but since it's HTTPS I don't see any reason.

My question is:

Is it possible that since the URL is too big, the ASA might be blocking it?

I've tried incrementing the size of the DNS replies and the body of the HTTP inspection and that did not help.

Please let me know your comments or suggestions.

Thank you,

Federico.


Kureli Sankar
Cisco Employee

Refer to the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Enable Filtering of Long URLs

By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed for a single URL with this command:

hostname(config)#url-block url-size long-url-size

Replace long-url-size with the maximum size in KB for each long URL to be buffered.

For example, these commands configure the security appliance for advanced URL filtering:

hostname(config)#url-block block 10
hostname(config)#url-block url-mempool 2
hostname(config)#url-cache dst 100
hostname(config)#url-block url-size 2


-KS

Thank you, but this option is only available when you have a URL server.

ASA(config)# url-block url-size 4
No url servers found!  Use "url-server" first.

We are not using a URL server like Websense; it's just an HTTPS connection going from the inside to the outside of the ASA.

Any suggestions?

Thank you!

Federico.

The symptom was so clearly a URL-filtering issue that I assumed you had Websense configured.

Anyway, back to the issue. I can't say much without captures on the client or ingress/egress captures on the ASA for this particular flow.

It may be a good idea to reduce the MTU on the outside interface and see if you can load this page.

-KS

Hi KS,

I totally agree with you, but in the meantime, while I figure out how to get the right logs or captures, do you know whether sending a very long URL could be stopped by the ASA?

I mean by the HTTP inspection?

I will try to get the errors, but I'm wondering whether part of the implicit HTTP inspection of the ASA drops URLs that are too long.

Thank you.

Federico.

You mentioned this is HTTPS, right? Inspection wouldn't be able to read within the packet. Inspection would only watch port 80 and not 443.

-KS

Hi KS,

This is what I did:

Host: 172.16.10.34 (host attempting the https connection)

Host: 201.198.233.90 (translated IP for the inside host)

Server: 192.150.14.76 (Server hosting the URL)

The host resides on the inside interface and exits the ASA through the SHDSL interface.

#######################################################################

access-list https_out permit ip host 172.16.10.34 host 192.150.14.76
access-list https_out permit ip host 192.150.14.76 host 172.16.10.34
capture https_out access-list https_out packet-length 1512 interface inside

access-list https_in permit ip host 201.198.233.90 host 192.150.14.76
access-list https_in permit ip host 192.150.14.76 host 201.198.233.90
capture https_in access-list https_in packet-length 1512 interface SHDSL

#######################################################################

Then I got the pcap files (attached to the thread).

I got these captures while host 172.16.10.34 was trying the HTTPS connection that fails through the ASA.

pcap1 = Capture on the inside interface

pcap2 = Capture on the SHDSL (outside) interface

Please let me know.

Sincerely,

Federico.

Excellent. I am looking at them now. I will let you know shortly.

-KS

Ok I looked at two flows.

It appears that the inside host is looking for data from the server and waits for 60 seconds. Since it didn't hear from the server the inside client sends a reset which is relayed to the host on the outside.

The captures look exactly the same on the outside.

I am not sure why there is no data from the outside host for that long.

Try to log in to other HTTPS sites, like a banking site, and see whether HTTPS works through this firewall and only this particular site has the issue.

-KS
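KS's reading of the two captures (the client waits for server data, hears nothing, and after about 60 seconds sends a reset that shows up unchanged on the outside interface) can be checked mechanically instead of by eyeballing pcap1 and pcap2 in Wireshark. The script below is an added example and is not part of this thread or Cisco's code. It parses classic libpcap files with nothing but the standard library, keys each TCP flow by the 4-tuple of its SYN, counts the bytes the server actually sent, records when the client gave up with a RST, and then compares the inside and outside captures after mapping the PAT address (201.198.233.90) back to the real host (172.16.10.34). The sample captures are constructed inline with the addresses from the thread plus a hypothetical working site (198.51.100.10) so it runs offline; they assume the PAT kept the source port, which is not guaranteed on a real ASA.

```python
"""Flow-timing check for paired ASA captures (added example, not from the thread)."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))


def b2ip(raw):
    return ".".join(str(o) for o in raw)


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed sample; checksums stay zero (never checked)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip2b(src), ip2b(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(packets):
    """(timestamp, frame) pairs -> classic little-endian libpcap file bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in sorted(packets, key=lambda p: p[0]):
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, flags, payload_len) for every IPv4/TCP frame."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload_len = len(tcp) - (tcp[12] >> 4) * 4
        yield sec + usec / 1e6, b2ip(frame[26:30]), b2ip(frame[30:34]), sport, dport, tcp[13], payload_len


def analyse(pcap_bytes, nat_map=None):
    """Per TCP flow (keyed by the SYN's 4-tuple): bytes the server sent and when the client reset.

    nat_map maps translated -> real addresses so the outside capture yields the same keys as
    the inside one. A flow is 'stalled' when the client reset it without ever receiving
    server data, which is the pattern described in the reply above.
    """
    nat_map = nat_map or {}
    flows = {}
    for ts, src, dst, sport, dport, flags, plen in parse_pcap(pcap_bytes):
        src, dst = nat_map.get(src, src), nat_map.get(dst, dst)
        if flags & TCP_SYN and not flags & TCP_ACK:
            flows[(src, sport, dst, dport)] = {"syn_ts": ts, "server_bytes": 0, "client_rst_after": None}
        elif (src, sport, dst, dport) in flows:                        # client -> server
            f = flows[(src, sport, dst, dport)]
            if flags & TCP_RST and f["client_rst_after"] is None:
                f["client_rst_after"] = round(ts - f["syn_ts"], 3)
        elif (dst, dport, src, sport) in flows:                        # server -> client
            flows[(dst, dport, src, sport)]["server_bytes"] += plen
    for f in flows.values():
        f["stalled"] = f["server_bytes"] == 0 and f["client_rst_after"] is not None
    return flows


def compare(inside_pcap, outside_pcap, nat_map):
    """Flow keys whose verdict differs between the two capture points; an empty list means the
    ASA relayed both sides unchanged and the silence originates beyond the outside interface."""
    a, b = analyse(inside_pcap), analyse(outside_pcap, nat_map)
    return sorted(k for k in set(a) | set(b) if a.get(k, {}).get("stalled") != b.get(k, {}).get("stalled"))


# Constructed sample data: addresses from the thread plus a hypothetical working site.
CLIENT, PAT_IP, SERVER, OTHER_SERVER = "172.16.10.34", "201.198.233.90", "192.150.14.76", "198.51.100.10"


def sample_flow(client, server, sport, t0, works):
    pkts = [(t0, tcp_frame(client, server, sport, 443, TCP_SYN)),
            (t0 + 0.050, tcp_frame(server, client, 443, sport, TCP_SYN | TCP_ACK)),
            (t0 + 0.051, tcp_frame(client, server, sport, 443, TCP_ACK)),
            (t0 + 0.100, tcp_frame(client, server, sport, 443, TCP_ACK, b"\x16\x03\x01" + b"\x00" * 200))]  # ClientHello
    if works:
        pkts.append((t0 + 0.160, tcp_frame(server, client, 443, sport, TCP_ACK, b"\x16\x03\x03" + b"\x00" * 1200)))
        pkts.append((t0 + 0.400, tcp_frame(client, server, sport, 443, TCP_FIN | TCP_ACK)))
    else:
        pkts.append((t0 + 60.100, tcp_frame(client, server, sport, 443, TCP_RST | TCP_ACK)))  # client gives up
    return pkts


def sample_captures():
    """Inside and outside captures of one failing and one working flow (PAT assumed to keep the port)."""
    inside = sample_flow(CLIENT, SERVER, 50001, 0.0, False) + sample_flow(CLIENT, OTHER_SERVER, 50002, 5.0, True)
    outside = sample_flow(PAT_IP, SERVER, 50001, 0.0, False) + sample_flow(PAT_IP, OTHER_SERVER, 50002, 5.0, True)
    return build_pcap(inside), build_pcap(outside)


if __name__ == "__main__":
    inside, outside = sample_captures()
    for key, f in analyse(inside).items():
        print(key, f)
    print("verdict differences inside vs outside:", compare(inside, outside, {PAT_IP: CLIENT}))
```

Against real exports, replace sample_captures() with open("pcap1", "rb").read() and open("pcap2", "rb").read(); a flow that is stalled on both sides with identical timing points at the path beyond the ASA (the MTU suggestion earlier in the thread, or the far end), while a flow that receives server bytes on the outside capture but none on the inside capture would implicate the ASA itself.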

Hi KS,

Every other https site through the ASA seemed to work fine.

I am attaching both captures on a particular working https connection.

pcap3 = inside interface

pcap4 = SHDSL interface

So, I don't understand why the first https site does not work through the ASA since it works fine without going through the ASA!

Please let me know.

Regards,

Federico

Do you have the config from the old ASA?

sh run sysopt

compare that output from the old to the new.

Seems like this is adobe site.

You say that if you put a PC on the outside of this ASA, it loads fine. If so, can you try to translate the IP address of this one PC to the IP address that you used outside of the ASA (static NAT) and see whether that would work?

Did you have anyconnect configured on the old ASA? This ASA does.

-KS

Hi KS,

There's nothing on the output of the command on the ASA:

ASA(config)# sh run sysopt
ASA(config)#

There are many internal machines that should be able to access this site, so I can't statically NAT them all.

I understand that I can do a STATIC NAT for the inside machine to the outside IP of the ASA to see if it works this way. My concern is that I have many VPN tunnels terminating on the ASA.

Is this going to stop the VPN traffic from working if I do a one-to-one STATIC NAT?

What do you suggest?

Thank you.

Federico.

Please do not do static NAT for the inside host to the outside interface IP.

You should not do this. This will break traffic.

What I said was translate the IP address of this inside host to SOME OTHER IP address besides the one that it is using now just for testing purpose to see if it works since you are running anyconnect on the same IP address. Let me know the result.

If it works, then we can translate all the inside hosts to look like this working address (a new nat/global). You have available IP addresses, right? You used one of those to test with a PC on the outside of the firewall, right? Use that IP.

-KS

Thank you KS,

I know this question is not related to the problem, but I'm trying to fix it....

Everybody gets PATed to the IP address of the interface on the ASA, like this:

nat (inside) 1 access-list NAT
access-list NAT permit ip 172.16.10.0 255.255.255.0 any
global (SHDSL) 1 interface

So, I did the following commands to let my PC (172.16.10.34) get translated to an available IP, like this:

nat (inside) 5 access-list NAT123
access-list NAT123 permit ip host 172.16.10.34 any
global (SHDSL) 5 201.198.233.91

But even though I clear the xlates, connections and local-hosts, I still get out using the IP 201.198.233.90 (which is the ASA's interface IP).

So, it seems to me that even after adding the NAT rule to translate my own IP to a different one, it continues to translate to the ASA's interface IP.

I thought that since the ACL NAT123 is more specific than the ACL NAT, it would take precedence, but it does not. Is this because the first NAT has an ID of 1 and the one that I added has an ID of 5? I'm asking because I don't want to change the NAT 1 statement for everybody.

Thank you,

Federico.

Policy NAT: the first one that matches your source is the one it will take.

Please make this change:

nat (inside) 5 172.16.10.34
global (SHDSL) 5 201.198.233.91

clear local 172.16.10.34

sh xlate debug | i 172.16.10.34

and it will take the new ip.

-KS
