Enabling Advanced HTTP application inspection

Answered Question
Jun 30th, 2013

Hi Everyone,


For testing purposes I enabled Advanced HTTP application inspection on the ASA globally.

Here is the config:

policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log

Need to know what effect the statement in red (the match not ... application/msword line) has on the ASA?


Enabled it globally:

policy-map global_policy
 class inspection_default
  inspect http http_inspect_


After doing this I can open the first page of any website, but after that no other page opens up. Here are the logs:


Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443  (173.194.33.34/443) to DMZ:192.168.70.5/29735  (192.168.71.74/29735)


Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80  (173.194.33.43/80) to DMZ:192.168.70.5/29736  (192.168.71.74/29736)


Jun 30 2013 20:22:27:  %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80  (173.194.33.50/80) to DMZ:192.168.70.5/29737  (192.168.71.74/29737)


Jun 30 2013 20:22:28:  %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80  (173.194.33.50/80) to DMZ:192.168.70.5/29738  (192.168.71.74/29738)


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA


Jun 30 2013 20:22:28:  %ASA-5-415008: HTTP - matched not response header content-type  application/msword in policy-map http_inspect_map, header matched - Dropping  connection from DMZ:192.168.70.5/29737 to outside:  173.194.33.50/80



Jun 30 2013 20:22:28:  %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80  terminated by inspection engine, reason - disconnected, dropped  packet.



Jun 30 2013 20:22:28:  %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to  DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by  inspection


Jun 30 2013 20:22:28:  %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to  192.168.71.74/29737 flags PSH ACK  on interface  outside


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=7&gs_id=35&xhr=t&q=rediff.&es_nrs=true&pf=p&biw=1366&bih=622&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&tch=1&ech=7&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=4-fQUd3eMqrpiwL0nYCABQ&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4007158,4007173,4007230,4007244,4007408,4007445,4007533,4007566,4007661,4007668,4007745,4007762,4007763,4007779,4007798,4007804,4007874,4007886,4007892,4007917,4007927,4007942,4008028,4

Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80  to 192.168.71.74/29737 flags PSH ACK  on interface  outside


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=8&gs_id=3j&xhr=t&q=rediff.c&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=8&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=9&gs_id=3z&xhr=t&q=rediff.co&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=9&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1


Jun 30 2013 20:22:28:  %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=5OfQUYiCCqbAigKa9ICICg&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4007158,4007173,4007230,4007244,4007408,4007445,4007533,4007566,4007661,4007668,4007745,4007762,4007763,4007779,4007798,4007804,4007874,4007886,4007892,4007917,4007927,4007942,4008028,4

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL  173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=10&gs_id=4j&xhr=t&q=rediff.com&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=10&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1


Jun 30 2013 20:22:28:  %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to  192.168.71.74/29737 flags ACK  on interface outside


Need to understand the config in red and the logs highlighted in red?


Regards


Mahesh
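The logs in the question show the whole sequence for one flow: a 302013 build, a 415008 drop naming the policy-map and the clause that fired, a 507003 teardown by the inspection engine and a 302014 teardown with the byte count. The script below is an added example (not part of the original post and not Cisco code) that correlates those message types per TCP flow so you can list which connections a given inspect policy killed and why. The sample log is constructed from the lines quoted above; the field layout of the 302013, 415008 and 302014 messages follows those quoted lines, and the function and field names are my own.

```python
"""Correlate Cisco ASA syslog lines to list the TCP flows that the HTTP
inspection engine dropped, and why.

Added example (not from the original post, not Cisco code). SAMPLE_LOG is
constructed from the lines quoted in the question; the regexes follow the
field layout of those quoted 302013 / 415008 / 302014 lines.
"""
import re

# Constructed sample: one flow built, dropped by inspection and torn down,
# plus a second flow that survives.
SAMPLE_LOG = """\
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29738 (192.168.71.74/29738)
"""

MSG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d\d:\d\d:\d\d):\s+%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s+(?P<body>.*)$"
)
EP = r"(\w+):\s*([\d.]+)/(\d+)"  # interface:ip/port, three capture groups
BUILT_RE = re.compile(r"Built (?:outbound|inbound) TCP connection (\d+) for " + EP + r"\s+\([^)]*\)\s+to " + EP)
DROP_RE = re.compile(r"HTTP - (matched(?: not)? .+?) in policy-map (\S+), header matched - Dropping connection from " + EP + r" to " + EP)
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for " + EP + r" to " + EP + r" duration (\S+) bytes (\d+) (.*)")


def endpoint(m, i):
    """Normalise an EP match (groups i..i+2) to 'iface:ip/port'."""
    return f"{m.group(i)}:{m.group(i + 1)}/{m.group(i + 2)}"


def inspection_drops(log_text):
    """Return one record per TCP flow that an inspect policy dropped.

    Flows are keyed by their unordered endpoint pair, because the ASA prints
    the endpoints server-first in 302013/302014 and client-first in 415008.
    """
    flows = {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # not an ASA syslog line (garbled or unrelated text)
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "302013":
            b = BUILT_RE.search(body)
            if b:
                key = frozenset({endpoint(b, 2), endpoint(b, 5)})
                flows[key] = {"conn_id": b.group(1), "server": endpoint(b, 2),
                              "client": endpoint(b, 5), "built": m.group("ts")}
        elif msg_id == "415008":
            d = DROP_RE.search(body)
            if d:
                key = frozenset({endpoint(d, 3), endpoint(d, 6)})
                rec = flows.setdefault(key, {"conn_id": None,
                                             "client": endpoint(d, 3),
                                             "server": endpoint(d, 6)})
                rec["criterion"] = d.group(1)   # e.g. "matched not response header ..."
                rec["policy_map"] = d.group(2)
        elif msg_id == "302014":
            t = TEARDOWN_RE.search(body)
            if t:
                key = frozenset({endpoint(t, 2), endpoint(t, 5)})
                if key in flows:
                    flows[key]["bytes"] = int(t.group(9))
                    flows[key]["teardown_reason"] = t.group(10)
    # Only flows that hit a 415008 drop are of interest here.
    return [r for r in flows.values() if "criterion" in r]


if __name__ == "__main__":
    for rec in inspection_drops(SAMPLE_LOG):
        print(f"conn {rec['conn_id']}: {rec['client']} -> {rec['server']} "
              f"dropped by {rec['policy_map']} ({rec['criterion']}), "
              f"{rec.get('bytes', '?')} bytes, {rec.get('teardown_reason', '?')}")
```

Run it against a real syslog export by replacing SAMPLE_LOG with the file contents; the 507003 and 106015 lines are left alone on purpose, since the 415008 line already carries the policy-map name and the exact clause that fired, which is what you need to decide whether the policy did what you intended.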


Correct Answer
Julio Carvajal Sun, 06/30/2013 - 22:09

Hello My friend,



policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log


That says:

If the ASA sees an HTTP packet with a header host that does not contain an application/msword header response content, it will be dropped.

So in your case the drops are due to the fact that the response does not contain that header.

Did you configure that just for test purposes, or is that what you are looking for?


Regards



Remember to rate all of the helpful posts.

For this community that's as important as a thanks.
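The point of the answer is the `not`: a `match not response header content-type application/msword` clause with a `drop-connection` action is satisfied by every response whose Content-Type does not carry that value, so ordinary text/html pages are the ones that get dropped. The following is an added example (not Cisco code and not the ASA's implementation) that models that match / match not decision over constructed HTTP responses, and contrasts the posted clause with the same clause without `not`. Class and function names are my own; matching the value as a case-insensitive substring of the header, and treating a response with no Content-Type header as "does not contain the value", are assumptions of this model, not documented ASA behaviour.

```python
"""Model of how a 'policy-map type inspect http' header clause decides what
to do with an HTTP response.

Added example, not Cisco code and not the ASA's implementation: it only
reproduces the match / match not semantics explained in the answer above
(a 'match not' clause fires for every response whose header does NOT carry
the value). Substring matching and the missing-header behaviour are
assumptions of this model.
"""
import re


class HeaderRule:
    """One 'match [not] response header <name> <value>' clause and its action."""

    def __init__(self, header, value, negate=False, action="drop-connection"):
        self.header = header.lower()
        self.pattern = re.compile(re.escape(value), re.IGNORECASE)
        self.negate = negate
        self.action = action

    def fires(self, headers):
        """True when the clause is satisfied and its action should run."""
        found = self.pattern.search(headers.get(self.header, "")) is not None
        # 'match': fire when the value is found; 'match not': fire when it is NOT found.
        return found != self.negate


def parse_response_head(raw):
    """Return the header fields of a raw HTTP response as {lower-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decide(rules, raw_response):
    """Action of the first clause that fires, or 'allow' if none does."""
    headers = parse_response_head(raw_response)
    for rule in rules:
        if rule.fires(headers):
            return rule.action
    return "allow"


# The clause from the question: drop everything that is NOT a Word document.
POSTED_POLICY = [HeaderRule("content-type", "application/msword", negate=True)]
# The same clause without 'not': drop only Word documents, let the rest through.
INVERTED_POLICY = [HeaderRule("content-type", "application/msword", negate=False)]

# Constructed responses (not captured traffic).
HTML_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                 "Content-Length: 5\r\n\r\nhello")
DOC_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n"
                "Content-Length: 5\r\n\r\nhello")
NO_CT_RESPONSE = "HTTP/1.1 204 No Content\r\nServer: x\r\n\r\n"

if __name__ == "__main__":
    cases = [("text/html", HTML_RESPONSE), ("msword", DOC_RESPONSE),
             ("no Content-Type", NO_CT_RESPONSE)]
    for name, raw in cases:
        print(f"{name:16} posted: {decide(POSTED_POLICY, raw):16} "
              f"inverted: {decide(INVERTED_POLICY, raw)}")
```

With the posted policy the text/html page is dropped and only the Word download survives, which is exactly the 415008 "header matched - Dropping connection" seen in the question; with the `not` removed the outcome flips. Note that in this model a response with no Content-Type header at all also trips the `match not` clause, so before relying on a negated header match in production, test a few response shapes (redirects, 204s, chunked responses) rather than just a normal 200.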

mahesh18 Sun, 06/30/2013 - 22:13

Hi Julio,

Just for testing purposes.

So when you say it looks for the msword header, does this mean that when I open a website like, say, www.google.com, this URL should have the msword header, otherwise it will be dropped?

Regards

Mahesh

Correct Answer
Julio Carvajal Sun, 06/30/2013 - 22:16

Hello,


The header content-type should be that one, exactly... Otherwise a drop will happen (as configured).



Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

mahesh18 Sun, 06/30/2013 - 22:21

Hi Julio,


Thanks for answering my question.

Yes sir, the post is rated as usual.


Regards

Mahesh

Julio Carvajal Sun, 06/30/2013 - 22:24

Great,


Have a great day Mahesh


Remember to rate all of the helpful posts.

For this community that's as important as a thanks.
