
ASA 5515-X Inspection Engine

Unanswered Question
Aug 8th, 2013

I'm currently using the Inspection Engine to prevent most users from accessing .zip (and the like) files. However, this is also blocking some websites used during daily business. I keep getting the following or similar syslog message:

%ASA-4-507003: tcp flow from Inside:X.X.X.X/62401 to External:X.X.X.X/80 terminated by inspection engine, reason - reset unconditionally.

Below is my config:

regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Mm][Ss][Ii]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
!
class-map type regex match-any URLBlockList
 match regex urllist1
 match regex urllist2
 match regex urllist3
 match regex urllist4
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockURLsClass
  reset log
!
policy-map Inside-policy
 class Inside-class
  inspect http http_inspection_policy

Any Ideas?

Robert Garrett (Cisco Employee) Mon, 08/19/2013 - 07:13
The problem is not due to the urllists, but rather the regex applicationheader "application/.*"

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

class AppHeaderClass
  drop-connection log

Due to this configuration, on the response, the ASA sees application/xxxxx from nearly all websites and drops the connection.

If this configuration is removed, the problem is no longer seen.

The urllists can also be modified to appropriately block download files by removing HTTP/1.[01] from the string and by placing a space at the end to specify a match at the end of the uri.


-Robert Garrett
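To see why the AppHeaderClass match fires on ordinary web traffic, here is an added Python harness (not part of the thread or of any Cisco tooling) that runs the posted regexes over a few constructed request/response pairs. It assumes ASA regex matching behaves like an unanchored search, and the narrower Content-Type pattern at the top is an assumed alternative for comparison, not something the answer proposes.

```python
import re

# Regexes copied verbatim from the ASA config in the question.
URLLIST = [
    r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]",
    r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]",
    r".*\.([Mm][Ss][Ii]) HTTP/1.[01]",
    r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
]
APPLICATION_HEADER = r"application/.*"      # the over-broad match from the post
# Assumed narrower alternative (not from the post): archive/binary types only.
NARROW_HEADER = r"application/(zip|x-zip-compressed|x-msdownload|octet-stream)"

def url_blocked(request_line, patterns=URLLIST):
    """BlockURLsClass: match-any over the regex class-map
    (unanchored search assumed for ASA regex semantics)."""
    return any(re.search(p, request_line) for p in patterns)

def header_matched(content_type, pattern=APPLICATION_HEADER):
    """AppHeaderClass: regex applied to the Content-Type response header value."""
    return re.search(pattern, content_type) is not None

def policy_action(request_line, content_type, header_pattern=APPLICATION_HEADER):
    """Action http_inspection_policy takes on one exchange. The URI class is
    evaluated on the request, so it decides before any response header is seen."""
    if url_blocked(request_line):
        return "reset"            # class BlockURLsClass -> reset log
    if header_matched(content_type, header_pattern):
        return "drop-connection"  # class AppHeaderClass -> drop-connection log
    return "allow"

# Constructed sample exchanges (not from the post): request line, Content-Type.
SAMPLES = [
    ("GET /index.html HTTP/1.1", "text/html; charset=utf-8"),
    ("GET /static/app.js HTTP/1.1", "application/javascript"),
    ("GET /api/orders HTTP/1.1", "application/json"),
    ("GET /files/report.zip HTTP/1.1", "application/zip"),
    ("GET /download?file=tool.exe HTTP/1.1", "application/octet-stream"),
]

def run(header_pattern=APPLICATION_HEADER):
    """Map each sample request line to the action the policy would take."""
    return {req: policy_action(req, ct, header_pattern) for req, ct in SAMPLES}

if __name__ == "__main__":
    for label, pat in (("as posted", APPLICATION_HEADER), ("narrow header", NARROW_HEADER)):
        print(label)
        for req, action in run(pat).items():
            print(f"  {action:16} {req}")
```

With the posted pattern, the JavaScript and JSON responses are dropped alongside the real downloads, which is the daily-business breakage described in the question.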
