ASA 5515-X Inspection Engine

Kevin Martin
Level 1

I'm currently using the Inspection Engine to prevent most users from accessing .zip (and the like) files. However, this is also blocking some websites used during daily business. I keep getting the following or similar syslog message:

%ASA-4-507003: tcp flow from Inside:X.X.X.X/62401 to External:X.X.X.X/80 terminated by inspection engine, reason - reset unconditionally.

Below is my config:

regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Mm][Ss][Ii]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
!
class-map type regex match-any URLBlockList
 match regex urllist1
 match regex urllist2
 match regex urllist3
 match regex urllist4
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockURLsClass
  reset log
!
policy-map Inside-policy
 class Inside-class
  inspect http http_inspection_policy

Any Ideas?

***Please Mark and Rate helpful posts***
1 Reply

Robert Garrett
Cisco Employee
The problem is not due to the urllists, but rather the regex applicationheader "application/.*"

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

class AppHeaderClass
  drop-connection log

Due to this configuration, on the response, the ASA sees application/xxxxx from nearly all websites and drops the connection.

If this configuration is removed, the problem is no longer seen.

The urllists can also be modified to appropriately block download files by removing HTTP/1.[01] from the string and by placing a space at the end to specify a match at the end of the uri.

-Robert Garrett
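To see why the reply singles out `application/.*`, and what the suggested change to the URL lists actually does, here is a dry run of the thread's regexes against a few constructed request lines and Content-Type values. This is an added example, not code from either poster or from Cisco: Python's `re` stands in for the ASA regex engine (an assumption; every construct used, `.*`, the escaped dot, character classes and alternation, exists in both), the way the request URI is presented to the regex (URI followed by the space that separated it from the HTTP version) is modelled on the reply's description, and `NARROW_HEADER` is a hypothetical narrower pattern that is not in the thread.

```python
import re

# Regexes exactly as configured in the original post.
URLLIST_ORIGINAL = [
    r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]",
    r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]",
    r".*\.([Mm][Ss][Ii]) HTTP/1.[01]",
    r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
]
# The same lists rewritten the way the reply suggests: " HTTP/1.[01]" removed,
# a trailing space kept so the extension must sit at the end of the URI.
URLLIST_MODIFIED = [
    r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) ",
    r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) ",
    r".*\.([Mm][Ss][Ii]) ",
    r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) ",
]
APPLICATION_HEADER = r"application/.*"   # the response-header regex the reply blames
# Hypothetical narrower alternative (assumption, not from the thread): only
# Content-Types that typically carry archive or executable payloads.
NARROW_HEADER = r"application/(zip|x-zip-compressed|x-msdownload|octet-stream|x-tar|gzip)"


def matches_any(patterns, text):
    """ASA-style 'match-any': true if any regex is found anywhere in the text."""
    return any(re.search(p, text) for p in patterns)


def uri_field(request_line):
    """Pull the request-URI out of 'METHOD URI HTTP/1.x' and keep the space that
    followed it, modelling the reply's point that a trailing space in the regex
    pins the match to the end of the URI (assumption about the ASA's field)."""
    _method, uri, _version = request_line.split(" ", 2)
    return uri + " "


def blocked_by_uri(request_line, patterns):
    """Would the request URI hit the URLBlockList with the given regex list?"""
    return matches_any(patterns, uri_field(request_line))


def blocked_by_content_type(content_type, pattern=APPLICATION_HEADER):
    """Would the response Content-Type value hit AppHeaderClass?"""
    return re.search(pattern, content_type) is not None


# Constructed sample traffic (not captured from any real site).
REQUESTS = [
    "GET /downloads/tool.zip HTTP/1.1",         # real archive download
    "GET /docs/readme.zip.html HTTP/1.1",       # '.zip' inside the path, not at the end
    "GET /api/users.json HTTP/1.1",             # ordinary web-app call
    "GET /get?file=tool.zip&token=abc HTTP/1.1",  # archive named in a query string
]
CONTENT_TYPES = [
    "text/html; charset=utf-8",
    "application/json",          # used by nearly every modern site
    "application/javascript",    # likewise
    "application/xhtml+xml",
    "image/png",
    "application/zip",
    "application/octet-stream",
]


def summarize():
    """Return the match results as lists so they can be checked, not just printed."""
    return {
        "uri_original": [blocked_by_uri(r, URLLIST_ORIGINAL) for r in REQUESTS],
        "uri_modified": [blocked_by_uri(r, URLLIST_MODIFIED) for r in REQUESTS],
        "ct_broad": [blocked_by_content_type(c) for c in CONTENT_TYPES],
        "ct_narrow": [blocked_by_content_type(c, NARROW_HEADER) for c in CONTENT_TYPES],
    }


if __name__ == "__main__":
    for key, vals in summarize().items():
        print(f"{key:13s} {vals}")
```

Two things stand out when this runs. Against the Content-Type samples, `application/.*` hits five of the seven values, including `application/json` and `application/javascript`, which is exactly the "nearly all websites" behaviour the reply describes; the narrower pattern hits only the archive and binary types. Against the URI samples, the original lists never match the URI field at all (they expect ` HTTP/1.x` to follow), while the modified lists catch `/downloads/tool.zip` but, because of the trailing-space anchor, do not catch the same file name buried in a query string, a gap worth knowing about before relying on the URL lists alone.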
