Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 5515-X Inspection Engine

I'm currently using the Inspection Engine to prevent most users from accessing .zip (and the like) files.  However, this also blocking some websites used during daily business.  I keep getting the following or similar syslog message:

%ASA-4-507003: tcp flow from Inside:X.X.X.X/62401 to External:X.X.X.X/80 terminated by inspection engine, reason - reset unconditionally.

Below is my config:

regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"

regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"

regex urllist3 ".*\.([Mm][Ss][Ii]) HTTP/1.[01]"

regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"

regex applicationheader "application/.*"

regex contenttype "Content-Type"

!

class-map type regex match-any URLBlockList

match regex urllist1

match regex urllist2

match regex urllist3

match regex urllist4

!

class-map type inspect http match-all AppHeaderClass

match response header regex contenttype regex applicationheader

!

class-map type inspect http match-all BlockURLsClass

match request uri regex class URLBlockList

!

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection

match request method connect

  drop-connection log

class AppHeaderClass

  drop-connection log

class BlockURLsClass

  reset log

!

policy-map Inside-policy

class Inside-class

  inspect http http_inspection_policy

Any Ideas?

Everyone's tags (1)
1 REPLY
Cisco Employee

ASA 5515-X Inspection Engine

The problem is not due to the urllists, but rather the regex applicationheader "application/.*"

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

class AppHeaderClass
  drop-connection log

Due to this configuration, on the response, the ASA sees application/xxxxx from nearly all websites and drops the connection.

If this configuration is removed, the problem is no longer seen.

The urllists can also be modified to appropriately block download files by removing HTTP/1.[01] from the string and by placing a space at the end to specify a match at the end of the uri.

-Robert Garrett

723
Views
0
Helpful
1
Replies
CreatePlease to create content