
ASA Default HTTP inspection

I have enabled default http inspection in an ASA firewall

inspect http

Is it doing anything? Or does it need an inspection map?

It inspects packets but doesn't drop anything

Result of the command: "sh service-poli global inspect http"

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http, packet 729530, drop 0, reset-drop 0

I have tested with a very large URL and strange characters, or telnet to port 80 ... but the drop count is 0.

Any help to see one drop?

Thanks

4 REPLIES

Re: ASA Default HTTP inspection

Hi,

The default HTTP inspection protects against specific attacks or threats against HTTP traffic.

If you would like to customize the inspection for additional control you would have to create a Layer 7 Policy Map for HTTP.

Federico.


Re: ASA Default HTTP inspection

OK, but how can I test it is working?

I can't see any drop yet, with sh service-policy inspect http

It seems to do nothing


Re: ASA Default HTTP inspection

OK, I have to enable an Inspect-map, then there are packet drops. Like this:

policy-map type inspect http HTTP_Secure
 parameters
  protocol-violation action drop-connection

policy-map global_policy
 class inspection_default
  inspect http HTTP_Secure
  ....

service-policy global_policy global

But now I have packet drops on websites that I need to allow. How can I allow some websites that don't pass the protocol-violation test?

Any help?
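The thread's check for whether inspection is enforcing is the drop counters in "show service-policy inspect http". As an added example (not from the thread or from Cisco), here is a small parser for that output that extracts the per-class counters and classifies the state, using constructed sample output modelled on the counters quoted above.

```python
import re

# Constructed samples, not captures from the poster's ASA. The first mirrors the
# "inspect http" output quoted in the question; the second assumes a policy map
# named HTTP_Secure has been applied and has started dropping connections.
DEFAULT_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http, packet 729530, drop 0, reset-drop 0
"""
SECURE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http HTTP_Secure, packet 731004, drop 12, reset-drop 3
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
# "Inspect: <proto>[ <map-name>], packet N, drop N, reset-drop N"
INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<proto>\S+)(?:\s+(?P<map>\S+?))?,\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)"
)

def parse_inspect_counters(output: str) -> dict:
    """Return {class-map name: [ {proto, map, packet, drop, reset_drop}, ... ]}."""
    result, current = {}, None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INSPECT_RE.search(line)
        if m and current:
            result.setdefault(current, []).append({
                "proto": m["proto"], "map": m["map"],
                "packet": int(m["packet"]), "drop": int(m["drop"]),
                "reset_drop": int(m["reset"]),
            })
    return result

def http_inspection_status(output: str) -> str:
    """Classify HTTP inspection: not-configured, no-traffic, no-drops or enforcing."""
    for entries in parse_inspect_counters(output).values():
        for e in (x for x in entries if x["proto"] == "http"):
            if e["packet"] == 0:
                return "no-traffic"
            return "enforcing" if e["drop"] + e["reset_drop"] > 0 else "no-drops"
    return "not-configured"
```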

Re: ASA Default HTTP inspection

You can use regex to block traffic for only some URLs (or not block some URLs).

Please take a look:

https://supportforums.cisco.com/docs/DOC-1268

Federico.
