Community Member

don't understand application inspection...

I can't make sense of this. Here's what I have:

policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection

class-map global-class
 match any

policy-map global-policy
 class global-class
  inspect http test-http-inspect-map

service-policy global-policy global

I'm trying to access a webserver on the "dmz" network (security-level 50) from the "outside" network (security-level 100). I can't do so until I apply an access-list. So, I allow traffic on dst port 80 from the outside. But at that point it seems the application inspection doesn't work. To test this I telnet to port 80 from the outside host to the internal webserver and issued "post blah". I'm able to see "post blah" in a capture on the internal webserver. So, how do I properly apply application inspection and what is a good way to test it? TIA.

Cisco Employee

Re: don't understand application inspection...

The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.

So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?

BTW "match any" is a bad idea, you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy and each one will receive only traffic destined to its default port).
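The three ways of attaching the same HTTP inspection that the reply contrasts, as an added example (not the poster's configuration or Cisco documentation). The policy and inspect-map names are the thread's own; the class names "web-80" and "default-inspect" are assumed here, and the full ASA keyword for the last one is "match default-inspection-traffic".

```cisco
! 1. What the original post does: every flow through the box is handed to the
!    HTTP inspector, including non-HTTP traffic.
class-map global-class
 match any

! 2. Only TCP/80 is handed to the HTTP inspector.
class-map web-80
 match port tcp eq 80

! 3. Each "inspect" under this class sees only traffic on its own default port,
!    so several inspections can share one class.
class-map default-inspect
 match default-inspection-traffic

policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection

policy-map global-policy
 class default-inspect
  inspect http test-http-inspect-map
  inspect ftp
  inspect dns

service-policy global-policy global

! Verify which class a flow lands in and that the drop counters move after
! sending a malformed request through:
!   show service-policy global-policy
!   show service-policy inspect http
```

Option 3 is the usual shape of the ASA's default global policy; a flow only ever matches one class for a given feature in a policy map, so check `show service-policy` to confirm the web traffic is being counted under the class you expect.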

Community Member

Re: don't understand application inspection...

I actually got this working. I was able to test using netcat. It effectively dropped the tunnel I opened on port 80 trying to send cmd.exe through it.

Now I have another question. When I explicitly open a port for an application that there is no "inspect" for, is there a way to build an "inspect"? For instance, let's say I use all the default inspections on the default ports. Now, let's say I open tcp 188 for an internal application. I'd like to know that someone didn't find that port and start tunneling cmd.exe. How do people combat this scenario?

Cisco Employee (accepted solution)

Re: don't understand application inspection...

What protocol is port 188 using? We cannot build inspects based on protocols we don't know.

So if it is one of the well-known protocols, then you can use the pre-defined inspections. If not, there is not much inspecting you can do on the ASA except regular TCP inspection.

Of course, for .exe etc. files there are IPSs that can look for regex strings in the packets.

I hope it helps.

PK

Community Member

Re: don't understand application inspection...

I was thinking more along the lines of an internal application that uses something proprietary. I'm confused about MPF now... I'll start a new thread. Thanks for your help.
