policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection
 inspect http test-http-inspect-map
service-policy global-policy global
I'm trying to access a webserver on the "dmz" network (security-level 50) from the "outside" network (security-level 100). I can't do so until I apply an access-list. So, I allow traffic on dst port 80 from the outside. But at that point it seems the application inspection doesn't work. To test this I telnet to port 80 from the outside host to the internal webserver and issue "post blah". I'm able to see "post blah" in a capture on the internal webserver. So, how do I properly apply application inspection, and what is a good way to test it? TIA.
The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.
So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?
BTW, "match any" is a bad idea: you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy, and each one will receive only traffic destined to its default port).
I actually got this working. I was able to test using netcat. It effectively dropped the tunnel I opened on port 80 trying to send cmd.exe through it.
Now I have another question. When I explicitly open a port for an application there is no "inspect" for, is there a way to build an "inspect"? For instance, let's say I use all the default inspections on the default ports. Now, let's say I open tcp 188 for an internal application. I'd like to know that someone didn't find that port and start tunneling cmd.exe. How do people combat this scenario?
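A small probe script for the two testing questions raised in this thread: how to check that the HTTP inspection actually drops a protocol violation on tcp/80, and what the firewall can see on a port like tcp/188 that has no inspection bound to it. This is an added example and not code from the thread or from Cisco. It sends a well-formed request and then the raw "post blah" line from the original question, and reports per probe whether the far side answered, reset, or went silent. With inspection in the path, the valid request is answered and the violation is dropped; without it, the web server itself answers both (typically with a 400), which matches the capture the poster described. The hostname, port and timeout are assumptions to be adjusted to your topology, and the sample payloads are constructed here, not captured from the poster's lab.

```python
"""Probe an ASA-style HTTP inspection policy from the outside host (added example)."""
import socket
import sys

# Constructed sample payloads; the second is the raw line typed over telnet in the question.
VALID_REQUEST = b"GET / HTTP/1.1\r\nHost: webserver.example\r\nConnection: close\r\n\r\n"
VIOLATION = b"post blah\r\n"

# RFC 7231 request methods are case-sensitive, so "post" is not a valid method token.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def looks_like_http_request(payload: bytes) -> bool:
    """Local approximation of the request-line grammar ("METHOD SP target SP HTTP/x.y")
    that the protocol-violation check enforces; lets you predict a probe's outcome
    before sending it. Returns False for anything that is not a well-formed request line."""
    try:
        first = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = first.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (
        method in METHODS
        and target.startswith(("/", "http://", "https://", "*"))
        and version.startswith("HTTP/1.")
    )


def probe(host: str, port: int, payload: bytes, timeout: float = 5.0) -> str:
    """Send one payload and classify the result:
    'answered' - the far side sent data back (the server saw the payload),
    'dropped'  - the connection was reset or closed without data (something in the path killed it),
    'timeout'  - no reply within the timeout (a silent drop or a server that waits for more input)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            data = sock.recv(1024)
    except ConnectionResetError:
        return "dropped"
    except TimeoutError:
        return "timeout"
    return "answered" if data else "dropped"


def run(host: str, port: int) -> dict:
    """Run both probes against host:port and return {probe name: outcome}.
    On a port with no inspection bound (e.g. tcp/188 for a custom app), both
    probes reach the application untouched, which is exactly the gap the
    follow-up question is about: without an inspect engine the firewall only
    matches the port, not the protocol carried on it."""
    results = {}
    for name, payload in (("valid", VALID_REQUEST), ("violation", VIOLATION)):
        outcome = probe(host, port, payload)
        results[name] = outcome
        print(f"{name:9s} predicted={'pass' if looks_like_http_request(payload) else 'violation':9s} observed={outcome}")
    return results


if __name__ == "__main__":
    # Usage: python probe.py <webserver-ip> [port]  (run from the outside host)
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    run(target_host, target_port)
```

Run it from the outside host against the DMZ web server on port 80, then against a port carrying a non-HTTP application. If the "violation" probe is answered on port 80, the inspect is not in the path for that traffic (check which class the flow actually matched with "show service-policy"). On the custom port, both probes will be answered or time out depending only on the application, because no inspect engine looks at the payload.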