don't understand application inspection...

snickered
Level 1

I can't make sense of this. Here's what I have:

policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection
class-map global-class
 match any
policy-map global-policy
 class global-class
  inspect http test-http-inspect-map
service-policy global-policy global

I'm trying to access a webserver on the "dmz" network (security-level 50) from the "outside" network (security-level 100). I can't do so until I apply an access-list. So, I allow traffic on dst port 80 from the outside. But at that point it seems the application inspection doesn't work. To test this I telnet to port 80 from the outside host to the internal webserver and issued "post blah". I'm able to see "post blah" in a capture on the internal webserver. So, how do I properly apply application inspection and what is a good way to test it? TIA.


Herbert Baerten
Cisco Employee

The ACL indeed needs to permit the traffic, regardless of whether you do inspection or not.

So after you permit tcp-80 in the ACL, access to your webserver works. In what sense does the inspection not work? I.e. what do you expect it to do that it is not doing?

BTW "match any" is a bad idea, you will send *all* traffic through the http inspection. Better use "match port tcp eq 80" or "match default-inspection" (which allows you to specify multiple inspections in the policy and each one will receive only traffic destined to its default port).
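As an added illustration of the reply above (this is example configuration written for this thread, not the original poster's or Cisco's own), here is the same policy rebuilt without "match any". The ASA keyword for the default-port class is "match default-inspection-traffic"; the access-list, the interface names, the 192.0.2.10 server address and the tcp 8080 second-site port are assumptions made for the example, so adjust them to your own topology.

```text
! --- Before: every flow on the box goes through the HTTP inspection engine ---
! class-map global-class
!  match any
! policy-map global-policy
!  class global-class
!   inspect http test-http-inspect-map

! --- After ---
! 1. The ACL is still required; inspection never grants access by itself.
!    (assumed addresses/interface names for the example)
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside

! 2. HTTP inspection policy: drop and log requests that violate the RFC
!    (e.g. a request line with no HTTP version) and refuse CONNECT tunnels.
policy-map type inspect http test-http-inspect-map
 parameters
  protocol-violation action drop-connection log
 match request method connect
  drop-connection log

! 3. Default-port class: each "inspect" under it only sees traffic for that
!    inspection's default port, so http here means tcp/80 only.
class-map inspection_default
 match default-inspection-traffic

! 4. Explicit-port class for an HTTP server that listens on a non-default port
!    (assumed tcp/8080 for the example); the same inspect map is reused.
class-map http-alt-class
 match port tcp eq 8080

policy-map global-policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http test-http-inspect-map
 class http-alt-class
  inspect http test-http-inspect-map

service-policy global-policy global
```

To confirm the policy is attached and actually seeing flows, use "show service-policy global" and "show service-policy inspect http"; the counters should increment after a request to the web server. For the test described in the original post, a request line such as "post blah" sent by hand has no HTTP version token and is a protocol violation, so with "protocol-violation action drop-connection log" the ASA should tear the connection down and log it, whereas a well-formed "GET / HTTP/1.1" followed by a Host header and a blank line should reach the server.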

I actually got this working. I was able to test using netcat. It effectively dropped the tunnel I opened on port 80 trying to send cmd.exe through it.

Now I have another question. When I explicitly open a port for an application that there is no "inspect" for, is there a way to build an "inspect"? For instance, let's say I use all the default inspections on the default ports. Now, let's say I open tcp 188 for an internal application. I'd like to know that someone didn't find that port and start tunneling cmd.exe. How do people combat this scenario?

What protocol is port 188 using? We cannot build inspects based on protocols we don't know.

So if it is one of the well-known protocols then you can use the pre-defined inspections. If not, there is not much inspecting you can do on the ASA except regular TCP inspection.

Of course for .exe etc. files there are IPSs that can look for regex strings in the packets.

I hope it helps.

PK

I was thinking more along the lines of an internal application that uses something proprietary. I'm confused about MPF now... I'll start a new thread. Thanks for your help.
