Cisco Support Community
Enabling Advanced HTTP application inspection

Hi Everyone,

For testing purposes I enabled Advanced HTTP application inspection on the ASA globally.

Here is the config:

policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log

Need to know what effect the highlighted statement (match not response header content-type application/msword) has on the ASA?

Enabled it globally:

policy-map global_policy
 class inspection_default
  inspect http http_inspect_map

After doing this I can open the first page of any website, but after that no other page opens up. Here are the logs:

Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443 (173.194.33.34/443) to DMZ:192.168.70.5/29735 (192.168.71.74/29735)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80 (173.194.33.43/80) to DMZ:192.168.70.5/29736 (192.168.71.74/29736)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29738 (192.168.71.74/29738)
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=7&gs_id=35&xhr=t&q=rediff.&es_nrs=true&pf=p&biw=1366&bih=622&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&tch=1&ech=7&psi=4efQUcL1GcPOiwL3wYAg.1372645345226...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=4-fQUd3eMqrpiwL0nYCABQ&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=8&gs_id=3j&xhr=t&q=rediff.c&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=8&psi=4efQUcL1GcPOiwL3wYAg.137264534522...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=9&gs_id=3z&xhr=t&q=rediff.co&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=9&psi=4efQUcL1GcPOiwL3wYAg.13726453452...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=5OfQUYiCCqbAigKa9ICICg&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4...
Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=10&gs_id=4j&xhr=t&q=rediff.com&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=10&psi=4efQUcL1GcPOiwL3wYAg.13726453...
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags ACK on interface outside

I need to understand the config lines in red and the log entries matched in red.

Regards

Mahesh

5 REPLIES

Enabling Advanced HTTP application inspection

Hello My friend,

policy-map type inspect http http_inspect_map

parameters

protocol-violation action  drop-connection log

match not response header  content-type application/msword?????????????????????

drop-connection  log

That says:

If the ASA sees an HTTP packet whose response header does not contain an application/msword content-type, it will be dropped.

So in your case the drops you see are due to the fact that the response does not contain that header.

Did you configure that just for test purposes, or is that what you are looking for?

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
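To see the drop described above end to end, the script below is an added example (not code from the thread or from Cisco). It takes a constructed sample made from the syslog lines Mahesh posted (URLs and duplicate lines removed, spacing normalised), ties each %ASA-5-415008 "matched not response header" event to the 507003 / 302014 teardown and the trailing 106015 "Deny TCP (no connection)" lines for the same flow, and models the `match` / `match not` decision the policy applies to a response Content-Type. One detail worth noticing: 106015 reports the NAT-mapped client address (192.168.71.74) while 415008 and 507003 report the real one (192.168.70.5), so the 302013 "real (mapped)" line is used to join them. The header comparison is a simplification (plain MIME type, parameters ignored) and does not claim to reproduce the ASA's own matching rules.

```python
"""Correlate ASA HTTP-inspection drops across the syslog messages of one flow."""
import re
from collections import OrderedDict

# Constructed sample: the relevant lines from the thread, whitespace normalised.
SAMPLE_LOG = """\
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443 (173.194.33.34/443) to DMZ:192.168.70.5/29735 (192.168.71.74/29735)
Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)
Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80
Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.
Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside
Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags ACK on interface outside
"""

# Message shapes as they appear in the posted logs (assumed to be the standard format).
MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
BUILT = re.compile(r"Built outbound TCP connection (\d+) for \w+:([\d.]+)/(\d+) "
                   r"\([\d.]+/\d+\) to \w+:([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
INSPECT_DROP = re.compile(r"matched (not )?response header (\S+) (\S+) in policy-map (\S+),"
                          r".*Dropping connection from \w+:([\d.]+)/(\d+) to \w+:\s*([\d.]+)/(\d+)")
TERMINATED = re.compile(r"tcp flow from \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) terminated by inspection engine")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+)")
DENY = re.compile(r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags ([A-Z ]+?) on interface")


def correlate(log_text):
    """Return {(client_ip, client_port, server_ip, server_port): info} for every
    flow an HTTP inspection policy dropped, listing the message IDs seen for it."""
    mapped_to_real = {}   # (mapped_ip, port) -> real client ip, learned from 302013
    conn_of_flow = {}     # flow key -> ASA connection id
    flows = OrderedDict()
    for line in log_text.splitlines():
        m = MSG.search(" ".join(line.split()))   # collapse doubled spaces
        if not m:
            continue
        msg_id, body = m.groups()
        try:
            if msg_id == "302013":
                conn, s_ip, s_port, c_ip, c_port, map_ip, map_port = BUILT.search(body).groups()
                mapped_to_real[(map_ip, int(map_port))] = c_ip
                conn_of_flow[(c_ip, int(c_port), s_ip, int(s_port))] = conn
            elif msg_id == "415008":
                neg, field, value, pmap, c_ip, c_port, s_ip, s_port = INSPECT_DROP.search(body).groups()
                key = (c_ip, int(c_port), s_ip, int(s_port))
                flows[key] = {
                    "conn": conn_of_flow.get(key),
                    "policy_map": pmap,
                    "criterion": "match %sresponse header %s %s" % (neg or "", field, value),
                    "events": ["415008"],
                }
            elif msg_id == "507003":
                c_ip, c_port, s_ip, s_port = TERMINATED.search(body).groups()
                key = (c_ip, int(c_port), s_ip, int(s_port))
                if key in flows:
                    flows[key]["events"].append("507003")
            elif msg_id == "302014":
                _conn, s_ip, s_port, c_ip, c_port = TEARDOWN.search(body).groups()
                key = (c_ip, int(c_port), s_ip, int(s_port))
                if key in flows:
                    flows[key]["events"].append("302014")
            elif msg_id == "106015":
                s_ip, s_port, map_ip, map_port, flags = DENY.search(body).groups()
                real_ip = mapped_to_real.get((map_ip, int(map_port)), map_ip)  # undo the NAT
                key = (real_ip, int(map_port), s_ip, int(s_port))
                if key in flows:
                    flows[key]["events"].append("106015 " + flags.strip())
        except AttributeError:   # known message id, but body not in the expected shape
            continue
    return flows


def http_policy_action(response_headers, field="content-type", value="application/msword", negate=True):
    """Model of `match [not] response header <field> <value>` + `drop-connection`.
    Simplification: the header is compared as a bare MIME type (parameters such as
    `; charset=UTF-8` ignored).  negate=True is the thread's `match not`: everything
    that is NOT msword is dropped (an allow-list).  negate=False drops only msword."""
    actual = response_headers.get(field.lower(), "").split(";")[0].strip().lower()
    matched = actual == value.lower()
    return "drop-connection" if matched != negate else "pass"


if __name__ == "__main__":
    for key, info in correlate(SAMPLE_LOG).items():
        print("flow %s:%d -> %s:%d conn %s dropped by %s (%s): %s"
              % (key + (info["conn"], info["policy_map"], info["criterion"], ", ".join(info["events"]))))
    for ct in ("text/html; charset=UTF-8", "application/msword"):
        print("%-30s match not -> %-16s match -> %s" % (
            ct, http_policy_action({"content-type": ct}),
            http_policy_action({"content-type": ct}, negate=False)))
```

Run it as-is and the single dropped flow comes out with all five follow-on messages attached; the two trailing 106015 lines are the server's retransmissions arriving after the ASA has already torn the connection down, which is why they show up as "no connection" rather than as a new drop.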

Enabling Advanced HTTP application inspection

Hi Julio,

Just for testing purposes.

So when you say it looks for the msword header, does this mean that when I open a website like, say, www.google.com, that URL should have the msword header, otherwise it will be dropped?

Regards

Mahesh

Enabling Advanced HTTP application inspection

Hello,

The content-type header should be exactly that one. Otherwise a drop will happen (as configured).


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
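To make the effect of the `not` keyword concrete, here is the posted policy beside the same policy without `not`, as an added example that is not part of the thread. Both use the policy-map and class names from Mahesh's config; the only difference between the two inspect policy-maps is that one word.

```text
! As posted: "match not" + drop-connection is an allow-list.  Every HTTP response
! whose Content-Type is anything other than application/msword is dropped, so
! ordinary HTML, images and scripts never reach the client.
policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match not response header content-type application/msword
  drop-connection log
!
! Without "not": only responses that carry application/msword are dropped
! (block Word downloads), everything else passes.
policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action drop-connection log
 match response header content-type application/msword
  drop-connection log
!
! Either version is applied the same way.
policy-map global_policy
 class inspection_default
  inspect http http_inspect_map
```

Two things to keep in mind when testing either version: `inspect http` only sees cleartext HTTP, so the port 443 connection in the logs (34378) is never evaluated by the policy, and `show service-policy inspect http` lists the per-match drop counters, which is the quickest way to confirm that the policy and not an ACL is closing the connections.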

Enabling Advanced HTTP application inspection

Hi Julio,

Thanks for answering my question.

Yes  sir post is rated as usual.

Regards

Mahesh

Enabling Advanced HTTP application inspection

Great,

Have a great day Mahesh


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC