I have a scenario I'm trying to debug, and I'm hoping that if I describe it, it will jump out at someone who is more knowledgeable than me.
Basically, I'm using WCCP on the ASA Firewall to redirect local requests to a squid box which then passes them across to data-center.
If my HTTP request uses the full hostname it all works fine; if I use http://$ip_address it also works fine.
However, if I use a short-hostname I seem to be falling foul of something which I believe is the ASA Firewall chewing up the requests. I *know* that the client machine can resolve the short-name and can resolve it correctly. I know this because I can telnet to port 80 on the web-server and the connection initiates fine.
However, when I send a HTTP request with a short "Host" header it gets dropped before it reaches the local squid box. I know this because I'm tcpdumping on the squid box and it isn't getting there.
If I actually RDP into the data-center and issue a HTTP request with the same short hostname in the HTTP "Host" header I can see it works fine so it isn't a case of the web-server dropping it.
So basically my theory is that the ASA Firewall is looking into the HTTP request and trying to check that the HTTP Host header is OK, and somehow deciding that it is not in the short case.
Does ASA Firewall have a feature where it looks at the host header in a HTTP request and if it is not resolvable it drops the packet? If so what would the Cisco configuration look like? I don't have direct access to the ASA firewall myself so it is quite hard to debug by proxy.