Cisco Support Community
New Member

Inspecting http traffic on the ASA

The ASA default inspection policy includes a number of well-known applications and is applied globally on the system:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Now, http inspection is NOT enabled by default, so typically what I have done was to go into the class inspection_default and add it:

class inspection_default
  inspect dns preset_dns_map
  inspect http

But I was reading through some Cisco documentation that indicates this may not work, or is not the way to do it. They recommend creating new class maps, policies, etc. Example:

hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global

So the question is, have I been doing this wrong? Will adding http inspection to the class inspection_default not work?
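An added example, not taken from the thread or from Cisco's documentation: the separate class-map from the quoted document, but folded into the existing global_policy rather than applied as a second global policy, because the ASA accepts only one global service policy (the quoted `service-policy http_traffic_policy global` assumes none exists yet). Since `match default-inspection-traffic` already covers TCP/80, both placements see the same traffic; the map name http_inspect_map is a placeholder, and the map is log-only so that pages broken by non-RFC behaviour show up in the log before any drop action is chosen.

```cisco
! Added example (not from the thread): http inspection as its own class inside
! the existing global_policy. A second "service-policy ... global" line would be
! refused, because the ASA allows exactly one global service policy.
class-map http_traffic
 match port tcp eq 80
!
! Log-only http inspection map (name is a placeholder): requests that violate
! the HTTP RFCs are logged rather than dropped, so "page will not open"
! complaints can be checked against the log before tightening the action.
policy-map type inspect http http_inspect_map
 parameters
  protocol-violation action log
!
policy-map global_policy
 class http_traffic
  inspect http http_inspect_map
!
! global_policy is already applied with "service-policy global_policy global";
! no further service-policy line is needed.
```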

3 REPLIES
Cisco Employee

Hi Colin,

Which document was that? Basically, when they say that it does not work correctly, it is because several sites out there (not a common problem with the ones hosted by Akamai) are using non-RFC http parameters, which results in the ASA dropping the packets and the end user not being able to open the web page.

Where did you see that document, is it a Cisco one? Can you share it?

Mike
New Member

It was a Cisco document (I will try to find the link).

It said that http inspection is not enabled by default, but instead of instructing me to add it to the class inspection_default, it says to create a new class-map for http (see above).

It seemed like the implication here was that it wouldn't work within the inspection_default class, which makes no sense to me. Maybe I am just misreading it.

Have other people here added http to the class inspection_default?

Cisco Employee

I work for TAC, and from the customers that I have, I've never seen it. Been there for a while now.

Mike