pix/asa 7.2: confusion about "http-map" and "policy map type inspect http"

oxys
Level 1

With Pix/ASA OS 7.1, to configure http inspection, the configuration guide shows examples like the following:

access-list HTTP_PORTS extended permit tcp any any range 80 81
!
class-map http-ports
 match access-list HTTP_PORTS
 exit
!
http-map maphttp
 max-uri-length 256 action reset log
 port-misuse default action drop log
 request-method rfc default action reset log
 request-method rfc get action allow
 request-method rfc post action allow
 request-method rfc head action allow
 strict-http action allow log
 exit
!
policy-map global_policy
 ...
 class http-ports
  inspect http maphttp
  exit
 exit

All packets matched by class "http-ports" are inspected using the configuration defined in http-map "maphttp".

In the OS 7.2 configuration guide the examples showing http inspect configuration are quite different. It seems that in OS 7.2 the "http-map" has been substituted by a mix of "class-map type inspect http" and "policy-map type inspect http" commands.

So an example of an http inspection configuration with OS 7.2 is:

class-map type inspect http HTTP_METHOD_CLASS
 match not request method get
 match not request method post
 match not request method head
 exit
!
policy-map type inspect http HTTP_OUT_INSPECT
 match request uri length gt 256
  reset log
  exit
 class HTTP_METHOD_CLASS
  reset log
  exit
 parameters
  protocol-violation action reset log
  exit
 exit
!
policy-map global_policy
 ....
 class http-ports
  inspect http HTTP_OUT_INSPECT
  exit
 exit

The first question is: is it true? Is "http-map" deprecated or outdated in OS 7.2? I couldn't find clear documentation about it.

Actually it is still possible to configure a PIX/ASA with OS 7.2 using "http-map"; the command is still there and is still described in the 7.2 command reference documentation (but not in the configuration guide).

I believe that the "http-map" configuration and the "class-map/policy-map type inspect http" configuration are quite different. Using "http-map" we can configure the "port-misuse" command and the "strict-http" command too, which are not available in the "class-map/policy-map type inspect http" configuration "style". Moreover, only with "policy-map type inspect http" can we configure the mysterious "protocol-violation" parameter.

I called protocol-violation "mysterious" because if you look for it in the command reference you find that it is related to NetBIOS protocol inspection, not http... So the second question is: is there anybody who can explain exactly what the "protocol-violation" command does in the http inspection context?

The two configuration styles both seem to be available in OS 7.2, but I can't understand how they can be mixed (if they can), which should be used, and why there seem to be two ways to configure quite the same thing (not exactly the same: "port-misuse" is used to detect tunneling protocols in http and I don't know how to do that using the 7.2 configuration style).

The third (and last) question is: is there anybody who can clearly explain the difference between the http inspection configuration methods (if there is any) and which will remain valid in the future?

I hope I have explained my doubts clearly.

Thanks.

3 Replies

rmt777666
Level 1

Sorry to say I can't be of help,

but if it's any consolation, I too have noted and pondered about the introduction of the "class-map type inspect" and the "policy-map type inspect" commands. However, I have this feeling that I don't grasp their full significance nor exactly understand how they improve upon the previous method.

At least for me, Cisco documentation seems rather sparse for such an abrupt change in syntax and... capabilities?

And for those of you who think this is insignificant, let me point out that Cisco was rather late to the firewall deep-packet inspection party. However, once there, they've jumped into it in a big way. So when a change is made in this regard... it's likely worth taking the time to understand.

How about it, Cisco... could you please issue some white papers or something to clarify this?

Thanks for your reply, you make me feel I am not alone with my doubts.

I opened a TAC request (id 604679873) to ask about the new "class-map/policy-map type inspect" commands. The case is still open because I have still not received a full and clear explanation.

A Cisco engineer told me clearly that the "http-map" command is deprecated in 7.2 and from now on we should use the "class-map/policy-map type inspect" commands (but why didn't Cisco say this clearly and in every release notes document?). These newer commands are more powerful (or so they appear) but are really badly explained in the documentation. The Cisco engineer sent me an example configuration to stop instant messaging tunnels over http with 7.2:

policy-map type inspect http DenyIM_HTTP
 description Deny IM over HTTP
 parameters
 match request uri regex _default_aim-messenger
  drop-connection log
 match request uri regex _default_msn-messenger
  drop-connection log
 match request uri regex _default_windows-media-player-tunnel
  drop-connection log
 match request uri regex _default_yahoo-messenger
  drop-connection log

I believe this example is very interesting, but it points out that there are a lot of commands that are not described at all in the documentation.

I tried to enter these commands and I found that the PIX accepted them! So actually there are a lot of embedded "_default_*" regular expressions to be used in http deep inspection, but nothing is written about them in the documentation!

Now I think that the 7.2 documentation and references are only a copy, with little change, of the previous release's documents; it's not updated and we should not rely on it because it may be really wrong (and a number of months have passed since OS 7.2 was released...).

We all should complain about these gaps in the documentation by sending e-mails, talking about it in forums like this one, or opening a lot of TAC requests. I have worked with Cisco routers, switches and other appliances since 1995 and until now I could not have expected a situation like this from Cisco. I'm very disappointed.

I hope that someone from Cisco reads these messages and answers by posting correct and complete documentation with a lot of examples.
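The two 7.2-style fragments in this thread (the original post's method/URI-length/protocol-violation policy and the TAC engineer's IM-tunnel regex policy) can be combined into a single Layer 7 policy, which also shows the 7.2 answer to the "port-misuse" question: tunnel detection is done with "match request uri regex" against the built-in "_default_*" regexes. The listing below is an added example written for this page, not configuration from the thread or from Cisco documentation. It assumes an ASA/PIX running 7.2 on which the "_default_*" regexes exist (as the poster above confirmed) and on which the Layer 3/4 class "http-ports" and "policy-map global_policy" from the original post are already defined. The "match" statements are placed at policy-map level, with only "protocol-violation" under "parameters", which is where the 7.2 inspect-http policy map keeps them. One caveat for anyone relying on this as a control: the regex matches only catch the URI patterns those built-in expressions encode, so they are a heuristic, not a guarantee that no tunnel passes.

```cisco
! Added example, not from the thread. Assumes ASA/PIX 7.2, the built-in
! "_default_*" regexes, and an existing L3/L4 class "http-ports" in "global_policy".
!
! Layer 7 class: any request whose method is not GET, POST or HEAD.
! A "class-map type inspect http" is match-all by default, so the three
! "match not" lines are ANDed: the class matches only when the method is
! none of the three.
class-map type inspect http HTTP_METHOD_CLASS
 match not request method get
 match not request method post
 match not request method head
!
! Layer 7 policy: inline "match" statements and "class" references sit at
! policy-map level; engine settings such as "protocol-violation" go under
! "parameters".
policy-map type inspect http HTTP_OUT_INSPECT
 description Restrict methods, cap URI length, drop IM tunnels over HTTP
 ! URI length limit (the http-map "max-uri-length 256" equivalent)
 match request uri length gt 256
  reset log
 ! Methods other than GET/POST/HEAD (the http-map "request-method" equivalent)
 class HTTP_METHOD_CLASS
  reset log
 ! Tunnel detection (the closest 7.2 equivalent of http-map "port-misuse"):
 ! drop and log connections whose request URI matches a built-in IM regex.
 match request uri regex _default_aim-messenger
  drop-connection log
 match request uri regex _default_msn-messenger
  drop-connection log
 match request uri regex _default_yahoo-messenger
  drop-connection log
 match request uri regex _default_windows-media-player-tunnel
  drop-connection log
 ! Engine parameter from the original post's 7.2 example
 parameters
  protocol-violation action reset log
!
! Attach the Layer 7 policy to the existing Layer 3/4 class in the global policy.
policy-map global_policy
 class http-ports
  inspect http HTTP_OUT_INSPECT
```

After applying it, "show service-policy inspect http" reports per-class hit counts for the policy, which is the quickest way to confirm that the method class and the regex matches are actually firing on traffic through "http-ports" rather than being silently bypassed.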

Hi, thanks a lot for your detailed observation of the differences of the http-map in different code. My friend is preparing for the new CCIE Security track and is puzzled, since in the new code, right from 7.0, 7.1 and 7.2, they are rapidly changing commands in the IOS, and for the lab they have only mentioned it will be 7.x code, not a specific one. If one should prepare for it, he should be well versed with the IOS that is going to be tested, or the one which is more stable.

About the regular expressions, at least they should mention a configuration example or the tasks we can do with them.

Waiting for Cisco to clear the thin air of confusion.

regards

sebastan
