Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

pix/asa 7.2: confusion about "http-map" and "policy map type inspect http"

With Pix/ASA OS 7.1 to configure http inspection the configuration guide shows expamples like the following:

access-list HTTP_PORTS extended permit tcp any any range 80 81

!

class-map http-ports

match access-list HTTP_PORTS

exit

!

http-map maphttp

max-uri-length 256 action reset log

port-misuse default action drop log

request-method rfc default action reset log

request-method rfc get action allow

request-method rfc post action allow

request-method rfc head action allow

strict-http action allow log

exit

!

policy-map global_policy

...

class http-ports

inspect http maphttp

exit

exit

All packets matched by class "http-port" are inspected using configuration defined in http-map "maphttp".

In OS 7.2 configuration guide the examples showing http inspect configuration are quite different. It seems that in OS 7.2 the "http-map" has been substituted by a mix of "class map type inspect http" and "policy map type inspect http" commands.

So an example of http inspection configuration with OS 7.2 is:

class-map type inspect http HTTP_METHOD_CLASS

match not request method get

match not request method post

match not request method head

exit

!

policy-map type inspect http HTTP_OUT_INSPECT

match request uri length gt 256

reset log

exit

class HTTP_METHOD_CLASS

reset log

exit

parameters

protocol-violation action reset log

exit

exit

!

policy-map global_policy

....

class http-ports

inspect http HTTP_OUT_INSPECT

exit

exit

The first question is: is it true? Is "http-map" deprecated or outdated in OS 7.2? I couldn't find clear documentation about it.

Actually is still possible configure a PIX/ASA with OS 7.2 using "http-map", the command is still there and is still described in the 7.2 command reference documentation (but not in the configuration guide).

I believe that the "http-map" configuration and the "class-map/policy-map type inspect http" configuration are quite different. Using "http-map" we can configure the "port-misuse" command and the strict-http command too, which are not available in "class-map/policy-map type inspect http" configuration "style". Moreover with "policy-map type inspect http" only we can configure the mysterious "protocol-violation" parameter.

I called protocol-violation "mysterious" because if you look for it in the command reference you can find that it is related to netbios protocol inspection, not http... So the second question is: is there anybody who can exactly explain what the "protocol-violation" command does in the http inspection context?

The two configuration styles seems both available in OS 7.2 but I can't understand how they can be mixed (if they can), which should be used and why it seems there are two ways to configure quite the same thing (not exactly the same: "port-misuse" is used to detect tunneling protocols in http and I don't know how to do it using the 7.2 configuration style).

The third (and last) question is: is there anybody who can clearly explain the difference between the http inspection configuration methods (if there is any) and which will be valid in the future?

I hope I could explain my doubts clearly.

Thanks.

3 REPLIES
New Member

Re: pix/asa 7.2: confusion about "http-map" and "policy map type

Sorry to say I can't be of help,

but if it's any consulation, I too have noted and pondered about the introduction of the "class-map type inspect" and the "policy-map type inspect" commands. However I have this feeling that I don't grapst their full significance nor exactly understand how they improve upon the previous method.

At least for me, Cisco documentation seems rather sparse for such an abrupt change in syntax and ....capabilities?

And for those of you who think this is insigificant, let me point out that Cisco was rather late to the firewall deep-packet inspection party. However once there, they've jumped into it in a big way. So when a change is made in this regard... it's likely worth taking the time to understand.

How about it Cisco...could you please issue some white papers or something to clarify this.

New Member

Re: pix/asa 7.2: confusion about "http-map" and "policy map type

Thanks for your reply, you make me feel not alone with my doubts.

I opened a TAC request (id 604679873) to ask about the new "class-map/policy-map type inspect" command. The case is still opened because I still had not received a full and clear explanation.

A Cisco engineer told me clearly that the "http-map" command is deprecated in 7.2 and from now on we should use the "class-map/policy-map type inspect" commands (but why Cisco didn't tell this clearly and in every release notes document?). These newer commands are more powerful (or so they could appear) but are really bad explained in documentation. The Cisco engineer posted me an example configuration to stop instant messaging tunnels over http with 7.2:

policy-map type inspect http DenyIM_HTTP

description Deny IM over HTTP

parameters

match request uri regex _default_aim-messenger

drop-connection log

match request uri regex _default_msn-messenger

drop-connection log

match request uri regex _default_windows-media-player-tunnel

drop-connection log

match request uri regex _default_yahoo-messenger

drop-connection log

I believe this example is very interesting, but it points out that there are a lot of commands that are not described at all in documentation.

I tried to enter this commands and I found that the PIX accepted them! So actually there are a lot of embedded "_default_*" regular expressions to be used in http deep inspection but nothing is written about them in documentation!

Now I think that the 7.2 documentation and references are only a copy, with little changes, of the previous release documents; it's not updated and we should not take care of it because may be really wrong (and a number of months are passed since OS 7.2 has been released...).

We all should complain about this lacks in documentation sending e-mails, talking about it in forum like this or opening a lot of TAC requests. I work with Cisco routers, switch and other appliances since 1995 and since now I could not expect a situation like this from Cisco. I'm very disappointed.

I hope that someone from Cisco read this messages and answer posting a correct and complete documentation with a lot of examples.

New Member

Re: pix/asa 7.2: confusion about "http-map" and "policy map type

hi thanks a lot for ur detailed observation of the differences of teh http-map in different code. my friend is preparing for the new ccie security track and puzzled since in the new code right from 7.0,7.1 and 7.2 they are papidly changes commands in the ios. and for the lab they have only mentiioned they will be 7.x code not the specific one . if onw should prepare for it he should be well versed with the ios that is going ot be tested or the one which is more stable.

abt the regular expression atleast they should mention a configuration example or the task we can do with it.

waiting for cisco to clear the thin air of confusion.

regards

sebastan

326
Views
0
Helpful
3
Replies