ASA - HTTP Inspection

 

Assumptions

All changes are made in the global service-policy, but you can use a different one if you wish.

After modifying a policy-map, remember to reload the service-policy: first (no service-policy global_policy global), then (service-policy global_policy global).

 

Standard HTTP inspection can be enabled in the following way:

 

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect http

(config-pmap-c)# exit

(config-pmap)# exit


Inspect: http, packet 5865, drop 0, reset-drop 0

 

Advanced Inspection

EXAMPLE 1

  • Change HTTP Server header.

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# parameters

(config-pmap-p)# spoof-server "Addura Services HTTP Server"

(config-pmap-p)# exit

(config-pmap)# exit

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect http danpol-http

(config-pmap-c)# exit

(config-pmap)# exit

Enabling advanced inspection

 TEST


Inspect: http danpol-http, packet 88, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

 

 

 EXAMPLE 2

  • Enable HTTP strict option.

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# parameters

(config-pmap-p)# protocol-violation action drop-connection log

(config-pmap-p)# exit

(config-pmap)# exit

We enabled the action "drop-connection log", but you can also use "reset log". The difference is that the first drops the connection, while the second drops it and sends a TCP reset.


EXAMPLE 3

  • Block HTTP method "POST".


(config)# policy-map type inspect http danpol-http

(config-pmap)# match request method post

(config-pmap-c)# drop-connection log

(config-pmap-c)# exit

(config-pmap)# exit

TEST

Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post in policy-map danpol-http, method matched - Dropping connection from outside:x.x.x.x/4000 to inside:10.10.1.10/80

 

 

EXAMPLE 4

  • Block access to YouTube sites.

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# match request header host regex youtube

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

TEST


Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host regex youtube in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/34550 to outside: 217.119.79.59/80

 

 EXAMPLE 5

  • Block access to the Internet or Web servers for all Mozilla browsers and their clones.

(config)# regex Mozilla "Mozilla"

(config)# policy-map type inspect http danpol-http
(config-pmap)# match request header user-agent regex Mozilla

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

 

 TEST

Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header user-agent regex Mozilla in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/44143 to outside: 5.39.93.217/80
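The log lines shown in the TEST sections can be turned into structured events for monitoring which inspection rule fired and against whom. The Python below is an added example, not part of the original article; it assumes the message layout seen in the three sample lines on this page (IDs 415008 and 415009), and the names parse_line and summarize are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the TEST output on this page.
SAMPLE_LOGS = [
    "Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post in policy-map danpol-http, method matched - Dropping connection from outside:x.x.x.x/4000 to inside:10.10.1.10/80",
    "Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host regex youtube in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/34550 to outside: 217.119.79.59/80",
    "Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header user-agent regex Mozilla in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/44143 to outside: 5.39.93.217/80",
]

# Layout inferred from the three sample lines only (an assumption).
# \s* after the interface colon tolerates "outside: 217.119.79.59/80".
EVENT_RE = re.compile(
    r"%ASA-(?P<severity>\d)-(?P<msg_id>41500[89]): HTTP - matched "
    r"(?P<criterion>.+?) in policy-map (?P<policy>\S+), "
    r"\w+ matched - (?P<action>Dropping|Resetting) connection "
    r"from (?P<src_if>[^:\s]+):\s*(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)


def parse_line(line):
    """Return a dict for an HTTP inspection match event, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def summarize(lines):
    """Count events per (policy-map, match criterion, action)."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event:
            counts[(event["policy"], event["criterion"], event["action"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        print(n, *key)
```

A sudden rise in the count for one criterion, such as the user-agent rule, is a quick way to see how broadly a match is hitting client traffic.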

 

 dzbanek 2013-03-09

