Assumptions

All changes below are made to the global service policy (policy-map global_policy, applied with "service-policy global_policy global"); you can attach the inspection policy to an interface-specific policy instead if you wish. Note that class inspection_default matches default-inspection-traffic, so HTTP inspection applies only to TCP port 80. HTTPS (TCP 443) is not inspected, and none of the examples below affect it.

After modifying a policy-map, remember to reload the service policy: first "no service-policy global_policy global", then "service-policy global_policy global".

 

Standard HTTP inspection can be enabled in the following way:

 

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect http

(config-pmap-c)# exit

(config-pmap)# exit

 

Verify with "show service-policy"; the inspect line should show the http engine counting packets:

Inspect: http, packet 5865, drop 0, reset-drop 0

 

Advanced Inspection

EXAMPLE 1

  • Change (spoof) the Server header that the ASA returns to clients in HTTP responses.

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# parameters

(config-pmap-p)# spoof-server "Addura Services HTTP Server"

(config-pmap-p)# exit

(config-pmap)# exit

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect http danpol-http

(config-pmap-c)# exit

(config-pmap)# exit

Enabling advanced inspection

 TEST

[screenshot: http-inspection-1.PNG]

Inspect: http danpol-http, packet 88, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

 

 

 EXAMPLE 2

  • Enable strict HTTP protocol conformance checking (act on requests that violate the HTTP RFC).

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# parameters

(config-pmap-p)# protocol-violation action drop-connection log

(config-pmap-p)# exit

(config-pmap)# exit

We chose the action "drop-connection log", but "reset log" is also available. The difference is that drop-connection silently drops the connection, while reset drops it and also sends a TCP RST to the endpoints. If you only want visibility without blocking, the action "log" on its own records the violation and lets the connection through.

 

EXAMPLE 3

  • Block HTTP method "POST".

 

(config)# policy-map type inspect http danpol-http

(config-pmap)# match request method post

(config-pmap-c)# drop-connection log

(config-pmap-c)# exit

(config-pmap)# exit

TEST

Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post in policy-map danpol-http, method matched - Dropping connection from outside:x.x.x.x/4000 to inside:10.10.1.10/80

 

 

EXAMPLE 4

  • Block access to YouTube sites (plain HTTP only; see the assumptions above).

 

The "regex youtube" keyword refers to a regex object, which must be defined before the match references it (exactly as in Example 5). The pattern used here is an assumption; the original post does not show it:

(config)# regex youtube "youtube"

(config)# policy-map type inspect http danpol-http

(config-pmap)# match request header host regex youtube

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

TEST
 
[screenshot: http-inspection-2.PNG]

Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host regex youtube in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/34550 to outside:217.119.79.59/80

 

 EXAMPLE 5

  • Block web access for all browsers that identify themselves as Mozilla (and their clones). Be aware that nearly every modern browser, including Chrome, Safari and Internet Explorer, sends a User-Agent beginning with "Mozilla/", so in practice this rule blocks almost all browser traffic on port 80.

(config)# regex Mozilla "Mozilla"

(config)# policy-map type inspect http danpol-http
(config-pmap)# match request header user-agent regex Mozilla

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

 

 TEST

Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header user-agent regex Mozilla in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/44143 to outside:5.39.93.217/80
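The %ASA-5-415008 (header matched) and %ASA-5-415009 (method matched) messages shown in the tests of Examples 3, 4 and 5 are what you would ship to a syslog collector or SIEM to see which inspection rule fired, for whom, and how often. As an added example (not part of the original post and not Cisco code), here is a small Python parser for those two message IDs, run over constructed sample lines in the same format (documentation IP ranges, not the addresses above), with a per-rule hit summary and a top-sources list. The field layout follows the three log lines on this page; the regular expression, the function names and the %ASA-6-302013 line used as a non-matching case are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the ASA emits for HTTP
# inspection policy hits (415008 = header matched, 415009 = method matched).
# The last line is a normal connection-build message (302013) that the
# parser must ignore. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post "
    "in policy-map danpol-http, method matched - Dropping connection from "
    "outside:198.51.100.7/4000 to inside:10.10.1.10/80",
    "Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host "
    "regex youtube in policy-map danpol-http, header matched - Resetting "
    "connection from inside:10.10.1.10/34550 to outside:203.0.113.59/80",
    "Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header "
    "user-agent regex Mozilla in policy-map danpol-http, header matched - "
    "Resetting connection from inside:10.10.1.10/44143 to outside:203.0.113.217/80",
    "Mar 09 2013 09:10:00: %ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:198.51.100.7/4001 (198.51.100.7/4001) to inside:10.10.1.10/80 (10.10.1.10/80)",
]

# Layout (assumed from the lines above):
#   <ts>: %ASA-<sev>-<id>: HTTP - matched <criterion> in policy-map <name>,
#   <what> matched - <Dropping|Resetting> connection from <if>:<ip>/<port> to <if>:<ip>/<port>
# "\s*" after the interface colon tolerates the stray space some exports insert.
HTTP_MATCH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msg_id>41500[89]): HTTP - matched (?P<criterion>.+?) "
    r"in policy-map (?P<policy_map>\S+), (?P<what>\w+) matched - "
    r"(?P<verb>Dropping|Resetting) connection from "
    r"(?P<src_if>\w+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

# Map the log verb back to the policy-map action that produced it.
ACTION_BY_VERB = {"Dropping": "drop-connection", "Resetting": "reset"}


def parse_line(line):
    """Return a dict for a 415008/415009 hit, or None for any other line."""
    m = HTTP_MATCH_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "msg_id": d["msg_id"],
        "policy_map": d["policy_map"],
        "criterion": d["criterion"],          # e.g. "request method post"
        "action": ACTION_BY_VERB[d["verb"]],
        "src": (d["src_if"], d["src_ip"], int(d["src_port"])),
        "dst": (d["dst_if"], d["dst_ip"], int(d["dst_port"])),
    }


def parse_log(lines):
    """Parse an iterable of syslog lines, keeping only HTTP inspection hits."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def summarize(events):
    """Hit count per (policy-map, match criterion, action)."""
    return Counter((e["policy_map"], e["criterion"], e["action"]) for e in events)


def top_sources(events, n=3):
    """Source IPs that triggered the most inspection hits."""
    return Counter(e["src"][1] for e in events).most_common(n)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e["timestamp"], e["msg_id"], e["action"], e["criterion"],
              "%s:%s/%d -> %s:%s/%d" % (*e["src"], *e["dst"]))
    for (pmap, crit, action), n in summarize(events).items():
        print("%s | %s | %s | %d hit(s)" % (pmap, crit, action, n))
    print("top sources:", top_sources(events))
```

Because the match criterion is captured verbatim, the summary lines up one-to-one with the "match" statements in danpol-http, so a rule that never appears in the summary is a rule that never fired (or traffic that never hit port 80).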

 

 dzbanek 2013-03-09