Assumptions
All changes are made in the global service-policy, but you can apply them to another policy if you wish.
After modifying a policy-map, remember to reload the service-policy: first "no service-policy global_policy global", then "service-policy global_policy global".
Standard HTTP inspection can be enabled in the following way:
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# inspect http
(config-pmap-c)# exit
(config-pmap)# exit
Inspect: http, packet 5865, drop 0, reset-drop 0
Advanced Inspection
EXAMPLE 1
- Change HTTP Server header.
(config)# policy-map type inspect http danpol-http
(config-pmap)# parameters
(config-pmap-p)# spoof-server "Addura Services HTTP Server"
(config-pmap-p)# exit
(config-pmap)# exit
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# inspect http danpol-http
(config-pmap-c)# exit
(config-pmap)# exit
Enabling advanced inspection
TEST
Inspect: http danpol-http, packet 88, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
EXAMPLE 2
- Enable HTTP strict option.
(config)# policy-map type inspect http danpol-http
(config-pmap)# parameters
(config-pmap-p)# protocol-violation action drop-connection log
(config-pmap-p)# exit
(config-pmap)# exit
We enabled the action "drop-connection log", but you can also use "reset log". The difference is that the first silently drops the connection, while the second drops it and sends a TCP reset to the client.
EXAMPLE 3
- Block HTTP method "POST".
(config)# policy-map type inspect http danpol-http
(config-pmap)# match request method post
(config-pmap-c)# drop-connection log
(config-pmap-c)# exit
(config-pmap)# exit
TEST
Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post in policy-map danpol-http, method matched - Dropping connection from outside:x.x.x.x/4000 to inside:10.10.1.10/80
EXAMPLE 4
- Block access to youtube sites.
(config)# regex youtube "youtube"
(config)# policy-map type inspect http danpol-http
(config-pmap)# match request header host regex youtube
(config-pmap-c)# reset log
(config-pmap-c)# exit
(config-pmap)# exit
Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host regex youtube in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/34550 to outside:217.119.79.59/80
EXAMPLE 5
- Block access to the Internet or web servers for all Mozilla browsers and their clones.
(config)# regex Mozilla "Mozilla"
(config)# policy-map type inspect http danpol-http
(config-pmap)# match request header user-agent regex Mozilla
(config-pmap-c)# reset log
(config-pmap-c)# exit
(config-pmap)# exit
TEST
Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header user-agent regex Mozilla in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/44143 to outside:5.39.93.217/80
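The %ASA-5-415008/415009 messages above are what you will be looking at when checking that the policy-map works, so here is a small parser for them, written as an added example (not from the original post or from Cisco), that pulls out the policy-map, the match criterion, the action and the endpoints and tallies enforcement events per rule. The sample lines are constructed after the TEST output above; the hostname/timestamp prefix format is assumed to be the same as shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines modelled on the TEST output above (the last one is a
# non-inspection message and must be ignored by the parser).
SAMPLE_LOGS = [
    "Mar 09 2013 00:06:03: %ASA-5-415009: HTTP - matched request method post in policy-map danpol-http, method matched - Dropping connection from outside:x.x.x.x/4000 to inside:10.10.1.10/80",
    "Mar 08 2013 23:58:29: %ASA-5-415008: HTTP - matched request header host regex youtube in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/34550 to outside:217.119.79.59/80",
    "Mar 09 2013 09:09:20: %ASA-5-415008: HTTP - matched request header user-agent regex Mozilla in policy-map danpol-http, header matched - Resetting connection from inside:10.10.1.10/44143 to outside:5.39.93.217/80",
    "Mar 09 2013 09:10:00: %ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.7/1234 (192.0.2.7/1234) to inside:10.10.1.10/80 (10.10.1.10/80)",
]

# 415008 = header match, 415009 = method match. The separator is accepted as either a
# plain hyphen or an en-dash, since copy/paste often converts the former into the latter.
HTTP_INSPECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msg_id>41500[89]): HTTP [-\u2013] "
    r"matched (?P<criterion>.+?) in policy-map (?P<policy>[^,]+), \w+ matched [-\u2013] "
    r"(?P<action>Dropping|Resetting) connection from (?P<src_if>\w+):\s*(?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):\s*(?P<dst>\S+?)/(?P<dport>\d+)$"
)


@dataclass
class HttpInspectEvent:
    timestamp: str
    msg_id: str        # "415008" (header matched) or "415009" (method matched)
    policy_map: str    # e.g. "danpol-http"
    criterion: str     # the match statement that fired, e.g. "request method post"
    action: str        # "Dropping" (drop-connection) or "Resetting" (reset)
    src: str           # "interface:ip/port"
    dst: str           # "interface:ip/port"


def parse_http_inspect(line: str) -> Optional[HttpInspectEvent]:
    """Return the parsed event, or None for any syslog line that is not a 415008/415009."""
    m = HTTP_INSPECT_RE.match(line.strip())
    if not m:
        return None
    return HttpInspectEvent(
        timestamp=m["ts"], msg_id=m["msg_id"], policy_map=m["policy"],
        criterion=m["criterion"], action=m["action"],
        src=f"{m['src_if']}:{m['src']}/{m['sport']}",
        dst=f"{m['dst_if']}:{m['dst']}/{m['dport']}",
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count enforcement events per (policy-map, criterion, action) to audit which rules fire."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        ev = parse_http_inspect(line)
        if ev is not None:
            key = (ev.policy_map, ev.criterion, ev.action)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

A sudden jump in the count for a rule (or a drop to zero after a reload) is the quickest sign that the policy-map was changed or that the service-policy was not re-applied.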
dzbanek 2013-03-09