Inspecting HTTP traffic on the ASA
The ASA default inspection policy includes a number of well-known applications and is applied globally on the system:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
Now HTTP inspection is NOT enabled by default, so typically what I have done was to go into the class inspection_default and add it:
class inspection_default
inspect dns preset_dns_map
inspect http
But I was reading through some Cisco documentation that indicates this may not work, or is not the way to do it. They recommend creating new class maps, policies, etc. Example:
hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global
So the question is, have I been doing this wrong? Will adding HTTP inspection to the class inspection_default not work?
It was a Cisco document (I will try to find the link).
It said that http inspection is not enabled by default, but instead of instructing me to add it to the class inspection_default, it says to create a new class-map for http (see above).
It seemed like the implication here was that it wouldn't work within the inspection_default class, which makes no sense to me. Maybe I am just misreading it.
Have other people here added http to the class inspection_default?
Similar Messages
-
Redirecting http traffic to the proxy server
Hi,
We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
Requirement:
We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
Now that the ASA doesn't support PBR to accomplish this, how can we accomplish this?
Hi,
To list one limitation that you might see in your scenario: you would only be able to redirect to the proxy traffic from those subnets which are physically behind the interface where the WCCP server resides, i.e. UNTRUST.
Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the source part of the traffic:
(DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
Also, the ASA now supports Policy Based Routing from ASA 9.4.1 :)
Thanks and Regards,
Vibhor Amrodia -
ASA - What is allowing return HTTP traffic?
Hi,
I'm just playing around with a few ASAs and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?
Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interfaces.
I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
Thanks for any help.
Firewalls like the ASA are stateful, so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.
So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table, and when the return packet arrives at the firewall, if there is a matching entry the traffic is allowed and there is no ACL check.
The entry is made on source and destination IP and port numbers, and for TCP it also uses the connection flags.
ICMP doesn't use ports, so originally it could not be treated statefully and you had to allow it back in with an ACL (if traffic was from lower to higher security level).
But then stateful inspection was added for ICMP as well, but you still need to enable it, unlike TCP and UDP.
Jon
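The stateful behaviour Jon describes, as an added simulation written for this page (not ASA code): a connection table keyed on protocol, addresses and ports, return traffic permitted only against an existing entry, and ICMP echo replies admitted only when inspection is on and their id/seq match an outstanding request. The drop reasons borrow counter names from the show asp drop output quoted further down this page; the addresses, ports and flows are constructed.

```python
"""Toy model of the stateful connection table described above.

Constructed simulation, not ASA code. TCP/UDP return traffic is permitted
only when a matching conn entry exists; the first TCP packet of a flow
must be a SYN; ICMP echo replies are permitted only when ICMP inspection
is enabled and their id/seq match an outstanding request. Drop reasons
are named after counters in 'show asp drop'.
"""
from dataclasses import dataclass, field

INSIDE_OUT = "inside->outside"   # high (100) to low (0) security: permitted
OUTSIDE_IN = "outside->inside"   # low to high: needs an ACL or a conn entry


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0           # unused for icmp
    dport: int = 0
    flags: str = ""          # tcp only: "S" for SYN, "SA" for SYN-ACK, ...
    icmp_type: str = ""      # "echo-request" or "echo-reply"
    icmp_id: int = 0
    icmp_seq: int = 0


@dataclass
class StatefulFirewall:
    inspect_icmp: bool = False
    # conn table: (proto, src, sport, dst, dport) of the initiating packet
    conns: set = field(default_factory=set)
    # outstanding echo requests: (src, dst, id, seq), only with inspect icmp
    icmp_pending: set = field(default_factory=set)

    @staticmethod
    def _acl_allows(direction):
        # No ACLs applied (as in the question): only the implicit
        # higher-to-lower security-level permission exists.
        return direction == INSIDE_OUT

    def process(self, pkt, direction):
        """Return 'PERMIT' or the drop reason for one packet."""
        if pkt.proto in ("tcp", "udp"):
            fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if fwd in self.conns or rev in self.conns:
                return "PERMIT"          # matching entry: no ACL check at all
            if pkt.proto == "tcp" and pkt.flags != "S":
                return "First TCP packet not SYN"
            if not self._acl_allows(direction):
                return "Flow is denied by configured rule"
            self.conns.add(fwd)          # new flow: create the entry
            return "PERMIT"
        if pkt.icmp_type == "echo-request":
            if not self._acl_allows(direction):
                return "Flow is denied by configured rule"
            if self.inspect_icmp:
                self.icmp_pending.add((pkt.src, pkt.dst, pkt.icmp_id, pkt.icmp_seq))
            return "PERMIT"
        if pkt.icmp_type == "echo-reply" and self.inspect_icmp:
            key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.icmp_seq)
            if key in self.icmp_pending:
                self.icmp_pending.discard(key)
                return "PERMIT"
            return "ICMP Inspect seq num not matched"
        # Without inspection ICMP has no state: the reply is just an
        # unsolicited low-to-high packet and only an ACL could admit it.
        return "PERMIT" if self._acl_allows(direction) else "Flow is denied by configured rule"


# Constructed sample flows: inside client 10.1.1.10, outside web server
# 203.0.113.5 (documentation range).
CLIENT, SERVER = "10.1.1.10", "203.0.113.5"


def http_round_trip():
    """SYN out, SYN-ACK back: both permitted thanks to the conn entry."""
    fw = StatefulFirewall()
    syn = Packet("tcp", CLIENT, SERVER, 51000, 80, flags="S")
    syn_ack = Packet("tcp", SERVER, CLIENT, 80, 51000, flags="SA")
    return fw.process(syn, INSIDE_OUT), fw.process(syn_ack, OUTSIDE_IN)


def unsolicited_syn_ack():
    """A SYN-ACK with no prior SYN never gets a conn entry."""
    fw = StatefulFirewall()
    return fw.process(Packet("tcp", SERVER, CLIENT, 80, 51000, flags="SA"), OUTSIDE_IN)


def ping_round_trip(inspect_icmp, reply_seq=1):
    """Echo request out, echo reply back; compare with and without inspection."""
    fw = StatefulFirewall(inspect_icmp=inspect_icmp)
    req = Packet("icmp", CLIENT, SERVER, icmp_type="echo-request", icmp_id=7, icmp_seq=1)
    rep = Packet("icmp", SERVER, CLIENT, icmp_type="echo-reply", icmp_id=7, icmp_seq=reply_seq)
    return fw.process(req, INSIDE_OUT), fw.process(rep, OUTSIDE_IN)
```

ping_round_trip(False) shows the ICMP reply being dropped exactly as the question describes, and ping_round_trip(True, reply_seq=99) shows a reply that does not match an outstanding request being refused once inspection is on.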
-
How to block YouTube and Facebook via HTTPS in CX on ASA-X?
Now I use the decrypt feature on the CX module but cannot block HTTPS traffic. Could you help me?
Hi,
Double-check your CX configuration with this guide:
http://tools.cisco.com/squish/fCA6D
And make sure you are redirecting HTTPS traffic to the CX
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html -
RV042 - Priority Routing HTTP Traffic Over WAN2?
Hi,
I have an RV042 set to load balancing. WAN1 is a T1 and WAN2 is an ADSL connection. It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
Is there a way to do this?
Thanks!
blasty,
Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
If you have any problems please post them in as much detail as possible.
Bill -
Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris, that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive:
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work. Is it not possible to use <Client security="false"> in this manner? -
I have an app installed on WL9.2 which needs to connect to a web service over SSL from within the WL VM. When I run my junit test cases (outside the WL VM) all is well and I can connect and query the web service. From within WL I'm not even getting any packets sent at all (checked w/ Ethereal).
Is there a config I need to set to allow https traffic from the WL VM?
-darrel
I am having another very similar problem: I am struggling with client authentication with IIS 5.0, and receiving the 'Remote Host closed the connection' error.
Is there any help for me in this? I truly appreciate it.
Thanks -
Internet Connection sharing and HTTP traffic
Hello anyone,
I have a late 2009 iMac and a late 2008 MacBook Air. I connect to the internet via an ADSL PPPoE modem, which is connected to the iMac via Ethernet. I've set up the iMac to share the ADSL connection via AirPort to the MacBook Air, with WEP protection (it's either WEP or no protection at all, so I have to stick with it). Before the OS X Lion upgrade, everything worked fine (the iMac used Snow Leopard and the MacBook used Leopard). Now I have upgraded both computers to Lion: the iMac works flawlessly, but the MacBook Air is unable to get HTTP traffic from the iMac. IMAP, Skype, ICMP, XMPP and other protocols work fine, but HTTP has some problems. First of all, I can get some web pages (either via a browser or curl), like Google and Google-owned sites (YouTube, Orkut, Blogger...), Macworld.com and some Italian sites, but if I try other sites, all I get is the browser loading something forever. If I ping these sites, they reply normally. If I try to get (for instance) Yahoo's homepage with curl, all I get is a blank file (and curl shows that 0 bytes were transmitted/received). This problem is shown with every device I use via Wi-Fi, such as an iPod touch, an iPhone and another MacBook (with Snow Leopard on).
So I guess there's some problem in the iMac's Connection Sharing... has anyone a suggestion?
Thanks
Simone
I know nothing about Windows. Nothing.
But to configure your Mac to share an Ethernet to Wi-Fi connection, follow these steps:
My Mac mini is connected to the internet by Ethernet cable to my ISP's Arris gateway. I am sharing the Ethernet connection to two iPod Touches, an iPhone and now an iPad 2 over AirPort from my Mac mini.
1. In Sys Prefs/Sharing I highlighted Internet Sharing (do not check the box)
2. Share your connection from: Ethernet (from the dropdown menu)
3. To computers using: AirPort (check the little box)
4. Press the button AirPort Options...
5. Name your Network
6. I use Automatic for the channel
7. I encrypt my network using a 40-bit WEP key
8. For a non-Apple device, like a Windows laptop or an XBox, you must use only a 5 alphanumeric character, 40-bit WEP password or only a 13 alphanumeric character, 128-bit WEP password
9. Press OK
10. Check the box for Internet Sharing
11. Answer any dialog boxes that pop up
Dah•veed -
Hi, I'm a student who is studying MPF at the moment, and I was just wondering about the parameters (request args regex, request body length, etc.) that HTTP provides. I looked up and went through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
How does the ASA match up HTTP traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
Thanks in advance!
Hello Terry,
The first thing to understand when we are talking about inspection on layers 5 to 7 (in this case HTTP) is that, in order for it to work, the client has to be on one ASA interface and the server needs to be on another one; this allows the ASA to investigate the HTTP session.
Now you are asking about how the ASA is going to match that traffic. Well, with the policy map type inspect we decide what to match (the HTTP request, response, etc.), and we can use different things to do it. Just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com), then let the ASA know that it matches the header of the HTTP packet using that particular rule, and then we will be able to block cisco.com, as an example.
You can also match the URI, etc., and then apply the right HTTP inspection parameter.
Please rate helpful posts.
Regards,
Julio -
MPF ASA for Web Filtering. Https traffic
SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA, based on guidelines from the above source, to allow only certain sites in my home and block all requests to HTTP and HTTPS sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 "website1\.com"
regex allowex2 "website2\.com"
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
class-map allow-user-class
match access-list WEBFILTER
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
How can the HTTPS traffic also be blocked in the above configuration? What am I missing?
Thanks in advance for your help
Juan
Is it even possible for MPF on the ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
dns Configure a class-map of type DNS
ftp Configure a class-map of type FTP
h323 Configure a class-map of type H323
http Configure a class-map of type HTTP
im Configure a class-map of type IM
sip Configure a class-map of type SIP
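How the match-all class in Juan's configuration decides to drop, and why it never touches the HTTPS connections, as an added simulation written for this page (not ASA code): the two regexes and the exempt host are taken from the config above, while the HTTP requests and the TLS ClientHello bytes are constructed.

```python
"""Model of the allow-list in the MPF configuration above, and of why it
leaves HTTPS alone.

Constructed simulation, not ASA code. The policy being modelled is
  class-map type inspect http match-all allow-url-class
    match not request header host regex allowex1
    match not request header host regex allowex2
  -> drop-connection
so a request is dropped only when its Host header matches NONE of the
allowed regexes. The WEBFILTER 'deny' lines exclude one client from the
class entirely.
"""
import re

# Regexes from the config; for these simple patterns ASA and Python syntax agree.
ALLOWED_HOST_REGEXES = [re.compile(r"website1\.com"), re.compile(r"website2\.com")]
# access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www/https:
# a deny entry in a class-map's match access-list means "not in the class".
EXEMPT_CLIENTS = {"192.168.254.115"}

DROP = "DROP (drop-connection: Host matches no allowed regex)"
PASS_ALLOWED = "PASS (Host matches an allowed regex)"
PASS_EXEMPT = "PASS (client excluded from the class by the WEBFILTER deny entry)"
PASS_OPAQUE = "PASS (no HTTP request visible to the inspection engine)"


def parse_http_request(payload):
    """Return (method, target, headers) or None if the bytes are not an HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def allow_url_class_matches(headers):
    """match-all of the 'match not ... regex' lines: true when the Host
    header matches none of the allowed regexes (so the request is dropped)."""
    host = headers.get("host", "")
    return all(rx.search(host) is None for rx in ALLOWED_HOST_REGEXES)


def inspect_http(client_ip, payload):
    """Action the service policy takes on one client-to-server payload."""
    if client_ip in EXEMPT_CLIENTS:
        return PASS_EXEMPT
    req = parse_http_request(payload)
    if req is None:
        # On port 443 the engine only ever sees TLS records; the HTTP request
        # and its Host header travel inside the encrypted session. Modelled
        # as pass, which is what the post above observes.
        return PASS_OPAQUE
    return DROP if allow_url_class_matches(req[2]) else PASS_ALLOWED


def http_request(host, path="/"):
    """Constructed plaintext HTTP/1.1 request."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


# Constructed TLS 1.2 ClientHello record header plus filler bytes; not a capture.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03"
                    + b"\xa5" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00")


def run_cases():
    client, exempt = "192.168.254.20", "192.168.254.115"
    return {
        "allowed": inspect_http(client, http_request("www.website1.com")),
        "blocked": inspect_http(client, http_request("www.example.org")),
        "exempt": inspect_http(exempt, http_request("www.example.org")),
        "https": inspect_http(client, TLS_CLIENT_HELLO),
        # The regexes are unanchored, so any Host containing website1.com is
        # allowed; anchoring them (^ ... $) narrows the allow-list.
        "unanchored": inspect_http(client, http_request("website1.com.example.net")),
    }
```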
-
ASA 5510 not allowing some HTTPS traffic
I have 2 ASA 5510s in a failover bundle. I have a weird issue right now, where a site (HTTPS) is apparently getting blocked behind the firewall. If I browse to the site, it just spins, then says the page could not be displayed. I can ping the IP address, and I can browse to the HTTP version of the page, but I cannot browse to the HTTPS site. If I plug into the DMZ on the outside of the firewall, I can see the page no problem. There is something in the ASA that is blocking it. We certainly allow 443 out, and use HTTPS heavily, all the time. It's just this one site, which is weird, because I know ASAs don't do deep packet inspection. Can anyone think of what would be causing this?
Well, we figured this out. It actually wasn't the firewall. It was DNS resolution. This particular site's DNS was all messed up. When I was on the DMZ, I changed to another DNS server, which hadn't updated yet. External DNS tests were all returning either no records or just the generic Network Solutions IP, which would give you a landing page. We used the hosts file to get around it until they fixed their DNS pointers.
-
Should I disable the ESMTP inspect engine on the ASA?
Hello all,
I read a lot of blogs that recommend disabling the ESMTP inspect engine because most of the time it affects email communication between servers on different networks.
Is it a good practice?
Thank you!
Hi Konsu,
You will find your answer here:
https://supportforums.cisco.com/message/3110997#3110997
Hope that helps.
Varun -
AnyConnect VPN doesn't access the ASA
Hello,
I have an ASA 5512-X configured as an AnyConnect VPN concentrator, but when I connect I can't access the firewall... I can ping the address 10.4.11.2 but I can't connect... Any idea what to do? This is the running configuration:
: Saved
ASA Version 8.6(1)2
hostname asa-oi
domain-name xx.xx.xx.xx
enable password 7Hb0WWuK1NRtRaEy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 1.1.1.1 DefaultGW-Outside description Default Gateway Outside
name 10.4.11.1 DefaultGW-Inside description Default Gateway Inside
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.4.11.2 255.255.255.0
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
interface GigabitEthernet0/5.2000
vlan 2000
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 1.1.1.1
name-server 1.1.1.2
domain-name xx.xx.xx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PoolAnyConnect
subnet 10.6.4.0 255.255.252.0
access-list outside_in extended permit ip any any
access-list tunneled standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PoolAnyConnect 10.6.4.1-10.6.7.254 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
nat (outside,inside) source static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 DefaultGW-Outside 1
route inside 10.0.0.0 255.0.0.0 DefaultGW-Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 3.3.3.3
timeout 5
ldap-base-dn o=xx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
server-type novell
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 2.2.2.2 255.255.255.240 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 2.2.2.2 255.255.255.240 outside
ssh timeout 10
console timeout 10
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GrpPolicyAnyConnect internal
group-policy GrpPolicyAnyConnect attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-simultaneous-logins 1000
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunneled
default-domain value xx.xx.xx.xx
username admin password Dp4l7Cmqr7SMHl.l encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool PoolAnyConnect
authentication-server-group LDAP
default-group-policy GrpPolicyAnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ctiqbe
inspect http
inspect dcerpc
inspect dns
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect pptp
inspect snmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9399e42e238b5824eebaa115c93ad924
: end
Btw, I changed the NAT configuration a lot of times trying to solve the problem; this one is the current one... I didn't remember if I already tried it; anyway, I tried now:
asa-oi(config)# sh run nat
nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect route-lookup
nat (outside,inside) source static PoolAnyConnect PoolAnyConnect route-lookup
but no difference, had the same problem...
Btw, when I try to connect via SSH, these log messages appear (don't know if it can help):
Syslog ID: 302013
Source IP Add: 10.6.4.1
Source Port: 2181
Dest IP Add: 10.4.11.2
Dest Port: 22
Description: Built inbound TCP connection 202412 for outside:10.6.4.1/2181 (10.6.4.1/2181)(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 (10.4.11.2/22) (VpnAnyConnect)
Syslog ID: 302014
Source IP Add: 10.6.4.1
Source Port: 2181
Dest IP Add: 10.4.11.2
Dest Port: 22
Description: Teardown TCP connection 202412 for outside:10.6.4.1/2181(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 duration 0:00:30 bytes 0 SYN Timeout (VpnAnyConnect) -
Verification on the asa 8.4 5505 about PAT and port forwarding.
Hi all,
I have the topology as below:
inside------------eth0/1-------asa---eth0/7---------outside-------------------internet
My goal is:
I want to PAT the inside network (10.66.12.0/24) to the outside interface when it requests the internet.
Also,
I need port forwarding to the following hosts:
10.66.12.122 to 3389
10.66.12.249 to http
10.66.12.249 to https
10.66.12.249 to citrix
=============================================================
I just need somebody to check whether my config is correct.
=============================================================
I have an ASA 5505 with:
ASAAAAA(config)# sh version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ASAAAAA up 1 hour 32 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is d48c.b597.ce35, irq 11
1: Ext: Ethernet0/0 : address is d48c.b597.ce2d, irq 255
2: Ext: Ethernet0/1 : address is d48c.b597.ce2e, irq 255
3: Ext: Ethernet0/2 : address is d48c.b597.ce2f, irq 255
4: Ext: Ethernet0/3 : address is d48c.b597.ce30, irq 255
5: Ext: Ethernet0/4 : address is d48c.b597.ce31, irq 255
6: Ext: Ethernet0/5 : address is d48c.b597.ce32, irq 255
7: Ext: Ethernet0/6 : address is d48c.b597.ce33, irq 255
8: Ext: Ethernet0/7 : address is d48c.b597.ce34, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX162740GP
Running Permanent Activation Key: 0x6801f547 0xe81c57c4 0x20f339f4 0xaaf48040 0x480e2fbc
Configuration register is 0x100003
Configuration last modified by enable_15 at 23:58:15.999 UTC Wed Jan 22 2014
ASAAAAA(config)# sh run
: Saved
ASA Version 8.4(2)
hostname ASAAAAA
enable password ffffCCSH encrypted
passwd 2KFfffff2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 2
interface Vlan1
nameif ins
security-level 100
ip address 10.66.12.1 255.255.255.0
interface Vlan2
nameif outside
security-level 50
ip address x.x.55.34 255.255.255.248
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network localsubnet
subnet 10.66.12.0 255.255.255.0
description localsubnet
object network HTTP-Host
host 10.66.12.249
description web server
object network HTTPS-HOST
host 10.66.12.249
description Https
object network RDP-Host
host 10.66.12.122
description RDP host
object network citrix-host
host 10.66.12.249
description citrix
object service rdp
service tcp destination eq 3389
object service https
service tcp destination eq https
object service citrix
service tcp destination eq 2598
object service http
service tcp destination eq www
object-group network RDP-REDIRECT
object-group network HTTP-REDIRECT
object-group network HTTPS-REDIRECT
object-group network CITRIX-ICA-HDX-REDIRECTION
object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
object-group service CITRIX-ICA-HDX
object-group service CITRIX-SR
object-group service RDP
object-group network MY-insideNET
network-object 10.66.12.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object citrix
service-object object http
service-object object https
service-object object rdp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
pager lines 24
mtu ins 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (ins,outside) source static RDP-Host interface service rdp rdp
nat (ins,outside) source static HTTP-Host interface service http http
nat (ins,outside) source static citrix-host interface service citrix citrix
object network obj_any
nat (ins,outside) dynamic obj-0.0.0.0
object network localsubnet
nat (ins,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.55.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.66.12.0 255.255.255.0 ins
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ADMIN password 5iEuCUW0P3ThngqY encrypted privilege 15
username cisco password eT0.bmvcLOAQcNEL encrypted privilege 15
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65c9b8c35749959d1159e162ff106166
: end
=======================================================
I configured PAT, port forwarding and access rules.
I just want verification of my work.
Regards
Hi,
Don't think I can really give you an answer but thought I'd write anyway.
It does seem on the basis of the documentation of the ASA (8.4) that with Twice NAT you won't be able to do any modifications to the DNS replies.
Here's one quote from the Configuration Guide:
Configuring Network Address Translation -> Information About NAT -> DNS and NAT
If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source address as well as the destination address. These kinds of rules can potentially have a different translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain information about which source/destination address combination was in the packet that prompted the DNS request.
So if I'm not totally wrong, I guess your options might be to either:
Start doing changes to the local DNS server directly?
Separate the remote overlapping network from your current firewall with another firewall device?
I don't know the whole setup, so this might be impossible.
Thinking that if the NAT for the remote overlapping network was done on another firewall, it could do the DNS reply changes before they arrived on your ASA from the remote DNS server?
I have not really had to tackle such a situation before. I most commonly run into situations where a customer has a public IP configured with 1:1 Static NAT and there is no DNS parameter in the Static NAT configuration while the customer tries to use the DNS name to connect to their local server.
Just some of my thoughts. Maybe someone else might have more experience with the same type of situations.
- Jouni -
Inspect http issue - unable to browse secure site.
Hi,
The current version of the ASA firewall is 7.1(2), in which, when inspect http is enabled, while opening a secure site like an Axis Bank account or any money market site, either a blank page displays or a "page cannot be displayed" error message appears. When I disable this command I am able to access all the secure sites properly. It looks like a bug, but in the release notes I am not finding any bug related to this issue. Please help me resolve this issue.
Amit M.
Thanks for the reply. When I disable HTTP inspection and try to open the login page for some of the sites, the "page cannot be displayed" error appears. Also, I checked whether the MSS might get exceeded, but in the show asp drop output TCP MSS is not showing. Still, I created a class for MSS exceeded and applied it in the global configuration, but it does not work. Later I had to disable the HTTP inspection and it started working. Now the question is: while clicking on the login button it will go from the HTTP to the HTTPS page; during this shift from HTTP to HTTPS, why does it affect the connection when HTTP inspection is enabled?
Following is the show asp drop output.
Please check
PIXFIREWALL# sho asp drop
Frame drop:
Invalid IP header 10
No route to host 13
Reverse-path verify failed 398846
Flow is denied by configured rule 107075
Flow denied due to resource limitation 35
Invalid SPI 2
First TCP packet not SYN 62706
TCP failed 3 way handshake 1211
TCP RST/FIN out of order 39
TCP packet SEQ past window 1
TCP invalid ACK 1
TCP packet buffer full 209
TCP RST/SYN in window 14
TCP DUP and has been ACKed 10411
TCP packet failed PAWS test 10
IPSEC tunnel is down 137
IP option drop 551
Expired flow 26
ICMP Inspect seq num not matched 1057
ICMP Error Inspect different embedded conn 60
DNS Inspect id not matched 4674
IPS Module requested drop 8
FP L2 rule drop 22988
Interface is down 8
Flow drop:
Flow terminated by IPS 16
NAT failed 13066
Tunnel being brought up or torn down 514
Need to start IKE negotiation 2136
Inspection failure 60