Inspecting http traffic on the ASA

The ASA default inspection policy includes a number of well-known applications and is applied globally on the system:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
Now http inspection is NOT enabled by default, so typically what I have done was to go into the class inspection_default and add it:
class inspection_default
  inspect dns preset_dns_map
  inspect http
But I was reading through some Cisco documentation that indicates this may not work, or is not the way to do it. They recommend creating new class maps, policies, etc. Example:
hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global
So the question is, have I been doing this wrong? Will adding http inspection to the class inspection_default not work?

It was a Cisco document (I will try to find the link).
It said that http inspection is not enabled by default, but instead of instructing me to add it to the class inspection_default, it says to create a new class-map for http (see above).
It seemed like the implication here was that it wouldn't work within the inspection_default class, which makes no sense to me. Maybe I am just misreading it.
Have other people here added http to the class inspection_default?
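To see which class actually carries `inspect http` and whether the policy-map it sits in is applied anywhere, here is an added Python audit script (example code, not from this thread or from Cisco) that parses the class-map / policy-map / service-policy chain of an ASA config; the sample config is constructed from the snippets above, with the Cisco-style `http_traffic_policy` deliberately left unapplied. It also flags a second global service-policy, since the ASA accepts only one global policy, which is the practical problem with applying `http_traffic_policy global` next to `global_policy`; `match default-inspection-traffic` already covers HTTP on TCP/80, and the AnyConnect running config quoted further down this page shows `inspect http` living under `inspection_default`.

```python
from collections import defaultdict

# Constructed sample: the default global policy from the thread with
# "inspect http" added under inspection_default, plus the separate
# class-map/policy-map pair from the Cisco example quoted above. The
# second policy is deliberately left unapplied.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq 80
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
policy-map http_traffic_policy
 class http_traffic
  inspect http
service-policy global_policy global
"""

def parse_mpf(config):
    """Parse the Modular Policy Framework parts of an ASA config.
    Returns (class_maps, policy_maps, service_policies):
      class_maps:       name -> list of 'match ...' criteria
      policy_maps:      name -> {class name: [inspections]} for L3/4
                        policy maps (typed maps such as 'type inspect' skipped)
      service_policies: list of (policy name, target), e.g. ('global_policy', 'global')
    """
    class_maps, policy_maps, service_policies = {}, {}, []
    cmap = pmap = cls = None  # current block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        if line.startswith(("class-map type", "policy-map type")):
            cmap = pmap = None  # protocol-specific maps: not L3/4 classification
        elif line.startswith("class-map "):
            cmap, pmap = line.split()[1], None
            class_maps[cmap] = []
        elif line.startswith("policy-map "):
            pmap, cmap, cls = line.split()[1], None, None
            policy_maps[pmap] = {}
        elif line.startswith("service-policy "):
            parts = line.split()
            service_policies.append((parts[1], " ".join(parts[2:])))
            cmap = pmap = None
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line[len("match "):])
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
            policy_maps[pmap][cls] = []
        elif pmap and cls and line.startswith("inspect "):
            policy_maps[pmap][cls].append(line[len("inspect "):])
    return class_maps, policy_maps, service_policies

def http_inspection_points(config):
    """Every (policy-map, class) carrying 'inspect http', with the class's
    match criteria and the service-policy targets the policy is applied to."""
    cmaps, pmaps, sps = parse_mpf(config)
    applied = defaultdict(list)
    for pol, target in sps:
        applied[pol].append(target)
    return [
        {"policy": pol, "class": cls, "matches": cmaps.get(cls, []),
         "applied_to": applied.get(pol, [])}
        for pol, classes in pmaps.items()
        for cls, inspects in classes.items()
        if any(i.split()[0] == "http" for i in inspects)
    ]

def audit(config):
    """Human-readable findings about where HTTP inspection is (not) active."""
    findings = []
    points = http_inspection_points(config)
    active = [p for p in points if p["applied_to"]]
    if not active:
        findings.append("HTTP inspection not active: no applied policy-map contains 'inspect http'")
    for p in active:
        findings.append(f"HTTP inspection active via policy-map {p['policy']} / class {p['class']} "
                        f"(match: {'; '.join(p['matches'])}) on {', '.join(p['applied_to'])}")
    for p in points:
        if not p["applied_to"]:
            findings.append(f"policy-map {p['policy']} has 'inspect http' but no service-policy applies it")
    globals_ = [pol for pol, tgt in parse_mpf(config)[2] if tgt == "global"]
    if len(globals_) > 1:
        findings.append(f"more than one global service-policy ({', '.join(globals_)}); the ASA allows only one")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Feed it the output of `show running-config` to audit a live box; anything under `policy-map type inspect` blocks is intentionally ignored.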

Similar Messages

  • Redirecting http traffic to the proxy server

    Hi,
    We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
    Requirement:
    We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
    Now that ASA doesn't support PBR to accomplish this, how can we accomplish this?

    Hi,
    To list one limitation that you might see in your scenario: you would only be able to redirect to the proxy those subnets which are physically behind the interface where the WCCP server resides, i.e. UNTRUST.
    Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the source part of the traffic:
    (DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
    Also, ASA now supports Policy Based Routing from ASA 9.4.1 :)
    Thanks and Regards,
    Vibhor Amrodia

  • ASA - What is allowing return HTTP traffic?

    Hi,
    I'm just playing around with a few ASA's and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?
    Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interface.
    I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
    Thanks for any help.

    Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.
    So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.
    The entry is made on source and destination IP and port numbers, and for TCP it also uses the connection flags.
    ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).
    But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.
    Jon

  • How to block youtube and facebook via HTTPs in CX on ASA-X ?

    Now I use the decrypt feature on the CX module but cannot block HTTPS traffic. Could you help me?

    Hi,
    Double-check your CX configuration with this guide:
    http://tools.cisco.com/squish/fCA6D
    And make sure you are redirecting HTTPS traffic to the CX
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • RV042 - Priority Routing HTTP Traffic Over WAN2?

    Hi,
    I have an RV042 set to load balancing.  WAN1 is a T1 and WAN2 is an ADSL connection.  It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
    Is there a way to do this?
    Thanks!

    blasty,
    Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
    http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
    If you have any problems please post them in as much detail as possible.
    Bill

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • Problem sending https traffic

    I have an app installed on WL9.2 which needs to connect to a web service over SSL from within the WL VM. When I run my junit test cases (outside the WL VM) all is well and I can connect and query the web service. From within WL I'm not even getting any packets sent at all (checked w/ Ethereal).
    Is there a config I need to set to allow https traffic from the WL VM?
    -darrel

    I am having another very similar problem: I am struggling with client authentication with IIS 5.0, and receiving the 'Remote Host closed the connection' error.
    Is there any help for me on this? I truly appreciate it.
    Thanks

  • Internet Connection sharing and HTTP traffic

    Hello anyone,
    I have a late 2009 iMac and a late 2008 MacBook Air. I connect to the internet via an ADSL PPPoE modem, which is connected to the iMac via ethernet. I've set up the iMac to share the ADSL connection via AirPort to the MacBook Air, with WEP protection (it's either WEP or no protection at all, so I have to stick with it). Before the OS X Lion upgrade, everything worked fine (the iMac used Snow Leopard and the MacBook used Leopard). Now I have upgraded both computers to Lion: the iMac works flawlessly, but the MacBook Air is unable to get HTTP traffic from the iMac. IMAP, Skype, ICMP, XMPP and other protocols work fine but HTTP has some problems. First of all, I can get some web pages (either via a browser or curl), like Google and Google-owned sites (YouTube, Orkut, Blogger...), Macworld.com and some Italian sites, but if I try other sites, all I get is the browser loading something forever. If I ping these sites, they reply normally. If I try to get (for instance) Yahoo's homepage with curl, all I get is a blank file (and curl shows that 0 bytes were transmitted/received). This problem shows up with every device I use via Wi-Fi, such as iPod touch, iPhone and another MacBook (with Snow Leopard on).
    So I guess there's some problem in the iMac's Connection Sharing... has anyone a suggestion?
    Thanks
    Simone

    I know nothing about Windows. Nothing.
    But to configure your Mac to share an ethernet to wi-fi connection, follow these steps:
    My Mac mini is connected to the internet by Ethernet cable to my ISP's Arris gateway. I am sharing the Ethernet connection to two iPod Touches, an iPhone and now an iPad 2 over AirPort from my Mac mini.
    1. In Sys Prefs/Sharing I highlighted Internet Sharing (do not check the box)
    2. Share your connection from: Ethernet (from the dropdown menu)
    3. To computers using: AirPort (check the little box)
    4. Press the button AirPort Options...
    5. Name your Network
    6. I use Automatic for the channel
    7. I encrypt my network using a 40-bit WEP key
    8. For a non-Apple device, like a Windows laptop or an XBox, you must use only a 5 alphanumeric character, 40-bit WEP password or only a 13 alphanumeric character, 128-bit WEP password
    9. Press OK
    10. Check the box for Internet Sharing
    11. Answer any dialog boxes that pop up
    Dah•veed

  • ASA MPF on HTTP traffic

    Hi, I'm a student who is studying MPF at the moment, and I was just wondering about the parameters (request args regex, request body length, etc.) that http provides. I was looking up and went through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
    How does the ASA match up with http traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
    thanks in advance, !!!

    Hello Terry,
    The first thing to understand when we are talking about inspection on layers 5 to 7 (in this case http) is that, in order to work, the client has to be on one ASA interface and the server needs to be on another one; this allows the ASA to investigate the http session.
    Now you are asking about how the ASA is going to match that traffic. Well, with the policy map type inspect we decide what to match (the http request, response, etc.); we can use different things in order to do it. Just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com) and then let the ASA know that it matches the header of the http packet using that particular rule, and then we will be able to block cisco.com, as an example.
    You can also match the URI, etc. and then apply the right http inspection parameter.
    Please rate helpful posts.
    Regards,
    Julio

  • MPF ASA for Web Filtering. Https traffic

    SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
    Hi all,
    I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
    access-list WEBFILTER extended permit tcp any any eq www
    access-list WEBFILTER extended permit tcp any any eq https
    regex allowex1 "website1\.com"
    regex allowex2 "website2\.com"
    class-map type inspect http match-all allow-url-class
    match not request header host regex allowex1
    match not request header host regex allowex2
    class-map allow-user-class
    match access-list WEBFILTER
    policy-map type inspect http allow-url-policy
    parameters
    class allow-url-class
      drop-connection
    policy-map allow-user-url-policy
    class allow-user-class
      inspect http allow-url-policy
    service-policy allow-user-url-policy interface inside
    HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
    Thanks in advance for your help
    Juan

    Is it even possible for MPF on the ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
    (config)# class-map type inspect ?
    configure mode commands/options:
      dns   Configure a class-map of type DNS
      ftp   Configure a class-map of type FTP
      h323  Configure a class-map of type H323
      http  Configure a class-map of type HTTP
      im    Configure a class-map of type IM
      sip   Configure a class-map of type SIP
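As an added walk-through (example code, not from the thread or from Cisco), this Python script emulates the decision the posted allow-user-url-policy makes for a few constructed flows: the .115 host is kept out of the class by the deny ACE so it is never inspected, a TLS flow carries no plaintext Host header so the http inspection class cannot match it (which is why the reply above finds no https class-map type), and because ASA regexes are unanchored searches, `website1\.com` also lets through hosts such as notwebsite1.com unless the pattern is anchored.

```python
import re

# Constructed from the thread's config: the WEBFILTER access-list (one
# host exempted, everyone else classified) and the two allow-list regexes.
WEBFILTER_ACL = [  # (action, source host or 'any', destination ports)
    ("deny", "192.168.254.115", (80, 443)),
    ("permit", "any", (80, 443)),
]
ALLOW_REGEXES = [r"website1\.com", r"website2\.com"]

def in_allow_user_class(src, dport, acl=WEBFILTER_ACL):
    """Emulate 'class-map allow-user-class / match access-list WEBFILTER':
    the first matching ACE decides; a deny ACE keeps the flow out of the class."""
    for action, host, ports in acl:
        if (host == "any" or host == src) and dport in ports:
            return action == "permit"
    return False

def allow_url_class_matches(host_header, allow_regexes=ALLOW_REGEXES):
    """Emulate 'class-map type inspect http match-all allow-url-class' whose
    lines are 'match not request header host regex <name>'. match-all means
    every line must hold, i.e. the Host header matches none of the regexes.
    ASA regexes are unanchored searches unless the pattern uses ^ or $."""
    return all(re.search(rx, host_header) is None for rx in allow_regexes)

def policy_decision(flow):
    """Return 'drop-connection' or 'pass' for one flow under allow-user-url-policy."""
    if not in_allow_user_class(flow["src"], flow["dport"]):
        return "pass"  # not classified, so 'inspect http' never runs
    if flow["dport"] == 443:
        # TLS: the Host header is inside the encrypted stream; the http
        # inspection engine never sees it, so the class cannot match.
        return "pass"
    return "drop-connection" if allow_url_class_matches(flow["host"]) else "pass"

# Constructed flows; 'sni' stands in for what is visible on a TLS flow.
SAMPLE_FLOWS = [
    {"src": "192.168.254.10", "dport": 80, "host": "www.website1.com"},
    {"src": "192.168.254.10", "dport": 80, "host": "www.example.net"},
    {"src": "192.168.254.10", "dport": 443, "sni": "www.example.net"},
    {"src": "192.168.254.115", "dport": 80, "host": "www.example.net"},
    {"src": "192.168.254.10", "dport": 80, "host": "notwebsite1.com"},
]

def evaluate(flows=SAMPLE_FLOWS):
    """Decision per flow, in the order given."""
    return [policy_decision(f) for f in flows]

if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, evaluate()):
        print(f.get("host") or f.get("sni"), f["src"], f["dport"], "->", d)
```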

  • ASA 5510 not allowing some https traffic

    I have 2 ASA 5510's in a failover bundle.  I have a weird issue right now, where a site (https) is apparently getting blocked behind the firewall.  If I browse to the site, it just spins, then says the page could not be displayed.  I can ping the IP address, and I can browse to the http version of the page, but I cannot browse to the https site.  If I plug into the DMZ on the outside of the firewall, I can see the page no problem. There is something in the ASA that is blocking it.  We certainly allow 443 out, and use https heavily, all the time.  It's just this one site, which is weird, because I know ASA's don't do deep packet inspection.  Can anyone think of what would be causing this?

    Well, we figured this out.  It actually wasn't the firewall.  It was DNS resolution.  This particular site's DNS was all messed up.  When I was on the DMZ, I changed to another DNS server, which hadn't updated yet.  External DNS tests were all returning either no records or just the generic Network Solutions IP, which would give you a landing page.  We used the hosts file to get around it until they fixed their DNS pointers. 

  • Should I disable ESMTP inspect engine on the ASA??

    Hello all,
    I read a lot of blogs that recommend disabling the ESMTP inspect engine because most of the time it affects email communication between servers on different networks.
    Is it a good practice?
    Thank you  !!!!!

    Hi Konsu,
    You will find your answer here:
    https://supportforums.cisco.com/message/3110997#3110997
    Hope that helps.
    Varun

  • AnyConnect VPN doesn't access the ASA

    Hello,
    I have an ASA 5512-x configured as a VPN AnyConnect concentrator, but when I connect I can't access the firewall... I can ping the address 10.4.11.2 but I can't connect... Any idea what to do? This is the running configuration:
    : Saved
    ASA Version 8.6(1)2
    hostname asa-oi
    domain-name xx.xx.xx.xx
    enable password 7Hb0WWuK1NRtRaEy encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 1.1.1.1 DefaultGW-Outside description Default Gateway Outside
    name 10.4.11.1 DefaultGW-Inside description Default Gateway Inside
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 10.4.11.2 255.255.255.0
    interface GigabitEthernet0/5
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5.2000
    vlan 2000
    nameif outside
    security-level 0
    ip address 1.1.1.2 255.255.255.252
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone BRST -3
    clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 1.1.1.1
    name-server 1.1.1.2
    domain-name xx.xx.xx.xx
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network PoolAnyConnect
    subnet 10.6.4.0 255.255.252.0
    access-list outside_in extended permit ip any any
    access-list tunneled standard permit 10.0.0.0 255.0.0.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 1048576
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool PoolAnyConnect 10.6.4.1-10.6.7.254 mask 255.255.252.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
    nat (outside,inside) source static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DefaultGW-Outside 1
    route inside 10.0.0.0 255.0.0.0 DefaultGW-Inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 3.3.3.3
    timeout 5
    ldap-base-dn o=xx
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    server-type novell
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 2.2.2.2 255.255.255.240 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 2.2.2.2 255.255.255.240 outside
    ssh timeout 10
    console timeout 10
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GrpPolicyAnyConnect internal
    group-policy GrpPolicyAnyConnect attributes
    dns-server value 1.1.1.1 1.1.1.2
    vpn-simultaneous-logins 1000
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value tunneled
    default-domain value xx.xx.xx.xx
    username admin password Dp4l7Cmqr7SMHl.l encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    address-pool PoolAnyConnect
    authentication-server-group LDAP
    default-group-policy GrpPolicyAnyConnect
    tunnel-group AnyConnect webvpn-attributes
    group-alias AnyConnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ctiqbe
      inspect http
      inspect dcerpc
      inspect dns
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ipsec-pass-thru
      inspect mgcp
      inspect pptp
      inspect snmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9399e42e238b5824eebaa115c93ad924
    : end
    Btw, I changed NAT configuration a lot of times trying to solve the problem, this one is the current one...

    I don't remember if I already tried it; anyway, I tried it now:
    asa-oi(config)# sh run nat
    nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect route-lookup
    nat (outside,inside) source static PoolAnyConnect PoolAnyConnect route-lookup
    but no difference, had the same problem...
    Btw, when I try to connect via SSH, these log messages appear (don't know if it can help):
    Syslog ID: 302013
    Source IP Add: 10.6.4.1
    Source Port: 2181
    Dest IP Add: 10.4.11.2
    Dest Port: 22
    Description: Built inbound TCP connection 202412 for outside:10.6.4.1/2181 (10.6.4.1/2181)(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 (10.4.11.2/22) (VpnAnyConnect)
    Syslog ID: 302014
    Source IP Add: 10.6.4.1
    Source Port: 2181
    Dest IP Add: 10.4.11.2
    Dest Port: 22
    Description: Teardown TCP connection 202412 for outside:10.6.4.1/2181(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 duration 0:00:30 bytes 0 SYN Timeout (VpnAnyConnect)

  • Verification on the asa 8.4 5505 about PAT and port forwarding.

    Hi all,
    I have the topology below:
    inside------------eth0/1-------asa---eth0/7---------outside-------------------internet
    My goal is:
    I want to PAT the inside network (10.66.12.0/24) to the outside interface when it requests the internet.
    Also,
    I need port forwarding to the following hosts:
    10.66.12.122 to 3389
    10.66.12.249 to http
    10.66.12.249 to https
    10.66.12.249 to citrix
    =============================================================
    I just need somebody to check whether my config is correct.
    =============================================================
    I have an ASA 5505 with:
    ASAAAAA(config)# sh version
    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)
    Compiled on Wed 15-Jun-11 18:17 by builders
    System image file is "disk0:/asa842-k8.bin"
    Config file at boot was "startup-config"
    ASAAAAA up 1 hour 32 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Int: Internal-Data0/0    : address is d48c.b597.ce35, irq 11
    1: Ext: Ethernet0/0         : address is d48c.b597.ce2d, irq 255
    2: Ext: Ethernet0/1         : address is d48c.b597.ce2e, irq 255
    3: Ext: Ethernet0/2         : address is d48c.b597.ce2f, irq 255
    4: Ext: Ethernet0/3         : address is d48c.b597.ce30, irq 255
    5: Ext: Ethernet0/4         : address is d48c.b597.ce31, irq 255
    6: Ext: Ethernet0/5         : address is d48c.b597.ce32, irq 255
    7: Ext: Ethernet0/6         : address is d48c.b597.ce33, irq 255
    8: Ext: Ethernet0/7         : address is d48c.b597.ce34, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 3              DMZ Restricted
    Dual ISPs                         : Disabled       perpetual
    VLAN Trunk Ports                  : 0              perpetual
    Inside Hosts                      : 50             perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10             perpetual
    Total VPN Peers                   : 25             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.
    Serial Number: JMX162740GP
    Running Permanent Activation Key: 0x6801f547 0xe81c57c4 0x20f339f4 0xaaf48040 0x480e2fbc
    Configuration register is 0x100003
    Configuration last modified by enable_15 at 23:58:15.999 UTC Wed Jan 22 2014
    ASAAAAA(config)# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASAAAAA
    enable password ffffCCSH encrypted
    passwd 2KFfffff2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif ins
    security-level 100
    ip address 10.66.12.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 50
    ip address  x.x.55.34 255.255.255.248
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network localsubnet
    subnet 10.66.12.0 255.255.255.0
    description localsubnet
    object network HTTP-Host
    host 10.66.12.249
    description web server
    object network HTTPS-HOST
    host 10.66.12.249
    description Https
    object network RDP-Host
    host 10.66.12.122
    description RDP host
    object network citrix-host
    host 10.66.12.249
    description citrix
    object service rdp
    service tcp destination eq 3389
    object service https
    service tcp destination eq https
    object service citrix
    service tcp destination eq 2598
    object service http
    service tcp destination eq www
    object-group network RDP-REDIRECT
    object-group network HTTP-REDIRECT
    object-group network HTTPS-REDIRECT
    object-group network CITRIX-ICA-HDX-REDIRECTION
    object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
    object-group service CITRIX-ICA-HDX
    object-group service CITRIX-SR
    object-group service RDP
    object-group network MY-insideNET
    network-object 10.66.12.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object citrix
    service-object object http
    service-object object https
    service-object object rdp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
    pager lines 24
    mtu ins 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    nat (ins,outside) source static RDP-Host interface service rdp rdp
    nat (ins,outside) source static HTTP-Host interface service http http
    nat (ins,outside) source static citrix-host interface service citrix citrix
    object network obj_any
    nat (ins,outside) dynamic obj-0.0.0.0
    object network localsubnet
    nat (ins,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.55.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.66.12.0 255.255.255.0 ins
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ADMIN password 5iEuCUW0P3ThngqY encrypted privilege 15
    username cisco password eT0.bmvcLOAQcNEL encrypted privilege 15
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:65c9b8c35749959d1159e162ff106166
    : end
    =======================================================
    I configured PAT, port forwarding and access rules.
    I just want to have my work verified.
    Regards

    Hi,
    Don't think I can really give you an answer, but thought I'd write anyway.
    It does seem, on the basis of the documentation of the ASA (8.4), that with Twice NAT you won't be able to do any modifications to the DNS replies.
    Here's one quote from the Configuration Guide:
    Configuring Network Address Translation -> Information About NAT -> DNS and NAT
    If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source address as well as the destination address. These kinds of rules can potentially have a different translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain information about which source/destination address combination was in the packet that prompted the DNS request.
    So if I'm not totally wrong, I guess your options might be to either:
    Start doing changes to the local DNS server directly?
    Separate the remote overlapping network from your current firewall with another firewall device?
    I don't know the whole setup, so this might be impossible.
    Thinking that if the NAT for the remote overlapping network was done on another firewall, it could do the DNS reply changes before they arrived on your ASA from the remote DNS server?
    I have not really had to tackle such a situation before. I most commonly run into situations where a customer has a public IP configured with 1:1 Static NAT and there is no DNS parameter in the Static NAT configuration while the customer tries to use the DNS name to connect to their local server.
    Just some of my thoughts. Maybe someone else might have more experience with the same type of situations.
    - Jouni
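The restriction quoted above, laid out as an ASA 8.3+/8.4-style configuration fragment. This is an added illustration, not configuration from the thread or from Cisco's documentation; the object names and addresses (SRV-REAL, SRV-MAPPED, REMOTE-REAL, REMOTE-MAPPED, 10.10.10.5, 203.0.113.5) are invented for the example. The first two forms accept the dns keyword, so an A record carrying the real address is rewritten to the mapped address in the reply; the third form is the "source as well as destination" twice NAT rule the Configuration Guide says cannot carry DNS modification, because the reply alone does not tell the ASA which source/destination pair the query belonged to.

```cisco
! 1) Object NAT: DNS reply rewrite is supported via the dns keyword
object network SRV-REAL
 host 10.10.10.5
 nat (inside,outside) static 203.0.113.5 dns

! 2) Twice NAT with a source translation only: dns is still accepted
object network SRV-MAPPED
 host 203.0.113.5
nat (inside,outside) source static SRV-REAL SRV-MAPPED dns

! 3) Twice NAT that specifies both source and destination (the usual form
!    for an overlapping remote network): the dns keyword is not available here,
!    so replies from the remote DNS server are passed through untranslated.
object network REMOTE-REAL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source static SRV-REAL SRV-MAPPED destination static REMOTE-MAPPED REMOTE-REAL
```

If DNS rewrite is needed for the server while the overlapping network still requires a source-plus-destination rule, the rewrite has to be obtained from a rule of form 1 or 2 that matches the DNS traffic, or done outside the ASA, which is the direction the reply above points in.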

  • Inspect http issue - unable to browse secure site.

    Hi,
    The current version of the ASA firewall is 7.1(2). When inspect http is enabled and I open a secure site like an Axis Bank account or any money-market site, either a blank page is displayed or a "page cannot be displayed" error message appears. When I disable this command I am able to access all the secure sites properly. It looks like a bug, but in the release notes I am not finding any bug related to this issue. Please help me resolve this issue.
    Amit M.

    Thanks for the reply. When I disable http inspection and try to open the login page for some of the sites, then "this page cannot be displayed" appears. I also tried the idea that the MSS might be getting exceeded, and found that in show asp drop the tcp mss counter is not showing. But still I created a class for MSS exceeded and applied it in the global configuration, and it does not work. Later I had to disable the http inspection and it started working. Now the question is: when clicking on the login button it goes from the http page to the https page; during this shift from http to https, why does it affect the connection when http inspection is enabled?
    Following is the show asp drop output.
    Please check:
    PIXFIREWALL# sho asp drop
    Frame drop:
      Invalid IP header                               10
      No route to host                                13
      Reverse-path verify failed                  398846
      Flow is denied by configured rule           107075
      Flow denied due to resource limitation          35
      Invalid SPI                                      2
      First TCP packet not SYN                     62706
      TCP failed 3 way handshake                    1211
      TCP RST/FIN out of order                        39
      TCP packet SEQ past window                       1
      TCP invalid ACK                                  1
      TCP packet buffer full                         209
      TCP RST/SYN in window                           14
      TCP DUP and has been ACKed                   10411
      TCP packet failed PAWS test                     10
      IPSEC tunnel is down                           137
      IP option drop                                 551
      Expired flow                                    26
      ICMP Inspect seq num not matched              1057
      ICMP Error Inspect different embedded conn      60
      DNS Inspect id not matched                    4674
      IPS Module requested drop                        8
      FP L2 rule drop                              22988
      Interface is down                                8
    Flow drop:
      Flow terminated by IPS                          16
      NAT failed                                   13066
      Tunnel being brought up or torn down           514
      Need to start IKE negotiation                 2136
      Inspection failure                              60
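A single show asp drop listing like the one above is cumulative since boot (or since the last clear asp drop), so it cannot say which counter the failing login actually hits. The usual way to use it is to take a snapshot, reproduce the http-to-https transition once, take a second snapshot and look at what moved. The script below is an added example, not something from the thread: it parses the listing format the poster pasted and diffs two snapshots. The two listings embedded in it are constructed for the example (an abbreviated copy of the poster's counters as a baseline, and an invented "after" state); they are not real measurements.

```python
"""Parse and diff Cisco ASA `show asp drop` counters.

Added example for the thread above; the BEFORE/AFTER listings are
constructed sample data, not output captured from the poster's device.
"""
import re
from typing import Dict, Tuple

# Constructed baseline: an abbreviated copy of the counters in the post.
BEFORE = """\
PIXFIREWALL# sho asp drop
Frame drop:
  Invalid IP header                                          10
  Flow is denied by configured rule                      107075
  First TCP packet not SYN                                62706
  TCP RST/FIN out of order                                   39
  DNS Inspect id not matched                               4674
Flow drop:
  NAT failed                                              13066
  Inspection failure                                         60
"""

# Constructed second snapshot, taken after reproducing the failing login once.
AFTER = """\
PIXFIREWALL# sho asp drop
Frame drop:
  Invalid IP header                                          10
  Flow is denied by configured rule                      107081
  First TCP packet not SYN                                62706
  TCP RST/FIN out of order                                   41
  DNS Inspect id not matched                               4674
  TCP packet buffer full                                      2
Flow drop:
  NAT failed                                              13066
  Inspection failure                                         63
"""

# Section headers sit at column 0 and end with a colon ("Frame drop:").
SECTION_RE = re.compile(r"^(?P<section>\S[^:]*):\s*$")
# Counter lines are indented: reason text, whitespace, an integer count.
# Newer releases append a short name in parentheses to the reason, e.g.
# "Flow is denied by configured rule (acl-drop)"; the lazy match keeps
# that as part of the reason text.
COUNTER_RE = re.compile(r"^\s+(?P<reason>\S.*?)\s+(?P<count>\d+)\s*$")

Counters = Dict[Tuple[str, str], int]


def parse_asp_drop(text: str) -> Counters:
    """Return {(section, reason): count} for every counter in the listing."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            counters[(section, m.group("reason"))] = int(m.group("count"))
    return counters


def drop_delta(before: Counters, after: Counters) -> Counters:
    """Counters that increased between two snapshots.

    A reason that only appears in the second snapshot counts from zero.
    """
    delta: Counters = {}
    for key, count in after.items():
        increase = count - before.get(key, 0)
        if increase > 0:
            delta[key] = increase
    return delta


def inspection_related(delta: Counters) -> Counters:
    """Keep only the increments whose reason text mentions inspection."""
    return {key: n for key, n in delta.items() if "inspect" in key[1].lower()}


if __name__ == "__main__":
    before = parse_asp_drop(BEFORE)
    after = parse_asp_drop(AFTER)
    for (section, reason), n in sorted(drop_delta(before, after).items()):
        print(f"{section}: {reason} +{n}")
```

Paste the real listings into BEFORE and AFTER (or read them from files) and run it; the counters that increment only while inspect http is on, and only during the redirect to the https login page, are the ones worth chasing. A counter that keeps growing in both runs, like the reverse-path or ACL drops in the post, is background noise for this problem.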
