How to enable special http inspection for Cisco ASA firewall
Posted by: Yasir Irfan
We had a special request from one of our clinicians; he was trying to access one of the health care portals at the URL http://apps.xxx.xx.sa:2000/. From his office the portal was not accessible, whereas the same portal could be accessed from any other location except our office.
While troubleshooting this issue we thought maybe our Bluecoat ProxySG was blocking port 2000, but that was not the case. We were facing the same problem even with a static NAT on our ASA 5540 firewall.
One thing was sure: the ASA 5540 firewall was blocking access to the URL http://apps.xxx.xx.sa:2000/. We reviewed all our access lists and found nothing wrong with them. We thought some policy map might be blocking the access, so we disabled the default inspection class of the default policy-map as shown below:
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect esmtp

sec/FW01-MB-IE-001(config)# policy-map global_policy
sec/FW01-MB-IE-001(config-pmap)# no class inspection_default
The URL started working. Now one thing was sure: the problem lay with the policy map. We cannot disable the default policy-map that Cisco configures by default on all ASA and PIX firewalls, so after reading the following documents from Cisco Systems
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html
it was clear that certain HTTP traffic needs special handling. When we re-enabled the default inspection class in the policy-map and added the command “inspect http” as shown below, the URL could be accessed from our internal LAN.
sec/FW01-MB-IE-001(config)# policy-map global_policy
sec/FW01-MB-IE-001(config-pmap)# class inspection_default
sec/FW01-MB-IE-001(config-pmap-c)# inspect http
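As an added check (example code, not from the original post or from Cisco): the built-in default-inspection-traffic class binds each inspect engine of inspection_default to a fixed TCP/UDP port, so before changing the policy-map it is worth seeing which engine already claims the port in question. The script below parses the class listing shown above and reports the engines bound to TCP 2000; the port table is the default-inspection-traffic mapping documented for ASA 7.x/8.x, which is assumed to match the poster's release.

```python
# Added example (not from the original post): list the inspect engines under the
# ASA inspection_default class and map them to the TCP/UDP ports the built-in
# default-inspection-traffic class binds them to, so you can see which engine
# already claims a port (here TCP 2000) before changing the policy-map.

# Assumption: the default-inspection-traffic bindings documented for ASA 7.x/8.x.
DEFAULT_INSPECTION_PORTS = {
    "dns": [("udp", 53)], "ftp": [("tcp", 21)], "http": [("tcp", 80)],
    "h323 h225": [("tcp", 1720)], "h323 ras": [("udp", 1718), ("udp", 1719)],
    "netbios": [("udp", 137), ("udp", 138)], "rsh": [("tcp", 514)],
    "rtsp": [("tcp", 554)], "skinny": [("tcp", 2000)], "sqlnet": [("tcp", 1521)],
    "sunrpc": [("tcp", 111), ("udp", 111)], "tftp": [("udp", 69)],
    "sip": [("tcp", 5060), ("udp", 5060)], "xdmcp": [("udp", 177)],
    "esmtp": [("tcp", 25)],
}

# Constructed sample: the inspection_default class as shown in the post.
SAMPLE_POLICY = "policy-map global_policy\n class inspection_default\n" + "".join(
    f"  inspect {e}\n" for e in (
        "dns migrated_dns_map_1", "ftp", "h323 h225", "h323 ras", "netbios", "rsh",
        "rtsp", "skinny", "sqlnet", "sunrpc", "tftp", "sip", "xdmcp", "esmtp"))


def inspect_engines(config, class_name="inspection_default"):
    """Return the inspect engines configured under class_name of the policy-map."""
    engines, in_class = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class "):
            in_class = line.split(None, 1)[1] == class_name
        elif in_class and line.startswith("inspect "):
            words = line.split()[1:]
            # h323 needs its sub-engine; any other trailing argument is an
            # inspection policy-map name (e.g. "dns migrated_dns_map_1") and is dropped.
            engines.append(" ".join(words[:2]) if words[0] == "h323" else words[0])
    return engines


def engines_claiming(config, proto, port):
    """Engines under inspection_default whose default binding covers proto/port."""
    return [e for e in inspect_engines(config)
            if (proto, port) in DEFAULT_INSPECTION_PORTS.get(e, [])]


if __name__ == "__main__":
    print("TCP 2000 is inspected by:", engines_claiming(SAMPLE_POLICY, "tcp", 2000))
    print("inspect http present:", "http" in inspect_engines(SAMPLE_POLICY))
```

Run it against the output of "show running-config policy-map" on your own ASA to see which engine a given port lands on.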