Network technologies and trends

Aug 14 2012   7:09AM GMT

How to enable special http inspection for Cisco ASA firewall

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

 

We had a special request from one of our clinicians; he was trying to access one of the health care portal with the URL http://apps.xxx.xx.sa:2000/. While he was trying to access the same portal from his office it was not accessible, whereas the same portal can accessed from any other location except our office.

While troubleshooting this issue we thought may be our Bluecoat proxy SG was blocking the port 2000 but that was not the case. We were facing the same problem even with static NAT from our ASA 5540 firewall.

One thing was sure the ASA 5540 firewall was blocking the access to the URL http://apps.xxx.xx.sa:2000/. We reviewed all our access list still nothing was wrong with that.  We thought might be some policy map is blocking the access, when we disabled the default policy-map as shown below

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect esmtp

sec/FW01-MB-IE-001(config)# policy-map global_policy

sec/FW01-MB-IE-001(config-pmap)# no class inspection_default

 

The url started working. Now one thing was sure, the problem lies with policy map. We cannot disable the default policy-map which Cisco configured by default in all ASA or PIX firewall, after reading the following documents from Cisco Systems

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html

 

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

It was clear certain HTTP traffic need a special handling. When we enabled the default policy-map and added a command “inspect http”  as shown below the url can be accessed from our internal LAN.

 sec/FW01-MB-IE-001(config)# policy-map global_policy

sec/FW01-MB-IE-001(config-pmap)#  class inspection_default

sec/FW01-MB-IE-001(config-pmap-c)# inspect http

 

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: