Cisco :: HTTP Inspection URL Filtering On An ASA 5505?
Jan 12, 2011
I'm trying to configure HTTP Inspection with regex matching on an ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo. And also exclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but appears not to work. The logs report only that traffic has been dropped by the inspection policy.
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
I'm looking for a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, I was wondering if I can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
I have come across articles mentioning that URL Filtering can be implemented by using ASA 5505 with URL Filtering Servers. But Websense and other Web Filtering Servers are paid ones? Are there any free solutions available? What exactly is N2H2? The reason is I don't want to increase the CPU utilization of ASA by implementing URL filtering within the device. If I have around 30 nodes which connect to the internet via a 2Mbps line through ASA 5505 and if I want to block around say 10 or 15 URLs, will it increase CPU utilization beyond permissible limits? Currently the CPU Utilization is around 10 - 15. Here's the infrastructure setup.
I have a branch office set up where all traffic goes back to the core, including internet access.
It has been working fine for a year, but recently I have started to see the firewalls ASA 5505 closing the connection and stopping the phone from answering the calls.
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to register.
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
It's turned on my 5 other branches. How can I debug why the skinny inspection is closing the connection? As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?
Could URL Filtering be implemented on Cisco ASA 5505-BUN-k9? I mean to block certain websites, like facebook, youtube, to block certain download files like .exe, .com, .bat etc. Is there any extra license needed for this, or could it be done with the simple IOS ASA5505-bun-k9?
I have a problem configuring url filtering on ASA 5505 rel 8.3.1: I have to block the web navigation to facebook and, with my configuration, it works fine. The problem is when I try to access other sites where there are links to facebook, I cannot see that site and not only the button of facebook.
I'm looking for a content filtering/antivirus/antispyware appliance for my company. Right now we have an ASA 5505 at the edge. We have several outside employees connecting via Cisco VPN clients to the ASA. I need an appliance that can do content filtering for my inside network, guest network, and VPN users. That's two local VLANs and a VPN pool which are all terminated at the ASA.
I've had good luck with Cymphonix in the past, but their boxes are a bit steep for the amount of throughput I need. We'll probably be moving from a 15/15 fiber connection to 80/10 cable soon since our provider can't seem to keep us online; even with an alleged "100%" SLA. They just don't have a network capable of anything close to 100% uptime, plain and simple.
I'd like to keep the ASA running as our firewall and VPN server, so the device needs to be able to do content filtering/av/as in a transparent mode.
configure my ASA 5505. It is setup using PPPoE. What I want to do is this:
I have one of my IP addresses (99.23.119.78) setup for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access but not just that, I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to [URL]. I would like to not have to not require the port in the URL.
In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.
Here is my current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU
We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface. We have one internal HTTP server so that I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add new physical HTTP server 2 so that I would like to forward HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
I have an ASA 5505 that I am using to connect my contractors to via an inside interface, the outside interface is my private LAN. I have setup on our corporate Proxy server to allow traffic from my outside interface of my ASA to go to the internet without credentials BUT log internet activity. The question is I want to know if the ASA can send that http & https traffic to my proxy server and all other traffic to my default route? I want to be able to send all internet traffic to my proxy server. This will avoid me asking the contractors to place proxy credentials in their browsers.
More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside. I used to go in, enable the inspections and subsequent trace routes worked. Now when this is enabled, the firewall still blocks return trace route.
I am aware there is a feature request but don't see any updates. Taking the chance here that it's fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS. We are currently running 7.0(5a)E4. I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.
I'm aware ACLs are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediately had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accommodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporadic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
ASA 5520 running 8.4.5: We had an issue with a remote SMTP connection getting screwed up as a result of ESMTP inspect. It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really threw me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMTP inspect, packet too big). My question to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
I have an SF-300-24 port switch and am having an issue. When a device says "Who has 192.168.0.1" (which is the default gateway) two devices are replying in the affirmative, and therefore the MAC address table is getting screwed up. I know the correct MAC address of 192.168.0.1 is 00:1b:21:95:02:b0, so how do I tell the router to discard any packets that say otherwise? I tried to figure out DHCP snooping and IP source guard, and ARP Inspection, but I am not getting anywhere and keep losing connectivity to the switch.
Obviously a device on the network is misconfigured, unfortunately it is a large wireless network and the misconfigured device is 30 miles away on the top of a mountain. I am hoping to bandaid it locally and then eventually go out and fix the offending equipment.
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976. I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512 bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is, is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer?
I need to disable RDP packet inspection on this router but I can't find where I do that. I'm having trouble with audio on a sip line and I read here (bottom of page) url...that turning off RDP packet solved the problem. I've looked through the config and searched on google but couldn't find the answer. What is the command to turn off RDP packet inspection?
I have a network of 3750's configured for DAI with DHCP Snooping implanted and working with windows XP for around a year. Now we've changed a couple machines for windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven. Two of these WIN7 are triggering the err-disable for arp inspection (configured by default to block interfaces sending over 15 arp pps). I noticed that when I go on windows -> network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive arp response on the network. I noticed that all hosts on the network updated their arp entry for that computer (win7) at the same time, for some reason I don't know. The windows 7 tries to reply over fifty arp requests for its IP which caused the port to be put on err-disable. There were no applications running on the windows7 computer at the time of the tests, only wireshark and its default services. This computer has configured: DHCP with WINS. It's on a windows domain, has netbios over TCP.
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
class-map inspection_default
 match default-inspection-traffic
What does "default-inspection-traffic" include? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44 --- this is because of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stays: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This is supposed to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1) The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever the CM receives the trying message with a different Call-ID it is considered a new session and it keeps sending invitation messages to the SIP provider. NAT is enabled.
I am having issues with PXE boot images for PCs that cannot be loaded remotely. The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets. So I excluded these two inspections for the particular server behind the firewall. It seemed to resolve the issue for an instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
I have got a TMG 2010 and I want to use Skype through it. If HTTPS inspection is enabled Skype doesn't work, if it is disabled Skype is working. What can I do for using Skype behind a TMG with HTTPS inspection so I want to use 8080 port only. I have excluded the 1 PC from HTTPS inspection or the destination URLs from HTTPS inspection.
I have two RV 120W routers with an IPSec VPN. I have problems with VoIP traffic inside the VPN. In PIX and ASA systems I know the solution is to disable h323 inspection. Is it possible to disable h323 inspection in a RV 120W Router?