Sunday 3 March 2013

ASA MPF - HTTP traffic inspection

1. Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps

access-list http_80 extended permit tcp any any eq www
class-map httptraffic
 match access-list http_80

2. Create an inspection policy map to tune the HTTP inspection engine

Example: match HTTP requests whose Host header contains yahoo.com, facebook.com or youtube.com. The class map below looks at the Host request header of cleartext HTTP only; HTTPS requests to the same sites are not decrypted and therefore never match.

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.facebook\.com"
regex domainlist3 "\.youtube\.com"
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
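
To see exactly which Host header values the DomainBlockList class above catches, here is an added Python emulation of the match (not Cisco code, and not part of the original post). It applies the three regexes the way a match-any regex class does, and also tries a tightened, anchored variant that is this example's own suggestion: the original patterns require a dot before the name, so a bare `facebook.com` Host header slips through, while anything that merely contains `.facebook.com`, such as `www.facebook.com.evil.example`, is reset. The Host values are constructed for the example.

```python
import re

# The three regex objects from step 2, keyed by the name given on the ASA.
# For these simple patterns ASA regex syntax and Python's re agree.
DOMAIN_BLOCK_LIST = {
    "domainlist1": r"\.yahoo\.com",
    "domainlist2": r"\.facebook\.com",
    "domainlist3": r"\.youtube\.com",
}

# Tightened alternative (an assumption of this example, not from the post):
# anchored so the domain must end the Host value, optionally followed by a
# port, and so the bare apex name matches too. Confirm on the firewall with
# 'test regex <host> <pattern>' before relying on it.
TIGHT_BLOCK_LIST = {
    "yahoo":    r"(^|\.)yahoo\.com(:[0-9]+)?$",
    "facebook": r"(^|\.)facebook\.com(:[0-9]+)?$",
    "youtube":  r"(^|\.)youtube\.com(:[0-9]+)?$",
}


def host_matches_blocklist(host, regexes=DOMAIN_BLOCK_LIST):
    """Emulate 'class-map type regex match-any' applied to the Host header:
    the first regex found anywhere in the header value wins. Returns the
    regex name that matched, or None when the request would pass."""
    for name, pattern in regexes.items():
        if re.search(pattern, host):
            return name
    return None


# Constructed Host header values exercising the interesting cases.
SAMPLE_HOSTS = [
    "www.facebook.com",               # blocked as intended
    "m.youtube.com",                  # blocked as intended
    "facebook.com",                   # NOT blocked: no dot before 'facebook'
    "www.facebook.com.evil.example",  # blocked, although it is another zone
    "notyahoo.com",                   # not blocked: 't' precedes 'yahoo', not '.'
    "www.facebook.com:8080",          # blocked: a port suffix does not matter
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32} original={host_matches_blocklist(host)!s:12} "
              f"tight={host_matches_blocklist(host, TIGHT_BLOCK_LIST)}")
```

Running it prints both columns side by side; the ASA's own `test regex <input> <pattern>` command is the equivalent check on the firewall. Neither pattern set helps with HTTPS, where the Host header travels inside TLS and the inspection engine never sees it.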

3. Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map
Example: inspect HTTP traffic. Drop the TCP connection on any HTTP protocol violation (protocol-violation action drop-connection). Reset and log HTTP connections whose Host header names yahoo.com, facebook.com or youtube.com. Limit the matching HTTP connections to 300 and the half-open (embryonic) HTTP connections to 50.

policy-map type inspect http http_inspection_policy
  parameters
    protocol-violation action drop-connection
  class BlockDomainsClass
    reset log
policy-map inside-policy
  class httptraffic
    inspect http http_inspection_policy
    set connection conn-max 300 embryonic-conn-max 50

4. Apply the policy map with a service policy (globally or on one interface)

service-policy inside-policy interface inside


5. Verification:

ciscoasa# show service-policy interface inside

Interface inside:
  Service-policy: inside-policy
    Class-map: httptraffic
      Inspect: http http_inspection_policy, packet 20678, drop 22, reset-drop 12
      Set connection policy: conn-max 300 embryonic-conn-max 50
        current embryonic conns 0, current conns 0, drop 0

ciscoasa# show service-policy inspect http

Interface inside:
  Service-policy: inside-policy
    Class-map: httptraffic
      Inspect: http http_inspection_policy, packet 20678, drop 22, reset-drop 12
        protocol violations
          packet 2
        class BlockDomainsClass
          reset log, packet 12
        class BLOCK_URL
          reset log, packet 0

ciscoasa# show logging
%ASA-6-302013: Built outbound TCP connection 10797 for outside:31.13.72.39/80 (31.13.72.39/80) to inside:10.1.1.2/56587 (192.168.223.150/56587)
%ASA-5-415008: HTTP - matched Class 22: BlockDomainsClass in policy-map http_inspection_policy, header matched - Resetting connection from inside:10.1.1.2/56587 to outside: 31.13.72.39/80
%ASA-5-304001: 10.1.1.2 Accessed URL 31.13.72.39:http://www.facebook.com/
%ASA-4-507003: tcp flow from inside:10.1.1.2/56587 to outside:31.13.72.39/80 terminated by inspection engine, reason - reset unconditionally.
%ASA-6-302014: Teardown TCP connection 10797 for outside:31.13.72.39/80 to inside:10.1.1.2/56587 duration 0:00:00 bytes 0 Flow closed by inspection
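
The show logging output gives one line per event; on a busy firewall you want these correlated per inside host. The following Python is an added example, not from the post and not a Cisco tool, that parses the three inspection-related message IDs seen above, %ASA-5-415008, %ASA-5-304001 and %ASA-4-507003, attaches the accessed URL to the reset that produced it, and counts termination reasons. The sample input is the post's own log lines plus a constructed set for a second inside host (10.1.1.3, port 40012 and 203.0.113.10 are made up).

```python
import re
from collections import Counter

# Message formats as they appear in the post's 'show logging' output.
RE_MATCH = re.compile(
    r"%ASA-5-415008: HTTP - matched Class \d+: (?P<cls>\S+) in policy-map (?P<pmap>\S+), "
    r"(?P<why>.+?) - Resetting connection from \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
RE_URL = re.compile(
    r"%ASA-5-304001: (?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)"
)
RE_TERM = re.compile(
    r"%ASA-4-507003: tcp flow from \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) terminated by inspection engine, "
    r"reason - (?P<reason>.+?)\.?$"
)


def parse_inspection_events(lines):
    """Return (events, reasons): one dict per 415008 reset, enriched with the
    URL from the following 304001 for the same src/dst pair, and a Counter of
    507003 termination reasons."""
    events, reasons = [], Counter()
    for line in lines:
        line = line.strip()
        if m := RE_MATCH.search(line):
            events.append({"src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "class": m["cls"], "policy_map": m["pmap"],
                           "url": None})
        elif m := RE_URL.search(line):
            # 304001 carries no port, so attach it to the most recent reset
            # between the same two hosts that does not yet have a URL.
            for ev in reversed(events):
                if ev["src"] == m["src"] and ev["dst"] == m["dst"] and ev["url"] is None:
                    ev["url"] = m["url"]
                    break
        elif m := RE_TERM.search(line):
            reasons[m["reason"]] += 1
    return events, reasons


def blocked_hosts_report(events):
    """Aggregate: how often each inside host hit each blocking class."""
    return dict(Counter((ev["src"], ev["class"]) for ev in events))


SAMPLE_SYSLOG = [
    # Copied from the post's 'show logging' output.
    "%ASA-6-302013: Built outbound TCP connection 10797 for outside:31.13.72.39/80 (31.13.72.39/80) to inside:10.1.1.2/56587 (192.168.223.150/56587)",
    "%ASA-5-415008: HTTP - matched Class 22: BlockDomainsClass in policy-map http_inspection_policy, header matched - Resetting connection from inside:10.1.1.2/56587 to outside: 31.13.72.39/80",
    "%ASA-5-304001: 10.1.1.2 Accessed URL 31.13.72.39:http://www.facebook.com/",
    "%ASA-4-507003: tcp flow from inside:10.1.1.2/56587 to outside:31.13.72.39/80 terminated by inspection engine, reason - reset unconditionally.",
    "%ASA-6-302014: Teardown TCP connection 10797 for outside:31.13.72.39/80 to inside:10.1.1.2/56587 duration 0:00:00 bytes 0 Flow closed by inspection",
    # Constructed lines in the same format for a second, hypothetical inside host.
    "%ASA-5-415008: HTTP - matched Class 22: BlockDomainsClass in policy-map http_inspection_policy, header matched - Resetting connection from inside:10.1.1.3/40012 to outside:203.0.113.10/80",
    "%ASA-5-304001: 10.1.1.3 Accessed URL 203.0.113.10:http://www.youtube.com/",
    "%ASA-4-507003: tcp flow from inside:10.1.1.3/40012 to outside:203.0.113.10/80 terminated by inspection engine, reason - reset unconditionally.",
]

if __name__ == "__main__":
    evs, why = parse_inspection_events(SAMPLE_SYSLOG)
    for ev in evs:
        print(f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
              f"class={ev['class']} url={ev['url']}")
    print("terminations:", dict(why))
    print("per host:", blocked_hosts_report(evs))
```

Feed it the export of show logging or a syslog collector's archive; the per-host report is what tells you whether the resets are a handful of users or a misfiring regex, and the 507003 reasons separate class-map resets from protocol-violation drops.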

