This time I'll talk about one common mistake often made by novice ASA admins when they try to configure protocol inspection. I saw too many broken Internet connections caused by this one, so it would be good to say something about it...
Let see what happens when you incorrectly select traffic for application inspection:
Wrong config:
http-map pure_http_only
strict-http action drop
policy-map AppLayerInspection
class web-traffic
inspect http pure_http_only
class-map http_traffic
match access-list http_traffic
access-list http_traffic permit ip any any
service-policy AppLayerInspection interface outside
Million $ question is what the hell is wrong with this config. Let's take a closer look...
Policy-map "AppLayerInspection" enforces strict (by RFC definition) HTTP on traffic classified by the class-map "http_traffic". And there is nothing wrong with that. The goal of strict HTTP inspection is that firewall recognizes if someone tries to run traffic which is not real HTTP trough port 80. The only problem with the configuration above is that class-map selects traffic according to access-list "http_traffic" which says permit ip any any. So if we have in mind that interface policy always supersedes global policy let's examine what ASA will do with for example simple outbound ping traffic:
We send ICMP ECHO from inside host to the Internet. This packet is processed by ASA firewall's outside interface service policy before it is sent to the upstream ISP router and since ICMP ECHO is definitely not a HTTP traffic crafted by RFC rules it's dropped. And the same destiny will find all other non-pure HTTP traffic including DNS, SMTP, etc, etc. So, practically your users will be able to connect only to some HTTP sites and all other connections will be denied!
So, what we should do to correct this major issue before phones starts ringing in panic? Simple change our "http_traffic" access-list into:
access-list http_traffic permit tcp any any eq 80
Now the access-list will select only packets with destination port 80 for the RFC HTTP compliance check and all other traffic will be processed by ASA global policy.
I think you mean for the following two commands to match (have the same name):
ReplyDeleteclass-map http_traffic
class web-traffic