
cisco ASA http inspection small problem

a77 asked on
Good morning/evening, our fellow experts around the world,

I'm having a tiny problem with HTTP inspection on a Cisco ASA 5505. I'm trying to block video extensions, and it worked, but the problem is that once I apply this HTTP inspection policy, when users try to open Hotmail and Yahoo messages, they can't (the inbox opens, but when they click on any email it does not open; Hotmail shows "We can't connect to Hotmail right now. Please try again later"). When I disable this HTTP inspection policy, everything works fine. I'm lost because I don't know where to look (also, I'm an ASA noob).

Below is a show run highlighting the important things:

regex video_extensions1 ".*\.flv|.*\.mpg|.*\.asf|.*\.asr|.*\.asx|.*\.avi|.*\.ivf|.*\.lsf|.*\.lsx|.*\.mlv|.*\.mp4|audio/.*"
regex video_extensions2 ".*\.mov|.*\.movie|.*\.mp2|.*\.mpa|.*\.mpe|.*\.mpeg|.*\.mpv2|.*\.qt|.*\.mkv|video/*"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
ftp mode passive
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp-udp eq www
 service-object tcp eq www
 service-object icmp
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp eq www
 service-object icmp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in_1 extended permit ip any any inactive
access-list inside_access_in_1 extended permit ip any any
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
!
dynamic-access-policy-record DfltAccessPolicy
!
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map type regex match-any extensionsBlockList
 match regex video_extensions2
 match regex video_extensions1
class-map type inspect http match-all blockExtensions
 match request uri regex class extensionsBlockList
class-map type inspect http match-all appheaderclass
 match request header regex contenttype regex applicationheader
class-map type inspect http match-all asdm_medium_security_methods
 match not request method head
 match not request method post
 match not request method get
class-map type inspect http match-all asdm_high_security_methods
 match not request method head
 match not request method get
class-map httptraffic
 match access-list inside_mpc
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class appheaderclass
  drop-connection log
 class blockExtensions
  reset log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside

Appreciate any help :)
Thanks in advance.
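To see which class of the posted http_inspection_policy a given request hits, here is an added Python model of the policy-map's evaluation order; it is not from the thread or from Cisco, it approximates the ASA regex engine with Python's unanchored re.search, and the sample requests are constructed rather than captured from the asker's network.

```python
import re

# Regexes copied from the posted show run. The match-any class-map
# extensionsBlockList ORs video_extensions1 and video_extensions2, so the two
# are joined into a single alternation here.
VIDEO_EXTENSIONS = (
    r".*\.flv|.*\.mpg|.*\.asf|.*\.asr|.*\.asx|.*\.avi|.*\.ivf"
    r"|.*\.lsf|.*\.lsx|.*\.mlv|.*\.mp4|audio/.*"
    r"|.*\.mov|.*\.movie|.*\.mp2|.*\.mpa|.*\.mpe|.*\.mpeg|.*\.mpv2"
    r"|.*\.qt|.*\.mkv|video/*"
)
APPLICATION_HEADER = r"application/.*"   # regex applicationheader


def classify(method, uri, headers):
    """Return the action http_inspection_policy takes on one request, or None.

    Evaluation order follows the policy-map as posted: the CONNECT method
    match first, then class appheaderclass, then class blockExtensions.
    """
    if method.upper() == "CONNECT":
        return "drop-connection (request method connect)"
    # appheaderclass: a *request* header Content-Type whose value matches
    # application/.* -- ordinary form or JSON POSTs carry exactly that.
    lower = {k.lower(): v for k, v in headers.items()}
    if re.search(APPLICATION_HEADER, lower.get("content-type", "")):
        return "drop-connection (appheaderclass)"
    # blockExtensions: request URI matches any video/audio regex. Note that
    # "video/*" means "video" followed by zero or more slashes, so any URI
    # that merely contains the word "video" also matches.
    if re.search(VIDEO_EXTENSIONS, uri):
        return "reset (blockExtensions)"
    return None


# Constructed sample requests (not captures from the asker's network).
SAMPLES = [
    ("GET", "/media/trailer.mp4", {}),
    ("GET", "/mail/InboxLight.aspx", {}),
    ("POST", "/mail/ReadMessageLight.aspx",
     {"Content-Type": "application/x-www-form-urlencoded"}),
    ("GET", "/help/videochat/faq.html", {}),
]

if __name__ == "__main__":
    for method, uri, hdrs in SAMPLES:
        print(f"{method:7} {uri:32} -> {classify(method, uri, hdrs)}")
```

Running it shows that a plain GET of the inbox passes, while a POST that carries a Content-Type of application/... is dropped by appheaderclass before the video regexes are even consulted.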
ASKER CERTIFIED SOLUTION
TimotiSt
Senior Network Engineer