wajordan
asked on
Cisco ASA class inspection setting differences and effects
I have two firewalls that are behaving differently when routing traffic from the servers in the LAN to public IPs of other servers also in the LAN (inside). I believe hairpinning is what this type of traffic is called; it's due to vendor application dependencies. I'm examining the config files of the ASAs for any differences and not finding much.
Both have this for instance:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
But in their class inspect settings I do see a few differences...
FW1:
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
FW2:
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
inspect snmp
policy-map type inspect http test
parameters
protocol-violation action drop-connection
!
FW2 is having the hairpin routing issue, and the traffic it's dropping is HTTP. As both firewalls are in production I don't want to just make changes without first knowing if this "protocol-violation action drop-connection" might be the cause of my problem. Is this causing my problem? If not, are there other things I should look at?
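An added example (not from the question and not a Cisco tool) that does the config comparison mechanically: it parses the class inspection_default block and any policy-map type inspect http map from two ASA config excerpts, lists the inspect lines that differ, flags http maps whose protocol-violation action drops, and reports maps that are defined but not named on an inspect http line (an http inspection map only takes effect when "inspect http <name>" references it). The two configs embedded below are constructed, trimmed versions of the excerpts in the question.

```python
def parse_inspection(config):
    """Return (set of inspect lines under class inspection_default, {http map: params})."""
    inspects, http_maps = set(), {}
    section = name = None
    for raw in config.splitlines():
        line = raw.strip()                    # ASA shows nesting by indent; ignore it
        if not line or line == "!":           # '!' closes a config block
            section = None
            continue
        if line == "class inspection_default":
            section = "inspect"
        elif line.startswith("policy-map type inspect http "):
            name = line.split()[-1]           # map name is the last token
            http_maps[name] = []
            section = "http"
        elif line.startswith(("class ", "policy-map ")):
            section = None                    # some other block we do not track
        elif section == "inspect" and line.startswith("inspect "):
            inspects.add(line)
        elif section == "http" and line != "parameters":
            http_maps[name].append(line)      # e.g. protocol-violation action ...
    return inspects, http_maps


def diff_inspection(cfg_a, cfg_b):
    """Inspect-line differences plus http maps in cfg_b that drop on protocol violation."""
    ins_a, _ = parse_inspection(cfg_a)
    ins_b, maps_b = parse_inspection(cfg_b)
    dropping = [n for n, params in maps_b.items()
                if any(p.startswith("protocol-violation action drop") for p in params)]
    # A map is applied only if an 'inspect http <name>' line references it.
    unapplied = [n for n in maps_b if f"inspect http {n}" not in ins_b]
    return {
        "only_in_a": sorted(ins_a - ins_b),
        "only_in_b": sorted(ins_b - ins_a),
        "b_http_maps_dropping_on_violation": sorted(dropping),
        "b_http_maps_not_referenced_by_inspect": sorted(unapplied),
    }


# Constructed sample: the question's two excerpts, trimmed to the lines that matter.
FW1 = "class inspection_default\n inspect dns preset_dns_map\n inspect ftp\n inspect icmp\n!\n"
FW2 = ("class inspection_default\n inspect dns preset_dns_map\n inspect ftp\n inspect http\n"
       " inspect icmp\n inspect snmp\n"
       "policy-map type inspect http test\n parameters\n"
       "  protocol-violation action drop-connection\n!\n")

if __name__ == "__main__":
    print(diff_inspection(FW1, FW2))
```

In the question's FW2 excerpt the http map is named "test" but the class line reads a bare "inspect http", so the script reports the map as not referenced; confirm against the full running config before concluding the map is what drops the traffic.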
Please test it by changing the protocol-violation action to "log" instead of "drop-connection".
If that helped, read RFC 2616.
Rather than really identifying an HTTP stream as malicious/non-conformant, it could be that the requesting browser/client is not sending some information in the HTTP request method that is needed by the ASA to not mark it as a protocol violation.
br
Alex