in IPS state there is special purpose interface send reset to the client and server , but in case of drop I think it is just drop the packet , is not it ?
Date: Fri, 16 Sep 2011 22:31:44 -0600 From: [email protected] To: [email protected] Subject: [OSL | CCIE_Security] ASA HTTP Policy drop-connection Vs reset actions Hi folks, I just finished a self-made lab with ASA HTTP inspection . The only doubts that I got are concerned with policy-map actions in HTTP inspection. For example, i made a policy where all Internet Explorer HTTP connections were dropped, and it works fine. At ASA logging level I saw the next output: ASA-5-415008: HTTP - matched Class 22: BIN in policy-map BIN, header matched - Dropping connection from INSIDE:1.1.1.2/54826 to WEBSERVER: 4.2.2.2/80 %ASA-4-507003: tcp flow from INSIDE:1.1.1.2/54826 to WEBSERVER:4.2.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet. At wireshark level I saw the TCP handshake, the HTTP request and the TCP reset. Then, i change the action to reset and i got these: %ASA-5-415008: HTTP - matched Class 22: BIN in policy-map BIN, header matched - Resetting connection from INSIDE:1.1.1.2/54827 to WEBSERVER: 4.2.2.2/80 %ASA-4-507003: tcp flow from INSIDE:1.1.1.2/54827 to WEBSERVER:4.2.2.2/80 terminated by inspection engine, reason - reset unconditionally At wireshark level, same as before... The rest of the logs in ASA, the same too About the actions in HTTP Inspection in cisco.com: The drop-connection keyword drops the packet and closes the connection. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. In both cases i see the same behavior at host level, including the reset at the end of the TCP trasmision. Is there a real difference between both actions? The same applies with IPS reset connection and drop connection inline action, but with the sensor i saw some TCP retransmisions before the reset was send, working with drop connection line. Regards. _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
