Hi Kings,

Without HTTP Inspection enabled, the ASA will NOT get the URL from the HTTP header.
You must enable it for the URL to be sent to the URL Filtering server. If your server is
DOWN and the 'allow' option is not specified, the ASA will deny all packets
destined to port 80 without even checking the URL.

Regards,
Piotr


2011/11/10 Kingsley Charles <[email protected]>

> Hi all
>
> As per the following snippet, http inspection is required for filtering.
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>
>
> Use the HTTP inspection engine to protect against specific attacks and
> other threats that may be associated with HTTP traffic. HTTP inspection
> performs several functions:
>
> • Enhanced HTTP inspection
>
> • URL screening through N2H2 or Websense
>
> • Java and ActiveX filtering
>
> The latter two features are configured in conjunction with the
> *filter* command.
>
> I configured a dummy, non-existent url-server and configured the following
> rule. Hence any http request will be dropped as there is no "allow"
> configured along with the following rule. My http request
> gets denied across the ASA but I didn't enable http inspection.
>
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>
>
> By default, http inspection is not configured under policy-map
> global_policy.
>
> If there is a task asked to configure for filtering, should we enable http
> inspection or not?
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
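
The configuration pieces this thread discusses, put side by side as an added example (not from either poster): the filter rule as posted, the same rule with `allow`, and HTTP inspection enabled under `global_policy`. The url-server address `192.0.2.10`, the interface name `inside` and the vendor/timeout values are constructed placeholders.

```cisco
! Constructed example: 192.0.2.10 and interface "inside" are placeholders.
! Filtering server that the ASA queries for HTTP requests.
url-server (inside) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4
!
! Rule as posted in the thread: no "allow" keyword, so HTTP is denied
! while the url-server is unreachable (fail closed).
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
!
! Alternative with "allow": HTTP is forwarded unfiltered while the
! url-server is unreachable (fail open). Configure one form, not both.
! filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
!
! HTTP inspection added to the default global policy, the setting the
! original question asks about.
policy-map global_policy
 class inspection_default
  inspect http
!
! Checks from privileged EXEC: server reachability, the active filter
! rule, and whether HTTP inspection is seeing traffic.
show url-server statistics
show running-config filter
show service-policy inspect http
```

Choosing between the two `filter url` forms is an availability-versus-enforcement decision: without `allow`, an outage of the filtering server blocks all web traffic matching the rule; with it, the same outage silently removes URL filtering.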