Thanks Piotr

Till today, I have not seen any docs or workbooks insisting for configuring
http inspection when configuring url filter. Pity is, we can't verify url
filter end to end :-(

With regards
Kings

On Thu, Nov 10, 2011 at 7:56 PM, Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> Without HTTP Inspection enabled, the ASA will NOT get URL from HTTP
> header. You must enable it to be send to URL Filetring server. If your
> server is DOWN without specifying 'allow' option the ASA will deny all
> packets destined to port 80 without even checking URL.
>
> Regards,
> Piotr
>
>
> 2011/11/10 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> As per the following snippet, http inspection is required for filtering.
>>
>> Snippet from
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>>
>>
>> Use the HTTP inspection engine to protect against specific attacks and
>> other threats that may be associated with HTTP traffic. HTTP inspection
>> performs several functions:
>>
>> •Enhanced HTTP inspection
>>
>> •URL screening through N2H2 or Websense
>>
>> •Java and ActiveX filtering
>>
>> The latter two features are configured in conjunction with the 
>> *filter*command.
>>
>> I configured a dummy non existent url-server and configured the following
>> rule. Hence any http request will be dropped as there is no "allow"
>> configured along with the following rule. My http request
>> gets denied across the ASA but I didn't enable http inspection.
>>
>> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>>
>>
>> My default, http inspection is not configured under policy-map
>> global_policy.
>>
>> If there is a task asked to configure for filtering, should we enable
>> http inspection or not?
>>
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to