Thanks Piotr

Till today, I have not seen any docs or workbooks insisting on configuring http inspection when configuring url filter. Pity is, we can't verify url filter end to end :-(

With regards
Kings

On Thu, Nov 10, 2011 at 7:56 PM, Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> Without HTTP Inspection enabled, the ASA will NOT get URL from HTTP
> header. You must enable it to be sent to URL Filtering server. If your
> server is DOWN without specifying 'allow' option the ASA will deny all
> packets destined to port 80 without even checking URL.
>
> Regards,
> Piotr
>
> 2011/11/10 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> As per the following snippet, http inspection is required for filtering.
>>
>> Snippet from
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>>
>> Use the HTTP inspection engine to protect against specific attacks and
>> other threats that may be associated with HTTP traffic. HTTP inspection
>> performs several functions:
>>
>> •Enhanced HTTP inspection
>>
>> •URL screening through N2H2 or Websense
>>
>> •Java and ActiveX filtering
>>
>> The latter two features are configured in conjunction with the
>> *filter* command.
>>
>> I configured a dummy nonexistent url-server and configured the following
>> rule. Hence any http request will be dropped as there is no "allow"
>> configured along with the following rule. My http request
>> gets denied across the ASA but I didn't enable http inspection.
>>
>> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>>
>> By default, http inspection is not configured under policy-map
>> global_policy.
>>
>> If there is a task asked to configure for filtering, should we enable
>> http inspection or not?
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
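An added example, not part of the thread or of Cisco's documentation: a Python check that reads an ASA running-config and reports the three settings the thread discusses (a url-server, `filter url` rules without `allow`, and `inspect http` under `global_policy`). The sample config is constructed, the url-server address is a placeholder, and the function name `audit_url_filtering` is hypothetical.

```python
import re

# Constructed sample running-config fragment. Only the filter rule comes from
# the thread; the url-server line uses a placeholder documentation address.
SAMPLE_CONFIG = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""


def audit_url_filtering(config, policy="global_policy"):
    """Report the URL-filtering settings debated in the thread for one config."""
    lines = config.splitlines()

    # Each 'filter url' rule, split into tokens so 'allow' is matched as a word.
    filters = [l.split() for l in lines if l.startswith("filter url ")]

    # Collect the indented body of the named policy-map only.
    body, inside = [], False
    for l in lines:
        if l.startswith("policy-map "):
            inside = l.split()[1] == policy
        elif inside and l.startswith(" "):
            body.append(l.strip())
        elif not l.startswith(" "):
            inside = False  # any other top-level line ends the policy-map

    return {
        "url_server_defined": any(l.startswith("url-server ") for l in lines),
        "filter_rules": len(filters),
        # Rules without 'allow' block HTTP when the filtering server is down.
        "fail_closed_rules": sum("allow" not in f for f in filters),
        # 'inspect http' with or without a named inspection policy map.
        "http_inspection": any(
            re.fullmatch(r"inspect http( \S+)?", b) for b in body
        ),
    }


if __name__ == "__main__":
    for key, value in audit_url_filtering(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, which mirrors the setup Kings describes, the check reports one fail-closed filter rule and no HTTP inspection in `global_policy`.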
