Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
47-24
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 47 Configuring Inspection of Basic Internet Protocols
HTTP Inspection
The username, source IP address, destination IP address, NAT address, and the file operation are
logged.
Audit record 201005 is generated if the secondary dynamic channel preparation failed due to
memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application
payload. This is described in detail in RFC 959.
HTTP Inspection
This section describes the HTTP inspection engine. This section includes the following topics:
HTTP Inspection Overview, page 47-24
Select HTTP Map, page 47-24
HTTP Class Map, page 47-25
Add/Edit HTTP Traffic Class Map, page 47-26
Add/Edit HTTP Match Criterion, page 47-26
HTTP Inspect Map, page 47-30
“URI Filtering” section on page 47-32
“Add/Edit HTTP Policy Map (Security Level)” section on page 47-32
“Add/Edit HTTP Policy Map (Details)” section on page 47-33
“Add/Edit HTTP Map” section on page 47-35
HTTP Inspection Overview
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic. HTTP inspection performs several functions:
Enhanced HTTP inspection
URL screening through N2H2 or Websense
See Information About URL Filtering, page 42-2 for information.
Java and ActiveX filtering
The latter two features are configured in conjunction with Filter rules.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP map, can help prevent attackers from using HTTP messages for
circumventing network security policy. It verifies the following for all HTTP messages:
Conformance to RFC 2616
Use of RFC-defined methods only.
Compliance with the additional criteria.
Select HTTP Map
The Select HTTP Map dialog box is accessible as follows: