Comments on: CCIE Security – Cisco ASA Modular Policy Framework Example http://blogg.kvistofta.nu/ccie-security-cisco-asa-modular-policy-framework-example/ A Cisco Security-guy exploring the world Mon, 03 May 2010 22:24:07 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Jimmy Larsson http://blogg.kvistofta.nu/ccie-security-cisco-asa-modular-policy-framework-example/comment-page-1/#comment-73 Jimmy Larsson Fri, 08 Jan 2010 00:50:16 +0000 http://blogg.kvistofta.nu/?p=564#comment-73 One strange thing with my example above is that if I modify the access-list to define all ip or tcp-traffic from the host (that is: remove "eq ftp") it will kill most traffic from the host, including http and dns-traffic. It also logs the events like this:<br><br>%ASA-5-303004: FTP GET /x/331 command unsupported - failed strict inspection, terminating connection from inside:192.168.1.215/2597 to outside:69.63.178.129/80<br>%ASA-4-507003: tcp flow from inside:192.168.1.215/2597 to outside:69.63.178.129/80 terminated by inspection engine, reason - inspector drop reset.<br>%ASA-5-304001: 192.168.1.50 Accessed URL 69.63.178.129:/x/1545766483/false/p_723103014=14<br>%ASA-5-303004: FTP GET /x/363 command unsupported - failed strict inspection, terminating connection from inside:192.168.1.215/2598 to outside:69.63.178.129/80<br>%ASA-5-304001: 192.168.1.50 Accessed URL 69.63.178.129:/x/2682102391/false/p_723103014=15<br>%ASA-5-304001: 192.168.1.215 Accessed URL 69.63.187.17:/ajax/presence/reconnect.php?reason=1&iframe_loaded=true&post_form_id=64034a00a11a87e6c77c6c1c66a71bea&__a=1<br>%ASA-5-303004: FTP GET /x/893 command unsupported - failed strict inspection, terminating connection from inside:192.168.1.215/2599 to outside:69.63.178.129/80<br>%ASA-4-507003: tcp flow from inside:192.168.1.215/2599 to outside:69.63.178.129/80 terminated by inspection engine, reason - inspector drop reset.<br><br>So far I cant explain why. If someone knows, please tell me! One strange thing with my example above is that if I modify the access-list to define all ip or tcp-traffic from the host (that is: remove “eq ftp”) it will kill most traffic from the host, including http and dns-traffic. It also logs the events like this:

%ASA-5-303004: FTP GET /x/331 command unsupported – failed strict inspection, terminating connection from inside:192.168.1.215/2597 to outside:69.63.178.129/80
%ASA-4-507003: tcp flow from inside:192.168.1.215/2597 to outside:69.63.178.129/80 terminated by inspection engine, reason – inspector drop reset.
%ASA-5-304001: 192.168.1.50 Accessed URL 69.63.178.129:/x/1545766483/false/p_723103014=14
%ASA-5-303004: FTP GET /x/363 command unsupported – failed strict inspection, terminating connection from inside:192.168.1.215/2598 to outside:69.63.178.129/80
%ASA-5-304001: 192.168.1.50 Accessed URL 69.63.178.129:/x/2682102391/false/p_723103014=15
%ASA-5-304001: 192.168.1.215 Accessed URL 69.63.187.17:/ajax/presence/reconnect.php?reason=1&iframe_loaded=true&post_form_id=64034a00a11a87e6c77c6c1c66a71bea&__a=1
%ASA-5-303004: FTP GET /x/893 command unsupported – failed strict inspection, terminating connection from inside:192.168.1.215/2599 to outside:69.63.178.129/80
%ASA-4-507003: tcp flow from inside:192.168.1.215/2599 to outside:69.63.178.129/80 terminated by inspection engine, reason – inspector drop reset.

So far I cant explain why. If someone knows, please tell me!

]]>