ASA Scansafe Step by Step Conf

Upload: nirina2013

Post on 30-Nov-2015


Postings may contain unverified user-created content and change frequently. The content is provided as-is and is not warrantied by Cisco.

ASA: ScanSafe step by step configuration

• Documentation
• Prerequisite
• Limitations
• Topology
• How ScanSafe works
• Step by Step Configuration
  1. Configure scansafe config
  2. Create two access-lists to match http and https traffic
  3. Create two class-maps to match both traffic
  4. Optional Whitelist
  5. Create two L-7 policy maps for http and https and call the optional whitelist
  6. Create new policy-map and configure scansafe inspection
  7. Apply the policy to the interface
• Final Configuration Section
• Show commands and debugs

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html

Prerequisite

The ASA must be running 9.0 code or later to be able to configure the ScanSafe feature.

Limitations

1. IPv6 is not supported


2. Transparent mode is not supported

3. ASA clustering is not supported

4. Clientless SSL VPN is not supported

5. Cloud Web Security is not supported with the ASA CX module

6. The match default-inspection-traffic command does not include the default ports for the Cloud Web Security inspection (80 and 443).

Topology

How ScanSafe works

1. Client PC tries to go to linkedin.com

2. This request is received by the ASA and it optionally retrieves the user and/or group information

3. ASA redirects the request to the ScanSafe Towers.

4. ASA acts as a proxy, changes the destination IP address and port in the client requests and adds tower-specific HTTP headers, and then sends the modified request to the Towers.


5. Based on the policies configured on the Tower, the request is allowed or a blocked page is sent to the client PC.

Step by Step Configuration

1. Configure scansafe config

scansafe general-options
 server primary fqdn proxy193.scansafe.net port 8080
 server backup fqdn proxy1363.scansafe.net port 8080
 retry-count 5
 license <license key>

2. Create two access-lists to match http and https traffic

access-list http-traffic extended permit tcp any any eq www

access-list https-traffic extended permit tcp any any eq https

3. Create two class-maps to match both traffic (the access-list names must match the ones created in step 2 exactly)

class-map http-class
 match access-list http-traffic
class-map https-class
 match access-list https-traffic

4. Optional Whitelist

class-map type inspect scansafe match-any whitelist1


 match user user1 group cisco
 match user user2
 match group group1
 match user user3 group group3

5. Create two L-7 policy maps for http and https and call the optional whitelist

policy-map type inspect scansafe http-pmap
 parameters
  default group httptraffic
  http
 class whitelist1
  whitelist

policy-map type inspect scansafe https-pmap
 parameters
  default group httpstraffic
  https
 class whitelist1
  whitelist

6. Create new policy-map and configure scansafe inspection

policy-map inside-policy
 class http-class


  inspect scansafe http-pmap fail-close
 class https-class
  inspect scansafe https-pmap fail-close

7. Apply the policy to the interface

service-policy inside-policy interface inside

Final Configuration Section:

scansafe general-options
 server primary fqdn proxy193.scansafe.net port 8080
 server backup fqdn proxy1363.scansafe.net port 8080
 retry-count 5
 license <license key>

!

access-list http-traffic extended permit tcp any any eq www

access-list https-traffic extended permit tcp any any eq https

!

class-map http-class
 match access-list http-traffic
class-map https-class
 match access-list https-traffic

!

policy-map type inspect scansafe http-pmap


 parameters
  default group httptraffic
  http
 class whitelist1
  whitelist

policy-map type inspect scansafe https-pmap
 parameters
  default group httpstraffic
  https
 class whitelist1
  whitelist

!

policy-map inside-policy
 class http-class
  inspect scansafe http-pmap fail-close
 class https-class
  inspect scansafe https-pmap fail-close

!

service-policy inside-policy interface inside
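A configuration like the one above only redirects web traffic if every piece lines up: the class-maps must name access-lists that really exist, each inspect scansafe action should be fail-close so that an unreachable tower does not let traffic through uninspected, and the policy-map must actually be applied with service-policy. The following checker is an added example, not part of the original document or Cisco's tooling; it parses a constructed sample config (condensed from the final configuration, with two deliberate defects: class-maps that reference http_traffic/https_traffic while the access-lists are named http-traffic/https-traffic, and one inspect action left fail-open) and reports those three classes of misconfiguration.

```python
import re

# Constructed sample ASA configuration, condensed from the final configuration
# above, with two deliberate defects for the checker to find: the class-maps
# reference http_traffic/https_traffic while the access-lists are named
# http-traffic/https-traffic, and one inspect action is fail-open.
SAMPLE_CONFIG = """\
access-list http-traffic extended permit tcp any any eq www
access-list https-traffic extended permit tcp any any eq https
class-map http-class
 match access-list http_traffic
class-map https-class
 match access-list https_traffic
policy-map inside-policy
 class http-class
  inspect scansafe http-pmap fail-close
 class https-class
  inspect scansafe https-pmap fail-open
service-policy inside-policy interface inside
"""


def check_scansafe_config(config):
    """Return a list of findings for an ASA ScanSafe (Cloud Web Security) config.

    A class-map naming a non-existent access-list matches nothing, so the web
    traffic it was meant to redirect silently bypasses the towers; an inspect
    action that is not fail-close passes traffic when the towers are down; a
    policy-map never applied with service-policy has no effect at all.
    """
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = set(re.findall(r"^service-policy (\S+) ", config, re.M))
    findings, current_class, current_policy, scansafe_policies = [], None, None, set()
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("class-map "):
            current_class = s.split()[-1]
        elif s.startswith("match access-list "):
            acl = s.split()[-1]
            if acl not in acls:
                findings.append(f"class-map {current_class} references missing access-list {acl}")
        elif s.startswith("policy-map ") and "type inspect" not in s:
            current_policy = s.split()[-1]  # the L3/L4 policy-map, not the scansafe L7 maps
        elif s.startswith("inspect scansafe "):
            scansafe_policies.add(current_policy)
            if not s.endswith(" fail-close"):
                findings.append(f"policy-map {current_policy}: '{s}' is not fail-close")
    for pol in sorted(scansafe_policies - applied):
        findings.append(f"policy-map {pol} has scansafe inspection but no service-policy")
    return findings
```

Run it against the output of show running-config on a real ASA to get the same three checks before assuming web traffic is actually being redirected to the towers.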

Show commands and debugs:

1. show scansafe server


ASA# sh scansafe server

Primary: 70.39.176.3 (REACHABLE)*

Backup: 70.39.231.99

2. debug scansafe 255