Traffic to send to CX

Answered Question
Mar 4th, 2014
Hey Guys, hopefully a quick question. I'm in the process of setting up my first CX module and as of right now, I have all traffic being redirected to the module, from the ASA. Is this a good practice? I've seen other examples where the admin only redirects http and https from the ASA; but I think this will be a problem if users go to a site that uses a non-standard http port, right? Also, if I only send web traffic to CX, I won't be able to see any other application traffic so I'm not sure why other admins are pushing this as a good way to configure CX. What do you guys do in your environments?

Overall Rating: 5 (1 ratings)
Correct Answer
Marvin Rhoads Wed, 03/05/2014 - 06:04
I've seen it done both ways. You are correct regarding the limitations of only sending http and https traffic.


One thing that some customers do is to supplement the CX inspection of the standard ports 80 and 443 used by http and https protocols with a separate policy only allowing the well-known ports outbound (by use of an access-list on the inside interface).
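
The two approaches discussed in this thread, written out as ASA configuration. This is an added example, not configuration posted by either participant. The object names (`CX_ALL`, `CX_WEB`, `CX_WEB_CLASS`, `INSIDE_OUT`), the `fail-open` choice and the DNS entry in the outbound list are assumptions made for illustration.

```cisco
! Constructed example. Use Option A or Option B, not both.
!
! Option A: redirect all traffic to the CX module (the question's current setup).
class-map CX_ALL
 match any
policy-map global_policy
 class CX_ALL
  ! fail-open is an assumed choice: traffic still passes if the module is down.
  ! fail-close would drop it instead.
  cxsc fail-open
!
! Option B: redirect only the standard web ports to CX ...
access-list CX_WEB extended permit tcp any any eq www
access-list CX_WEB extended permit tcp any any eq https
class-map CX_WEB_CLASS
 match access-list CX_WEB
policy-map global_policy
 class CX_WEB_CLASS
  cxsc fail-open
!
! ... and pair it with an inside-interface ACL that only permits well-known
! ports outbound. The port list here is a sample; adjust it to the environment.
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any any eq https
access-list INSIDE_OUT extended permit udp any any eq domain
! Everything else is denied and logged, so HTTP on a non-standard port is
! blocked at the inside interface instead of leaving without CX inspection.
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

With Option B, the `deny ... log` hits show which non-standard ports users are trying to reach, which helps decide whether a port should be added to both `INSIDE_OUT` and `CX_WEB`.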

Matthew2k4_2 Wed, 03/05/2014 - 11:49
Yes, I think I'll create an ACL to limit the amount of outbound ports to some well known web traffic ports, then apply my CX policy on top of this.


Thanks for confirming
