10-14-2013 05:42 PM - edited 03-08-2019 05:35 PM
I am attempting to implement Cisco's websecurity and the rep helping is of little help. I am fine in getting the web security setup. Websites that match security rules get blocked and so on. Script run to implement is below.
scansafe general-options
 server primary fqdn proxyXXXXXXXXXXXXX
 server backup fqdn proxyXXXXXXXXXXXXX
 retry-count 5
 license XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
policy-map type inspect scansafe http-pmap
 parameters
  http
policy-map type inspect scansafe https-pmap
 parameters
  https
access-list web extended permit tcp any any eq www
access-list https extended permit tcp any any eq https
class-map cmap-http
 match access-list web
class-map cmap-https
 match access-list https
policy-map pmap-webtraffic
 class cmap-http
  inspect scansafe http-pmap fail-close
 class cmap-https
  inspect scansafe https-pmap fail-close
service-policy pmap-webtraffic interface inside
So the problem comes when I try to bypass the scansafe for our internal websites. The script below provided by Cisco does not work. Any assistance with where I am going wrong would be appreciated.
object network internalsite
 fqdn mysite.mydomain.com
object network internalsite1
 fqdn mysite1.mydomain.com
object-group network Website_whitelist
 network-object object internalsite
 network-object object internalsite1
no access-list web line 1 extended deny tcp any4 object-group Website_whitelist eq www
no access-list https line 1 extended deny tcp any4 object-group Website_whitelist eq https
05-09-2014 06:43 AM
Hi,
Did you try to create a whitelist class-map and use whitelist command under the Scansafe Policy-map?
Here you go:
object network internalsite
 fqdn mysite.mydomain.com
!
object network internalsite1
 fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
 network-object object internalsite
 network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https
class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
 parameters
  http
 class whitelist1
  whitelist
!
policy-map type inspect scansafe https-pmap
 parameters
  https
 class whitelist1
  whitelist
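Added example, not part of the answer above and not Cisco code: a small Python checker that parses an ASA running-config excerpt and verifies the whole bypass chain the answer builds (object network entries, the object-group, permit ACEs referencing it, a class-map type inspect scansafe matching those ACLs, and a class with the whitelist action inside every scansafe policy-map). Run against the question's original policy-maps it reports why the bypass could not work: nothing is whitelisted. Both sample configs are constructed from the two posts; the regular expressions recognise only the command forms used on this page, and the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the answer's whitelist configuration in running-config
# indentation (one space per nesting level, as "show running-config" prints it).
SAMPLE_CONFIG = """\
object network internalsite
 fqdn mysite.mydomain.com
object network internalsite1
 fqdn mysite1.mydomain.com
object-group network Website_whitelist
 network-object object internalsite
 network-object object internalsite1
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https
class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
policy-map type inspect scansafe http-pmap
 parameters
  http
 class whitelist1
  whitelist
policy-map type inspect scansafe https-pmap
 parameters
  https
 class whitelist1
  whitelist
"""

# Constructed sample: the question's scansafe policy-maps, which send everything
# to the cloud proxy and never reference a whitelist class.
BROKEN_CONFIG = """\
policy-map type inspect scansafe http-pmap
 parameters
  http
policy-map type inspect scansafe https-pmap
 parameters
  https
"""


def parse_asa(config):
    """Collect the pieces of the whitelist chain from an ASA config text."""
    objects, groups = set(), defaultdict(set)
    acls, classes, pmaps = defaultdict(list), defaultdict(set), defaultdict(list)
    kind = name = cur_class = None  # the top-level block currently being parsed
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue
        if line[0] != " ":  # unindented line: a new top-level command
            kind = name = cur_class = None
            if m := re.match(r"object network (\S+)$", text):
                objects.add(m[1])
            elif m := re.match(r"object-group network (\S+)$", text):
                kind, name = "group", m[1]
                groups[name]  # register the group even if it stays empty
            elif m := re.match(r"access-list (\S+) extended (permit|deny) tcp \S+ object-group (\S+)", text):
                acls[m[1]].append((m[2], m[3]))  # (action, object-group)
            elif m := re.match(r"class-map type inspect scansafe match-any (\S+)$", text):
                kind, name = "class", m[1]
                classes[name]
            elif m := re.match(r"policy-map type inspect scansafe (\S+)$", text):
                kind, name = "pmap", m[1]
                pmaps[name]
        elif kind == "group" and (m := re.match(r"network-object object (\S+)$", text)):
            groups[name].add(m[1])
        elif kind == "class" and (m := re.match(r"match access-list (\S+)$", text)):
            classes[name].add(m[1])
        elif kind == "pmap" and (m := re.match(r"class (\S+)$", text)):
            cur_class = m[1]
        elif kind == "pmap" and cur_class and text == "whitelist":
            pmaps[name].append((cur_class, "whitelist"))
    return objects, groups, acls, classes, pmaps


def check_whitelist(config):
    """Return sorted problems that would stop the bypass; [] means the chain is complete."""
    objects, groups, acls, classes, pmaps = parse_asa(config)
    problems = set()
    if not pmaps:
        problems.add("no scansafe policy-map found")
    for pmap, actions in pmaps.items():
        whitelisted = [cls for cls, action in actions if action == "whitelist"]
        if not whitelisted:
            problems.add(f"policy-map {pmap}: no class with the whitelist action")
        for cls in whitelisted:
            if cls not in classes:
                problems.add(f"policy-map {pmap}: {cls} is not a scansafe class-map")
                continue
            if not classes[cls]:
                problems.add(f"class-map {cls}: matches no access-list")
            for acl in classes[cls]:
                for action, group in acls.get(acl, [("missing", None)]):
                    if action == "missing":
                        problems.add(f"class-map {cls}: access-list {acl} has no object-group ACE")
                    elif action != "permit":
                        problems.add(f"access-list {acl}: whitelist ACE must permit, found {action}")
                    elif group not in groups:
                        problems.add(f"access-list {acl}: object-group {group} is undefined")
                    elif not groups[group]:
                        problems.add(f"object-group {group}: has no members")
                    else:
                        for member in groups[group] - objects:
                            problems.add(f"object-group {group}: member {member} is undefined")
    return sorted(problems)
```

Paste the output of show running-config into check_whitelist and an empty list confirms that every scansafe policy-map bypasses a class whose ACLs resolve to defined objects; the question's configuration yields one "no class with the whitelist action" line per policy-map. Because fail-close is set in the question's policy, a whitelist that does not resolve means internal sites are still sent to the cloud proxy, so this is the check worth running before and after the change.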