1469 Views, 10 Helpful, 1 Reply

Cloud Web Security via ISR Connector - whitelisting internal websites

Doug Charboneau (Level 1)

I am attempting to implement Cisco's web security and the rep helping is of little help. I am fine in getting the web security set up. Websites that match security rules get blocked and so on. The script run to implement it is below.

! Cloud Web Security (ScanSafe) tower settings and license
scansafe general-options
 server primary fqdn proxyXXXXXXXXXXXXX
 server backup fqdn proxyXXXXXXXXXXXXX
 retry-count 5
 license XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
! One inspection policy per protocol
policy-map type inspect scansafe http-pmap
 parameters
  http
!
policy-map type inspect scansafe https-pmap
 parameters
  https
!
! L3/L4 ACLs that select the traffic to redirect
access-list web extended permit tcp any any eq www
access-list https extended permit tcp any any eq https
!
class-map cmap-http
 match access-list web
class-map cmap-https
 match access-list https
!
! fail-close: if no tower is reachable, matching traffic is dropped
! rather than passed through unfiltered
policy-map pmap-webtraffic
 class cmap-http
  inspect scansafe http-pmap fail-close
 class cmap-https
  inspect scansafe https-pmap fail-close
!
service-policy pmap-webtraffic interface inside


So the problem comes when I try to bypass ScanSafe for our internal websites. The script below, provided by Cisco, does not work. Any assistance with where I am going wrong would be appreciated.

object network internalsite
 fqdn mysite.mydomain.com
!
object network internalsite1
 fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
 network-object object internalsite
 network-object object internalsite1
!
no access-list web line 1 extended deny tcp any4 object-group Website_whitelist eq www
no access-list https line 1 extended deny tcp any4 object-group Website_whitelist eq https

Accepted Solution

Hi,

Did you try to create a whitelist class-map and use the whitelist command under the ScanSafe policy-map?

Here you go:

object network internalsite
 fqdn mysite.mydomain.com
!
object network internalsite1
 fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
 network-object object internalsite
 network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https
!
class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
 parameters
  http
 class whitelist1
  whitelist
!
policy-map type inspect scansafe https-pmap
 parameters
  https
 class whitelist1
  whitelist

View solution in original post
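
As an added example, not from the original poster or the answer above: the exemption can also be done at the L3/L4 class-map, which is what the script in the question was aiming for. On the ASA a deny ACE in the ACL that a class-map matches keeps the flow out of that class entirely, so it is never handed to "inspect scansafe"; the "no" prefix on those two lines in the question removes an ACE rather than adding one. The block below assumes the Website_whitelist object-group and the web/https ACLs from the question, uses a placeholder DNS server (10.0.0.53, an assumption) because fqdn objects only match once the ASA has resolved them, and ends with the show commands used to check the result.

```cisco
! --- prerequisite: the ASA must be able to resolve the fqdn objects ---
! 10.0.0.53 and the interface name "inside" are assumptions for this example
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.53
 domain-name mydomain.com
!
! --- exemption at the L3/L4 class-map ---
! "line 1" places the deny ahead of the existing "permit tcp any any" ACE.
! Flows that hit a deny ACE are not classified into cmap-http/cmap-https,
! so they are never redirected to the tower. No "no" prefix here:
! "no access-list ..." deletes an ACE.
access-list web line 1 extended deny tcp any object-group Website_whitelist eq www
access-list https line 1 extended deny tcp any object-group Website_whitelist eq https
!
! --- verification, from privileged EXEC after the change ---
! resolved addresses for the fqdn objects (an unresolved object matches nothing)
show dns-hosts
! deny ACE listed first, hit counts increase when an internal site is browsed
show access-list web
show access-list https
! tower reachability and the number of sessions redirected or exempted
show scansafe server
show scansafe statistics
! per-class counters for the inspect action
show service-policy inspect scansafe
```

Two caveats apply to either method. An fqdn object is matched on the addresses the ASA resolved for it, not on the HTTP Host header or TLS SNI, so every site that shares those addresses is exempted along with it; keep the list to internal addresses you control. And with fail-close on both inspect actions, anything that does not hit the exemption is dropped when no tower is reachable, which is the intended posture but means a broken exemption shows up as an outage for that site rather than as unfiltered traffic.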
