Cloud Web Security via ISR Connector - whitelisting internal websites

I am attempting to implement Cisco's web security and the rep helping is of little help. I am fine in getting the web security set up. Websites that match security rules get blocked and so on. Script run to implement is below.

scansafe general-options
server primary fqdn proxyXXXXXXXXXXXXX
server backup fqdn proxyXXXXXXXXXXXXX

retry-count 5
license XXXXXXXXXXXXXXXXXXXXXXXXXXXXX


policy-map type inspect scansafe http-pmap
parameters
http

policy-map type inspect scansafe https-pmap
parameters
https


access-list web extended permit tcp any any eq www

access-list https extended permit tcp any any eq https

class-map cmap-http
match access-list web

class-map cmap-https
match access-list https

policy-map pmap-webtraffic
class cmap-http
inspect scansafe http-pmap fail-close
class cmap-https
inspect scansafe https-pmap fail-close

service-policy pmap-webtraffic interface inside

So the problem comes when I try to bypass the scansafe for our internal websites. The script below provided by Cisco does not work. Any assistance with where I am going wrong would be appreciated.

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
no access-list web line 1 extended deny tcp any4 object-group Website_whitelist eq www
no access-list https line 1 extended deny tcp any4 object-group Website_whitelist eq https

1 ACCEPTED SOLUTION

Hi,

Did you try to create a whitelist class-map and use the whitelist command under the Scansafe policy-map?

Here you go:

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https

class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
 parameters
  http
 class whitelist1
  whitelist
!
policy-map type inspect scansafe https-pmap
 parameters
  https
 class whitelist1
  whitelist
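A way to sanity-check a whitelist of this shape before relying on it, as an added example that is not part of the thread and not a Cisco tool: a small Python checker that parses the statement forms used above (object, object-group, access-list, the scansafe class-map and policy-maps, and the inspect scansafe lines of the layer 3/4 policy-map) and reports whether each scansafe policy-map that is actually inspected carries a whitelist class whose ACLs reach the internal object-group on that policy-map's port. The sample configuration is constructed from the two snippets in this thread (one FQDN object is enough to exercise it); the parser deliberately models only the statements seen here.

```python
"""Added example (not from the thread): checks that every scansafe policy-map applied
via 'inspect scansafe' carries a 'whitelist' class whose ACLs reach the internal group."""
import re

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) tcp \S+ (?:object-group (\S+)|\S+) eq (www|https)$")
PORT_FOR_PROTO = {"http": "www", "https": "https"}

def parse_config(text):
    """Collect objects, groups, ACEs, scansafe class-maps/policy-maps and the policy-maps inspected."""
    cfg = {"objects": {}, "groups": {}, "acls": {}, "classmaps": {},
           "policymaps": {}, "inspected": set()}
    section = None  # (kind, container) of the block the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        words = line.split()
        ace = ACE_RE.match(line)
        if ace:  # one ACE, stored as (action, destination object-group or None, port)
            acl, action, dst_group, port = ace.groups()
            cfg["acls"].setdefault(acl, []).append((action, dst_group, port))
            section = None
        elif line.startswith("object network "):
            section = ("object", words[2])
        elif line.startswith("object-group network "):
            section = ("group", cfg["groups"].setdefault(words[2], []))
        elif line.startswith("class-map type inspect scansafe "):
            section = ("classmap", cfg["classmaps"].setdefault(words[-1], []))
        elif line.startswith("policy-map type inspect scansafe "):
            section = ("spmap", cfg["policymaps"].setdefault(
                words[-1], {"proto": None, "whitelist": [], "cls": None}))
        elif words[0] == "policy-map":  # layer 3/4 policy-map that may call inspect scansafe
            section = ("l3pmap", None)
        elif words[0] in ("access-list", "class-map", "object", "object-group", "scansafe", "service-policy"):
            section = None  # top-level statement this checker does not model
        elif section is not None:
            kind, target = section
            if kind == "object" and words[0] == "fqdn":
                cfg["objects"][target] = words[1]
            elif kind == "group" and line.startswith("network-object object "):
                target.append(words[2])
            elif kind == "classmap" and line.startswith("match access-list "):
                target.append(words[2])
            elif kind == "spmap" and line in PORT_FOR_PROTO:
                target["proto"] = line
            elif kind == "spmap" and words[0] == "class":
                target["cls"] = words[1]
            elif kind == "spmap" and line == "whitelist" and target["cls"]:
                target["whitelist"].append(target["cls"])
            elif kind == "l3pmap" and line.startswith("inspect scansafe "):
                cfg["inspected"].add(words[2])
    return cfg

def lint_whitelist(cfg, group):
    """Return findings; an empty list means the whitelist is complete for the group."""
    findings = [f"object {o} has no fqdn" for o in cfg["groups"].get(group, [])
                if o not in cfg["objects"]]
    for name in sorted(cfg["inspected"]):
        pm = cfg["policymaps"].get(name, {"proto": None, "whitelist": []})
        port = PORT_FOR_PROTO.get(pm["proto"])
        if port is None:
            findings.append(f"policy-map {name} is undefined or lacks http/https under parameters")
        elif not pm["whitelist"]:
            findings.append(f"policy-map {name} has no class with the whitelist action")
        elif not any(a == "permit" and g == group and p == port
                     for cls in pm["whitelist"]
                     for acl in cfg["classmaps"].get(cls, [])
                     for a, g, p in cfg["acls"].get(acl, [])):
            findings.append(f"whitelist on {name} never matches tcp/{port} to {group}")
    return findings

# Constructed sample: the asker's inspection policy plus the accepted answer's whitelist.
SAMPLE_CONFIG = """
policy-map pmap-webtraffic
 class cmap-http
  inspect scansafe http-pmap fail-close
 class cmap-https
  inspect scansafe https-pmap fail-close
object network internalsite
 fqdn mysite.mydomain.com
object-group network Website_whitelist
 network-object object internalsite
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https
class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
policy-map type inspect scansafe http-pmap
 parameters
  http
 class whitelist1
  whitelist
policy-map type inspect scansafe https-pmap
 parameters
  https
 class whitelist1
  whitelist
"""
# The same config with the whitelist class left off the HTTPS policy-map.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("  https\n class whitelist1\n  whitelist\n", "  https\n")
```

Run it with `lint_whitelist(parse_config(text), "Website_whitelist")` on the text of a `show running-config` export; on the sample it returns an empty list, and on the broken variant it reports that https-pmap has no whitelist class, which is the kind of half-applied change that leaves HTTPS to internal sites still redirected while HTTP bypasses. The checker only reads configuration text: it cannot tell whether the fqdn objects actually resolve, which on the ASA requires DNS lookup to be configured, so confirm that on the device as well.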
