Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
2
Replies

Traffic to send to CX

Go to solution
Matthew2k4_2
Level 1
Level 1

‎03-04-2014 10:52 PM - edited ‎03-11-2019 08:53 PM

Hey Guys, hopefully a quick question. I'm in the process of setting up my first CX module and as of right now, I have all traffic being redirected to the module, form the ASA. Is this a good practice? I've seen other examples where the admin only redirects http and https from the ASA; but I think this will be a problem if users go to a site that uses a non-standard http port, right? Also, if I only send web traffic to CX, I won't be able to see any other application traffic so I'm not sure why other admins are pushing this as a good way to configure CX. What do you guys do in your environments?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-05-2014 06:04 AM

I've seen it done both ways. You are correct regarding the limitaitons of only sending http and https traffic.

One thing that some customers do is to supplement the CX inspection of the standard ports 80 and 443 used by http and https protocols with a separate policy only allowing the well-known ports outbound (by use of an access-list on the inside interface).

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-05-2014 06:04 AM

I've seen it done both ways. You are correct regarding the limitaitons of only sending http and https traffic.

One thing that some customers do is to supplement the CX inspection of the standard ports 80 and 443 used by http and https protocols with a separate policy only allowing the well-known ports outbound (by use of an access-list on the inside interface).

0 Helpful

Go to solution
Matthew2k4_2
Level 1
Level 1
In response to Marvin Rhoads

‎03-05-2014 11:49 AM

Yes, I think I'll create an ACL to limit the amount of outbound ports to some well known web traffic ports, then apply my CX policy on top of this.

Thanks for confirmnig

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card