Community Member

Traffic to send to CX

Hey Guys, hopefully a quick question. I'm in the process of setting up my first CX module and as of right now, I have all traffic being redirected to the module, from the ASA. Is this a good practice? I've seen other examples where the admin only redirects http and https from the ASA; but I think this will be a problem if users go to a site that uses a non-standard http port, right? Also, if I only send web traffic to CX, I won't be able to see any other application traffic so I'm not sure why other admins are pushing this as a good way to configure CX. What do you guys do in your environments?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

I've seen it done both ways. You are correct regarding the limitations of only sending http and https traffic.

One thing that some customers do is to supplement the CX inspection of the standard ports 80 and 443 used by http and https protocols with a separate policy only allowing the well-known ports outbound (by use of an access-list on the inside interface).

Community Member

Yes, I think I'll create an ACL to limit the amount of outbound ports to some well known web traffic ports, then apply my CX policy on top of this.

Thanks for confirming
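
The approach discussed in this thread, sketched as ASA configuration: an added example, not taken from any of the posts above. The ACL, object-group and class-map names are hypothetical, and the DNS permit and the choice of `fail-open` are assumptions to adapt to the environment.

```cisco
! Added example; INSIDE_IN, WEB_PORTS and CX_CLASS are hypothetical names.

! 1. Inside-interface ACL: only well-known web ports may leave the network,
!    so web traffic on non-standard ports is dropped instead of bypassing
!    an http/https-only CX redirect.
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
access-list INSIDE_IN extended permit tcp any any object-group WEB_PORTS
! Assumption: clients still need DNS; narrow this to your resolvers.
access-list INSIDE_IN extended permit udp any any eq domain
! Explicit deny with logging, so blocked ports show up in syslog.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! 2. CX redirection applied on top: everything the ACL permits is sent
!    to the module, which keeps application visibility for that traffic.
class-map CX_CLASS
 match any
policy-map global_policy
 class CX_CLASS
  ! fail-open passes traffic if the CX module is down; use fail-close
  ! if uninspected traffic must never pass.
  cxsc fail-open
service-policy global_policy global
```

The deny entries logged by the `INSIDE_IN` ACL show which non-standard ports users are actually trying to reach, which helps decide whether any of them should be added to `WEB_PORTS`.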
