Deploying ASA with CX module as a Cisco Cloud Web Security (CWS) Connector
This document describes how to use the Cisco Adaptive Security Appliance (ASA) with the Context Aware (CX) module, also termed the Next Generation Firewall, together with the Cisco Cloud Web Security (CWS) Connector.
Components Used / Scope
This example shows the following areas of technology and products:
Cisco ASA 5500-X Series Adaptive Security Appliances provide Internet edge firewall security and intrusion prevention.
Cisco Cloud Web Security provides granular control over all web content that is accessed.
The ASA CX module can cover both the Content Security and the Intrusion Prevention requirement, depending on the license features enabled on the ASA CX. Cloud Web Security is not supported with the ASA CX module: if you configure both the ASA CX action and Cloud Web Security inspection for the same traffic flow, the ASA performs only the ASA CX action. To use the CWS features for web security, the web traffic must therefore be excluded from the match statement (access list) of the ASA CX class. Typically, in such a scenario, customers use CWS for Web Security and AVC (tcp/80 and tcp/443) and the CX module for all other ports.
3DES/AES License on ASA (Free license)
Valid CWS service / License to use CWS for the required number of users
Access to ScanCenter Portal to generate the Authentication Key
The match default-inspection-traffic command does not include the default ports for Cloud Web Security inspection (80 and 443), so the CWS classes need their own match statements (the access lists below).
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions. When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a policy on another interface; only the first policy is used.
Interface service policies take precedence over the global service policy for a given feature.
The maximum number of policy maps is 64, but you can only apply one policy map per interface.
Traffic Flow for ASA & CWS
User requests URL via the web browser
Traffic is sent to the ASA to go out to the Internet. The ASA performs the required NAT and, based on the protocol (HTTP or HTTPS), matches the flow against the inside interface policy and redirects it to Cisco CWS.
CWS analyzes the request based on the configuration done in the ScanCenter portal and, if policy permits, forwards the request to the approved site.
CWS inspects the returned traffic and redirects it to the ASA.
Based on the session flow it maintains, the ASA returns the traffic to the requesting user.
Traffic Flow for ASA & CX
All traffic other than HTTP and HTTPS is configured to match the ASA CX class for inspection and is redirected to the CX module over the ASA backplane.
ASA CX inspects traffic based on the policies configured and takes required allow/block/alert action
Access list to match all Internet-bound web (tcp/80) traffic and exclude all internal (RFC 1918 destination) traffic. The deny entries make those flows not match the class; they do not drop anything.
!ASA CWS HTTP Match
access-list cws-www extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-www extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-www extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-www extended permit tcp any4 any4 eq www
Access list to match all Internet-bound HTTPS (tcp/443) traffic and exclude all internal traffic.
!ASA CWS HTTPS Match
access-list cws-https extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-https extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-https extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-https extended permit tcp any4 any4 eq https
Access list (asa-cx) to match everything else: all internal traffic and all other ports, excluding the Internet-bound tcp/80 and tcp/443 flows that are handed to CWS. Its body is not shown on this page; it must deny the flows that cws-www and cws-https permit, otherwise those flows get the CX action and never reach CWS.
Class map configuration to match traffic for both CWS and CX. The class-map names are omitted on this page; each match statement below belongs to its own class map.
! Match HTTPS traffic for CWS
match access-list cws-https
! Match HTTP traffic for CWS
match access-list cws-www
! Match traffic for ASA CX
match access-list asa-cx
Policy map configuration to associate actions with the class maps created above
! Inspection policy map to configure essential parameters for the rules and optionally identify the whitelist for HTTP traffic
policy-map type inspect scansafe http-pmap
default group cws_default
! Inspection policy map to configure essential parameters for the rules and optionally identify the whitelist for HTTPS traffic
policy-map type inspect scansafe https-pmap
default group cws_default
! Interface policy (cws_policy) local to the inside interface. fail-open passes web traffic unfiltered when the CWS towers are unreachable; fail-close drops it instead.
inspect scansafe http-pmap fail-open
inspect scansafe https-pmap fail-open
! Global policy (global_policy) carrying the ASA CX action for the asa-cx class (the CX class and action lines are not shown on this page)
Activate the global policy (CX) and the interface policy (CWS) on the inside interface:
service-policy global_policy global
service-policy cws_policy inside
[Note: In this example, web traffic is assumed to originate only from the inside security zone. You can use interface policies on all interfaces where web traffic is expected, or use the same classes within the global policy. This is only to demonstrate the functioning of CWS and the use of MPF to support the requirement.]
Enable CWS on the ASA (no different from a CWS-only deployment; these lines go under scansafe general-options):
server primary ip x1.x1.x1.x1 port 8080
server backup ip x2.x2.x2.x2 port 8080
license xxxxxxxxxxxx
(The encrypted keyword is appended only when re-entering a key that is already in encrypted form, as it appears in a saved configuration; a fresh authentication key from ScanCenter is entered in the clear.)
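The fragments above assembled into one coherent configuration, as an added example that is not part of the original page. It supplies the lines the page leaves out: the asa-cx access list body, the class-map names (cws-http-class, cws-https-class and asa-cx-class are assumptions), the parameters and protocol keywords of the scansafe inspection policy maps, and the cxsc action in the global policy. The CWS server addresses and the license key stay as the page's placeholders.

```cisco
! 1. CWS match ACLs: RFC 1918 destinations are denied so internal web
!    traffic stays off CWS; only Internet-bound tcp/80 and tcp/443 match.
access-list cws-www extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-www extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-www extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-www extended permit tcp any4 any4 eq www
!
access-list cws-https extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-https extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-https extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-https extended permit tcp any4 any4 eq https
!
! 2. CX match ACL (assumed; the page only describes it). Internal traffic
!    is permitted first so internal web flows go to CX, the two denies
!    remove exactly the Internet-bound flows that CWS handles, and the
!    final permit catches every other port. No flow matches both a CWS
!    class and this class, so the "CX action wins" rule never bites.
access-list asa-cx extended permit ip any4 10.0.0.0 255.0.0.0
access-list asa-cx extended permit ip any4 172.16.0.0 255.240.0.0
access-list asa-cx extended permit ip any4 192.168.0.0 255.255.0.0
access-list asa-cx extended deny tcp any4 any4 eq www
access-list asa-cx extended deny tcp any4 any4 eq https
access-list asa-cx extended permit ip any4 any4
!
! 3. Class maps (names assumed)
class-map cws-http-class
 match access-list cws-www
class-map cws-https-class
 match access-list cws-https
class-map asa-cx-class
 match access-list asa-cx
!
! 4. Scansafe inspection policy maps: the protocol keyword (http/https)
!    and the default ScanCenter group sent with the request
policy-map type inspect scansafe http-pmap
 parameters
  default group cws_default
  http
policy-map type inspect scansafe https-pmap
 parameters
  default group cws_default
  https
!
! 5. Interface policy for CWS. fail-open passes web traffic unfiltered
!    when both towers are unreachable; fail-close drops it instead.
policy-map cws_policy
 class cws-http-class
  inspect scansafe http-pmap fail-open
 class cws-https-class
  inspect scansafe https-pmap fail-open
!
! 6. Global policy: add the CX class to the existing global_policy
!    (its inspection_default class is left as it is).
policy-map global_policy
 class asa-cx-class
  cxsc fail-open
!
service-policy global_policy global
service-policy cws_policy inside
!
! 7. Cloud Web Security connector settings (placeholders as on the page;
!    a fresh key from ScanCenter is entered without the encrypted keyword)
scansafe general-options
 server primary ip x1.x1.x1.x1 port 8080
 server backup ip x2.x2.x2.x2 port 8080
 retry-count 5
 license xxxxxxxxxxxx
```

The interface policy takes precedence over the global policy for the scansafe feature, and cxsc is a separate feature, so the two policies do not compete: a flow is either a CWS flow (matched on inside) or a CX flow (matched globally), decided by the three access lists. Existing connections keep their original classification until they are cleared.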
To ensure that all connections use the new policy, disconnect the current connections so that they reconnect under it (see the clear conn and clear local-host commands).
Use the command "show scansafe statistics" to verify that the service is enabled and that the ASA is redirecting traffic. Subsequent attempts show the session counts, current sessions and bytes transferred incrementing:
csaxena-cws-asa# sho scansafe statistics
Current HTTP sessions : 0
Current HTTPS sessions : 0
Total HTTP Sessions : 1091
Total HTTPS Sessions : 5893
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 0
Total Bytes In : 473598 Bytes
Total Bytes Out : 1995470 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 10/23/11
HTTPS session Connect Latency in ms(min/max/avg) : 10/190/11
Use the command "show service-policy" to see the packet counters increment on the CWS classes (inside) and on the CX class (global).
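A short verification sequence that confirms the split between CWS and CX flows before the statistics are trusted, as an added example that is not part of the original page. The inside host 192.168.1.10 and the destinations 203.0.113.5 (Internet) and 10.20.30.40 (internal) are constructed addresses for the check; the commands are standard ASA CLI.

```cisco
! Are the CWS towers reachable from the ASA at all? With fail-open configured,
! an unreachable tower silently passes web traffic unfiltered, so check this first.
show scansafe server
!
! Internet-bound HTTP from an inside host: the listed phases should include
! the scansafe inspection from cws_policy.
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.5 80
!
! Internal HTTP to an RFC 1918 host: it must NOT show scansafe inspection;
! this flow belongs to the CX class in global_policy.
packet-tracer input inside tcp 192.168.1.10 40001 10.20.30.40 80
!
! Per-class packet counters: CWS classes on inside, CX class in the global policy
show service-policy interface inside
show service-policy global
!
! Connections that were built before the policy change keep their old
! classification; clear them so they re-match on reconnect.
show conn address 192.168.1.10
clear conn address 192.168.1.10
!
! Redirection counters, now expected to increment for the Internet-bound flow only
show scansafe statistics
```

If the second packet-tracer shows scansafe inspection, the asa-cx access list does not exclude the flow correctly and the CWS exclusions (or the class order) need to be revisited.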