Cisco Support Community

FAQ: Integrating Cisco Cloud Web Security with ASA


Introduction

During the live webcast delivered by Maite Cadenas on June 24, 2014, she explained how to integrate Cisco Cloud Web Security (CWS) with Cisco Adaptive Security Appliance (ASA). Maite also took the audience through how Cisco ASA works with Cisco CWS, the steps required, and the considerations to take into account in order to deploy Cisco CWS with Cisco ASA.

General Questions

Q: We have a few applications working on ports 8443, 8080 and 8081, so for them, is it not possible to redirect to the cloud?

A: There is a list of a few standard ports that are supported, apart from 80 and 443. 8443 and 8080 are supported. We actually use 8080 to redirect all our traffic to the cloud proxies. Traffic originally requested over 8081 would also be supported.

Q: Will this presentation be available on demand?

A: Yes, you can download the slides here:

Slides: https://supportforums.cisco.com/document/12239736/integrating-cisco-cloud-web-security-asa-slides-live-webcast

Q: Is CDA free?

A: Yes CDA is free.

CDA installation Guide

CDA Download

CDA Release Note

CDA Configuration Guide

CDA Command Reference

ASA

Q: Can you tunnel a device on the inside of a network via another device?

A: Yes, you can tunnel the web traffic via another device, as long as the ASA is receiving the web traffic, it will be redirected to the cloud.

Q: So CWS is a kind of proxy installed on the ASA box?

A: ASA is only redirecting web traffic to CWS; the proxy itself is on CWS.

Q: What is the difference between implementing CCWS with ASA/ISR G2 or WSA?

A:

  1. https://supportforums.cisco.com/document/125616/asa-scansafe-step-step-configuration
  2. https://supportforums.cisco.com/document/147696/ios-scansafe-step-step-configuration

There isn't really much difference, as they all perform the same functionality. However, ISR and ASA are inline devices, so they are transparent to the users as the traffic is already going through them. WSA is an explicit proxy, or transparent with WCCP.

Also the way that auth is performed is different between the devices. See the posted links for full details.

  1. https://supportforums.cisco.com/document/12110031/cisco-cloud-web-security-cws-isr-g2-faq
  2. https://supportforums.cisco.com/document/12116936/configuring-and-troubleshooting-ip-admissions-and-ldap-isrs-web-redirection

Q: Are enhancements under way for IPv6 support and ASA cluster? Any date?

A: ASA clustering supports IPv6 today.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html

IPv6 Guidelines: Supports IPv6. However, the cluster control link is only supported using IPv4. There is currently no enhancement request to support ASA cluster with CWS.

Q: Can CWS handle http and https traffic on non standard ports?

A: Yes, CWS supports only standard http and https ports. Other traffic isn't redirected to the cloud. Please use the link below:

https://supportforums.cisco.com/document/12110031/cisco-cloud-web-security-cws-isr-g2-faq#what-ports-are-tower-allowed-outgoing-ports-

Q: It's being said that the maximum number of users with the ASA505 is 25. Is this a recommended deployment, or will CWS know the model and automatically block the 26th user?

A: This is the recommended number of users. It will not block the 26th user; you might see slight latency if you have a higher number than the recommended number.

Q: How do I get to the ATE?

A: https://supportforums.cisco.com/discussion/12239731/ask-expert-integrating-cisco-cloud-web-security-adaptive-security-appliance 

Version history: Revision 1 of 1. Last update: 06-26-2014 11:10 AM