I had the opportunity to do a proof-of-concept (POC) for Cisco Cloud Web Security (CWS), formerly known as Scansafe, and for Sourcefire, which is Cisco's Next-Generation Intrusion Prevention System (NGIPS).
I did CWS first, which is Cisco's web filtering delivered as a Software-as-a-Service (SaaS) cloud solution. It allows companies with existing ASA firewalls and ISR G2 routers (called CWS connectors) to redirect web traffic (HTTP and HTTPS) to Cisco's security cloud. I was given a 1.5-month evaluation license.
CWS is a huge topic in the SITCS (300-207) exam, and I'm glad I was able to set one up. It also pushed me to take SITCS and complete my CCNP Security certification.
ciscoasa# show run dns // ENSURE ASA CAN DNS QUERY SCANSAFE PROXY SERVERS
dns domain-lookup outside
dns domain-lookup inside
DNS server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name sg.net
ciscoasa# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.196.174, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ciscoasa(config)# scansafe ?
configure mode commands/options:
general-options To configure the Scansafe server and licence related details
ciscoasa(config)# scansafe general-options
ciscoasa(cfg-scansafe)# ?
Scansafe general-options configuration commands:
license Specify the scansafe server license provided to you.
no Negate a command or set its defaults
publickey Specify the location of the scansafe public key file
retry-count Specify the number of consecutive attempts to be made before
declaring the server dead
server Specify the scansafe server address and port
ciscoasa(cfg-scansafe)# server ?
scansafe mode commands/options:
backup Specify the address of the backup/secondary scansafe server
primary Specify the address of the primary scansafe server
ciscoasa(cfg-scansafe)# server primary ?
scansafe mode commands/options:
fqdn Specify fully qualified domain name
ip Specify IP address
ciscoasa(cfg-scansafe)# server primary fqdn ?
scansafe mode commands/options:
WORD < 65 char fully-qualified domain name
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net ?
scansafe mode commands/options:
port Specify the server port to which web traffic must be redirected to.
<cr>
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net port ?
scansafe mode commands/options:
<0-65535> Port number for web traffic
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net port 8080 // USE FQDN SINCE THE NEAREST/LOCAL POP PROXY SERVER (SCANSAFE TOWER) WILL BE USED; PROXY SERVER IP MIGHT ALSO CHANGE
ciscoasa(cfg-scansafe)# server backup fqdn access615.cws.sco.cisco.com ?
scansafe mode commands/options:
port Specify the server port to which web traffic must be redirected to.
<cr>
ciscoasa(cfg-scansafe)# server backup fqdn access615.cws.sco.cisco.com port 8080
ciscoasa(cfg-scansafe)# retry-count ?
scansafe mode commands/options:
<2-100> Number of attempts to be made
ciscoasa(cfg-scansafe)# retry-count 5
ciscoasa(cfg-scansafe)# license ?
scansafe mode commands/options:
WORD < 65 char 16 byte scansafe license provided to you
ciscoasa(cfg-scansafe)# license B1310A75BE380A5767F21194930C7XYZ // GENERATED FROM ADMIN > AUTHENTICATION > COMPANY KEY > GENERATE
ciscoasa(cfg-scansafe)# exit
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ciscoasa(config)# access-list HTTP ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list HTTP extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list HTTP extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list HTTP extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
X:X:X:X::X/<0-128> Source IPv6 address/prefix
any Abbreviation for source address/mask of
0.0.0.0/0.0.0.0 OR source prefix ::/0
any4 Abbreviation of source address and mask of 0.0.0.0
0.0.0.0
any6 Abbreviation for source prefix ::/0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-security Keyword to specify security object-group for source
object-group-user Keyword to specify user object-group for source
security-group Keyword to specify inline security-group
user Keyword to specify user for source
user-group Keyword to specify user-group for source
ciscoasa(config)# access-list HTTP extended permit tcp any ?
configure mode commands/options:
A.B.C.D Destination IP address
X:X:X:X::X/<0-128> Destination IPv6 address/prefix
any Abbreviation for destination address/mask of
0.0.0.0/0.0.0.0 OR destination prefix ::/0
any4 Abbreviation for destination address and mask of
0.0.0.0 0.0.0.0
any6 Abbreviation for destination prefix ::/0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or
network object-group for destination address
object-group-security Keyword to specify security object-group for
destination
range Port range operator
security-group Keyword to specify inline security-group
ciscoasa(config)# access-list HTTP extended permit tcp any any ?
configure mode commands/options:
eq Port equal to operator
gt Port greater than operator
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
lt Port less than operator
neq Port not equal to operator
object-group Optional service object-group for destination port
range Port range operator
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list HTTP extended permit tcp any any eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nfs
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
ciscoasa(config)# access-list HTTP extended permit tcp any any eq www
ciscoasa(config)# access-list HTTPS extended permit tcp any any eq https
ciscoasa(config)# class-map ?
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
ciscoasa(config)# class-map CMAP-HTTP
ciscoasa(config-cmap)# ?
MPF class-map configuration commands:
description Specify class-map description
exit Exit from MPF class-map configuration mode
help Help for MPF class-map configuration commands
match Configure classification criteria
no Negate or set default values of a command
rename Rename this class-map
ciscoasa(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
ciscoasa(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
ciscoasa(config-cmap)# match access-list HTTP
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map CMAP-HTTPS
ciscoasa(config-cmap)# match access-list HTTPS
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map ?
configure mode commands/options:
WORD < 41 char policy-map name
type Specifies the type of policy-map
ciscoasa(config)# policy-map type ?
configure mode commands/options:
inspect Configure a policy-map of type inspect
ciscoasa(config)# policy-map type inspect ?
configure mode commands/options:
dcerpc Configure a policy-map of type DCERPC
dns Configure a policy-map of type DNS
esmtp Configure a policy-map of type ESMTP
ftp Configure a policy-map of type FTP
gtp Configure a policy-map of type GTP
h323 Configure a policy-map of type H.323
http Configure a policy-map of type HTTP
im Configure a policy-map of type IM
ip-options Configure a policy-map of type IP-OPTIONS
ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU
ipv6 Configure a policy-map of type IPv6
mgcp Configure a policy-map of type MGCP
netbios Configure a policy-map of type NETBIOS
radius-accounting Configure a policy-map of type Radius Accounting
rtsp Configure a policy-map of type RTSP
scansafe Configure a policy-map of type SCANSAFE
sip Configure a policy-map of type SIP
skinny Configure a policy-map of type Skinny
ciscoasa(config)# policy-map type inspect scansafe ?
configure mode commands/options:
WORD < 41 char policy-map name
ciscoasa(config)# policy-map type inspect scansafe HTTP-PMAP
ciscoasa(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
parameters Specify this keyword to enter policy parameters.
rename Rename this policy-map
<cr>
ciscoasa(config-pmap)# parameters ?
mpf-policy-map mode commands/options:
<cr>
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# ?
MPF policy-map parameter configuration commands:
class Policy criteria
default Specify the default user and group name
exit Exit from MPF policy-map parameter configuration submode
help Help for MPF policy-map parameter submode commands
http Specify that the web traffic needs to be redirected to Scansafe
server
https Specify that the ssl traffic needs to be redirected to Scansafe
server
match Specify policy criteria via inline match
no Negate or set default values of a command
quit Exit from MPF policy-map parameter configuration submode
<cr>
ciscoasa(config-pmap-p)# http
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# policy-map type inspect scansafe HTTP-PMAPS
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# https
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# policy-map ?
configure mode commands/options:
WORD < 41 char policy-map name
type Specifies the type of policy-map
ciscoasa(config)# policy-map PMAP-WEBTRAFFIC
ciscoasa(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
rename Rename this policy-map
<cr>
ciscoasa(config-pmap)# class ?
mpf-policy-map mode commands/options:
WORD class-map name
class-default System default class matching otherwise unclassified packets
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
ciscoasa(config-pmap)# class CMAP-HTTP
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
cxsc Send traffic to CXSC blade
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
set Set connection values
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
mgcp
mmp
netbios
pptp
rsh
rtsp
scansafe
sip
skinny
snmp
sqlnet
sunrpc
tftp
waas
xdmcp
ciscoasa(config-pmap-c)# inspect scansafe ?
mpf-policy-map-class mode commands/options:
WORD < 41 char scansafe type policy-map name
ciscoasa(config-pmap-c)# inspect scansafe HTTP-PMAP ?
mpf-policy-map-class mode commands/options:
fail-close If scansafe servers are not reachable then close the connection.
fail-open If scansafe servers are not reachable then open the connection
directly.
<cr>
ciscoasa(config-pmap-c)# inspect scansafe HTTP-PMAP fail-open
ciscoasa(config-pmap-c)# inspect scansafe HTTPS-PMAP fail-open
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy ?
configure mode commands/options:
Available policy-maps:
global_policy
PMAP-WEBTRAFFIC
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC ?
configure mode commands/options:
global Enter this keyword to specify a global policy
interface Enter this keyword to specify an interface policy
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0/2
management Name of interface Management0/0
outside Name of interface GigabitEthernet0/0
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC interface inside
Here are some useful ASA CLI show commands:
ciscoasa# show run scansafe // TO VERIFY SCANSAFE (CWS) CONFIG
!
scansafe general-options
server primary fqdn proxy2332.scansafe.net port 8080
server backup fqdn access615.cws.sco.cisco.com port 8080
retry-count 5
license UqSGYa8xyWWqJ5x1 encrypted
ciscoasa# show scansafe ?
server Show scansafe server status
statistics Show scansafe server statistics
ciscoasa# show scansafe server
Primary: proxy2332.scansafe.net (202.79.203.106) (REACHABLE)* // EQUINIX ASIA IP ADDRESS
Backup: access615.cws.sco.cisco.com (108.171.133.142) // CISCO USA IP ADDRESS
ciscoasa# show scansafe statistics
Current HTTP sessions : 3
Current HTTPS sessions : 11
Total HTTP Sessions : 460
Total HTTPS Sessions : 373
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 0
Total Bytes In : 17331806 Bytes
Total Bytes Out : 2506536 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 4/272/20
HTTPS session Connect Latency in ms(min/max/avg) : 3/272/3
ciscoasa# show conn scansafe
45 in use, 397 most used
TCP outside 209.68.0.123(202.79.203.789):80 inside 10.100.2.47:29861, idle 0:00:01, bytes 3109, flags UFxIO Z
TCP outside 209.68.0.123(202.79.203.789):80 inside 10.100.2.47:27512, idle 0:09:47, bytes 5835, flags UFxIO Z
TCP outside 209.68.0.123(202.79.203.789):80 inside 10.100.2.47:26616, idle 0:21:20, bytes 3592, flags UFxIO Z
TCP outside 216.58.196.456(202.79.203.789):443 inside 10.100.2.47:26647, idle 0:18:09, bytes 4822, flags UFxIO Z
TCP outside 216.58.196.456174(202.79.203.789):443 inside 10.100.2.47:26644, idle 0:18:06, bytes 3673, flags UFxIO Z
TCP outside 216.58.196.456(202.79.203.789):443 inside 10.100.2.47:26642, idle 0:18:08, bytes 3471, flags UFxIO Z
TCP outside 50.31.164.456(202.79.203.789):443 inside 10.100.2.47:27554, idle 0:09:39, bytes 2529, flags UFxIO Z
<OUTPUT TRUNCATED>
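As an added example (not part of the original post), the following Python script audits the CWS-related pieces of an ASA running-config. The sample config is constructed from the transcript above and re-typed in the indented form that show run prints; the script reports what a reviewer checks before calling the redirection done: both towers present, the fail mode of each inspect scansafe action (fail-open means web traffic passes unfiltered while the towers are unreachable), inspect maps that are referenced but never defined, class-maps that are defined but never used, and whether a service-policy actually applies the policy-map.

```python
"""Audit the CWS (Scansafe) pieces of an ASA running-config.

Added example. SAMPLE_CONFIG is constructed from the transcript in this post,
re-typed in the indented form that `show run` prints.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
scansafe general-options
 server primary fqdn proxy2332.scansafe.net port 8080
 server backup fqdn access615.cws.sco.cisco.com port 8080
 retry-count 5
 license UqSGYa8xyWWqJ5x1 encrypted
!
class-map CMAP-HTTP
 match access-list HTTP
class-map CMAP-HTTPS
 match access-list HTTPS
!
policy-map type inspect scansafe HTTP-PMAP
 parameters
  http
policy-map type inspect scansafe HTTP-PMAPS
 parameters
  https
policy-map PMAP-WEBTRAFFIC
 class CMAP-HTTP
  inspect scansafe HTTP-PMAP fail-open
  inspect scansafe HTTPS-PMAP fail-open
!
service-policy PMAP-WEBTRAFFIC interface inside
"""


@dataclass
class CwsConfig:
    servers: dict = field(default_factory=dict)      # role -> "host:port"
    inspect_maps: set = field(default_factory=set)   # scansafe inspect maps defined
    class_maps: set = field(default_factory=set)     # L3/L4 class-maps defined
    used_classes: set = field(default_factory=set)   # class-maps referenced by a policy-map
    inspects: list = field(default_factory=list)     # (policy, class, map, mode)
    applied: dict = field(default_factory=dict)      # policy-map -> "global" / "interface X"


def parse_config(text: str) -> CwsConfig:
    """Single pass over the config; ASA nests sub-mode lines by indentation."""
    cfg = CwsConfig()
    policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():            # top-level line: leave any policy-map context
            policy = cls = None
        if m := re.fullmatch(r"server (primary|backup) (?:fqdn|ip) (\S+) port (\d+)", line):
            cfg.servers[m[1]] = f"{m[2]}:{m[3]}"
        elif m := re.fullmatch(r"policy-map type inspect scansafe (\S+)", line):
            cfg.inspect_maps.add(m[1])
        elif m := re.fullmatch(r"class-map (\S+)", line):
            cfg.class_maps.add(m[1])
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            policy = m[1]
        elif (m := re.fullmatch(r"class (\S+)", line)) and policy:
            cls = m[1]
            cfg.used_classes.add(cls)
        elif (m := re.fullmatch(r"inspect scansafe (\S+)(?: (fail-open|fail-close))?", line)) and cls:
            # No keyword means the ASA default applies; report it as such rather
            # than assuming which mode that is.
            cfg.inspects.append((policy, cls, m[1], m[2] or "default"))
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
            cfg.applied[m[1]] = m[2]
    return cfg


def audit(cfg: CwsConfig) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for role in ("primary", "backup"):
        if role not in cfg.servers:
            findings.append(f"no {role} tower configured")
    for policy, cls, imap, mode in cfg.inspects:
        if mode == "fail-open":
            findings.append(f"{policy}/{cls}: {imap} is fail-open; web traffic "
                            "passes unfiltered if the towers are unreachable")
        if imap not in cfg.inspect_maps:
            findings.append(f"{policy}/{cls}: inspect map {imap} is referenced but not defined")
    for policy in sorted({p for p, *_ in cfg.inspects}):
        if policy not in cfg.applied:
            findings.append(f"policy-map {policy} redirects to CWS but no service-policy applies it")
    for cm in sorted(cfg.class_maps - cfg.used_classes):
        findings.append(f"class-map {cm} is defined but not used by any policy-map")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_config(text))


if __name__ == "__main__":
    for item in audit_text(SAMPLE_CONFIG) or ["no findings"]:
        print("-", item)
```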
This is the CWS portal web page. Upon initial login, it asks you to change to a "complex" password: at least 8 characters, alphanumeric with upper and lower case, and including a special symbol or character. After a successful login, you'll be redirected to the CWS dashboard.
This is where the Scansafe "license" key is generated for configuration on the CWS connector: go to Admin > Authentication > Company Key and click Generate. Copy and paste it into Notepad, or email yourself a copy of the license key.
Before creating the URL policy, you'll create a filter first (MY_FILTER). For domain blocking, I blocked the Cisco, CNN and Facebook websites. This is similar to what we do on the OpenDNS console, except that the inside clients can use any DNS servers. Then create the web filtering policy (MY_POLICY) and apply the filter created earlier. There's also an option to choose a schedule for applying your policy.
An "Access Denied" page is displayed if the domain name matches the URL filter policy.
As a troubleshooting step on the client PC, open a web browser and type whoami.scansafe.net in the address bar to check whether the CWS policies are being applied.
Aside from domain or URL filtering, we could go granular: block web content such as pictures and videos displayed on a website, block Windows Update, and stop the Internet Explorer web browser from being used on client machines.
There are also cool custom reports that can be generated in CWS and exported to either a PDF or CSV file.
TCP outside 209.68.0.123(202.79.203.789):80 inside 10.100.2.47:26616, idle 0:21:20, bytes 3592, flags UFxIO Z
TCP outside 216.58.196.456(202.79.203.789):443 inside 10.100.2.47:26647, idle 0:18:09, bytes 4822, flags UFxIO Z
TCP outside 216.58.196.456174(202.79.203.789):443 inside 10.100.2.47:26644, idle 0:18:06, bytes 3673, flags UFxIO Z
TCP outside 216.58.196.456(202.79.203.789):443 inside 10.100.2.47:26642, idle 0:18:08, bytes 3471, flags UFxIO Z
TCP outside 50.31.164.456(202.79.203.789):443 inside 10.100.2.47:27554, idle 0:09:39, bytes 2529, flags UFxIO Z
<OUTPUT TRUNCATED>
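Because the policy above uses fail-open, an unreachable CWS proxy means web traffic is passed through unfiltered rather than blocked, so the two show commands above are worth polling. The following parser and health check is an added example written for this post, not code from Cisco or the original article; the sample output is constructed to match the format shown above (hostnames from the post, IPs and the HTTPS failure count made up), and the meaning of the trailing asterisk as "currently active server" is an assumption.

```python
import re

# Constructed sample output modelled on the post's 'show scansafe' commands;
# hostnames follow the post, IPs and the HTTPS failure count are made up.
SHOW_SERVER = """\
Primary: proxy2332.scansafe.net (203.0.113.10) (REACHABLE)*
Backup: access615.cws.sco.cisco.com (198.51.100.20)
"""
SHOW_STATS = """\
Total HTTP Sessions : 460
Total HTTPS Sessions : 373
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 2
Total Bytes In : 17331806 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 4/272/20
"""

# Assumption: the trailing '*' marks the server the ASA is currently using.
SERVER_RE = re.compile(r"^(Primary|Backup):\s+(\S+)\s+\(([\d.]+)\)(?:\s+\((\w+)\))?(\*)?")
COUNTER_RE = re.compile(r"^(.+?)\s*:\s*(\d+)")

def parse_servers(text):
    """Map role -> fqdn/ip/state/active from 'show scansafe server'."""
    servers = {}
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            role, fqdn, ip, state, star = m.groups()
            servers[role.lower()] = {"fqdn": fqdn, "ip": ip, "state": state or "UNKNOWN", "active": star == "*"}
    return servers

def parse_counters(text):
    """Map counter name -> int for 'show scansafe statistics' (min/max/avg latency lines skipped)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and "/" not in line:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters

def cws_health(server_text, stats_text):
    """Alerts for conditions under which 'fail-open' silently passes web traffic unfiltered."""
    servers = parse_servers(server_text)
    counters = parse_counters(stats_text)
    alerts = []
    if not any(s["state"] == "REACHABLE" for s in servers.values()):
        alerts.append("no CWS server reachable: with fail-open, web traffic is unfiltered")
    if servers.get("backup", {}).get("active"):
        alerts.append("backup server active: primary proxy is down")
    failed = counters.get("Total Fail HTTP sessions", 0) + counters.get("Total Fail HTTPS sessions", 0)
    if failed:
        alerts.append(f"{failed} sessions failed to reach the proxy")
    return alerts
```

Feed it the real output captured over SSH (or from a syslog-forwarded scheduled `show` command) and raise a ticket on any non-empty alert list.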
This is the CWS portal web page. Upon initial login, it will ask you to change to a "complex" password of at least 8 characters in length, alphanumeric, with upper and lower case letters, and containing a special symbol or character. Upon successful login, you'll be redirected to the CWS dashboard.
This is where the Scansafe "license" key is generated, which is then configured on the CWS connector: go to Admin > Authentication > Company Key and click Generate. Copy and paste it into Notepad, or you could also email a copy of the license key.
Before creating the URL policy, you'll create a filter first (MY_FILTER). For domain blocking, I've blocked the Cisco, CNN and Facebook websites. This is similar to what we do in the OpenDNS console, except that the inside clients can use any DNS servers. Then create the web filtering policy (MY_POLICY) and apply the filter created earlier. There's also an option to choose a schedule for applying your policy.
An "Access Denied" page will be displayed if the domain name matches the URL filter policy.
Below is an example of a client to which the CWS policy was applied. There's a caveat or "gotcha" for HTTPS traffic, and that is the need to create certificates. There are two approaches to generating the CWS certificate: one is a self-signed certificate that is manually deployed to the clients; the other is to generate a Certificate Signing Request (CSR) to obtain and upload a Secure Sockets Layer (SSL) certificate from a third-party Certificate Authority (CA) like Verisign or GoDaddy.
Nice blog! This blog explains Cisco Cloud Web Security (CWS) using an ASA connector. Thank you for sharing.