1-7
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA for Cisco Cloud Web Security
Prerequisites for Cloud Web Security
Prerequisites for Cloud Web Security
(Optional) User Authentication Prerequisites
To send user identity information to Cloud Web Security, configure one of the following on the ASA:
• AAA rules (username only)—See Chapter 1, “Configuring AAA Rules for Network Access.”
• IDFW (username and group)—See Chapter 1, “Configuring the Identity Firewall.”
(Optional) Fully Qualified Domain Name Prerequisites
If you use FQDNs in ACLs for your service policy rule, or for the Cloud Web Security server, you must
configure a DNS server for the ASA according to the “Configuring the DNS Server” section on
page 1-12.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context modes.
In multiple context mode, the server configuration is allowed only in the system, and the service policy
rule configuration is allowed only in the security contexts.
Each context can have its own authentication key, if desired.
Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.
IPv6 Guidelines
Does not support IPv6. See the “IPv4 and IPv6 Support” section on page 1-6.
Additional Guidelines
• Cloud Web Security is not supported with ASA clustering.
• Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL
VPN traffic from the ASA service policy for Cloud Web Security.
• When an interface to the Cloud Web Security proxy servers goes down, output from the show
scansafe server command shows both servers up for approximately 15-25 minutes. This condition
may occur because the polling mechanism is based on the active connection, and because that
interface is down, it shows zero connection, and it takes the longest poll time approach.
• Cloud Web Security is not supported with the ASA CX module. If you configure both the ASA CX
action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX
action.
• Cloud Web Security inspection is compatibile with HTTP inspection for the same traffic. HTTP
inspection is enabled by default as part of the default global policy.
• Cloud Web Security is not supported with extended PAT or any application that can potentially use
the same source port and IP address for separate connections. For example, if two different
connections (targeted to separate servers) use extended PAT, the ASA might reuse the same source
IP and source port for both connection translations because they are differentiated by the separate
destinations. When the ASA redirects these connections to the Cloud Web Security server, it
To Next Page
Loading...
Need help?
General
