8-11
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 8      ASA and Cisco Cloud Web Security
  Configure Cisco Cloud Web Security
hostname(config-object-network)# fqdn tools.cisco.com
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco2 eq 80
hostname(config)# access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80
b. Create a traffic class for each ACL you defined.
hostname(config)# class-map class_name
hostname(config-cmap)# match access-list acl_name
Example
hostname(config)# class-map cws_class1
hostname(config-cmap)# match access-list SCANSAFE_HTTP
hostname(config)# class-map cws_class2
hostname(config-cmap)# match access-list SCANSAFE_HTTPS
Step 3 Create or edit the policy map to redirect the traffic to Cloud Web Security.
a. Add or edit a policy map that sets the actions to take with the class map traffic. In the default 
configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit 
the global_policy, enter global_policy as the policy name. You can only apply one policy to each 
interface or globally.
policy-map name
Example: 
hostname(config)# policy-map global_policy
b. Identify one of the traffic class maps you created for Cloud Web Security inspection.
class name
Example: 
hostname(config-pmap)# class cws_class1 
c. Configure ScanSafe inspection for the class. 
inspect scansafe scansafe_policy_map [fail-open | fail-close]
Where:
• scansafe_policy_map is the ScanSafe inspection policy map. The protocol that map is 
configured for must match the traffic the class map selects: a class that matches port 80 
traffic needs an HTTP inspection policy map, and a class that matches port 443 traffic needs 
an HTTPS inspection policy map.
• Specify fail-open to allow traffic to pass through the ASA if the Cloud Web Security servers 
are unavailable. While the servers are unreachable, that traffic is not filtered by Cloud Web 
Security at all.
• Specify fail-close to drop the traffic matched by this class if the Cloud Web Security servers 
are unavailable. fail-close is the default.
Example: 
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap1 fail-open 
Note If you are editing the default global policy (or any in-use policy) to use a different ScanSafe 
inspection policy map, you must remove the ScanSafe inspection with the no inspect 
scansafe command, and then re-add it with the new inspection policy map name.
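The two caveats in Step 3 (the class map and the ScanSafe inspection policy map must agree on HTTP versus HTTPS, and fail-open lets web traffic bypass filtering during an outage) are easy to get wrong when several classes are added to global_policy over time. The following Python script is an added example, not code from this guide or from Cisco; it lints a constructed ASA configuration excerpt (assumed input, embedded in the script, not from a real device) that puts Steps 2 and 3 together. It assumes the ScanSafe inspection policy map declares its protocol with the http or https command under parameters, as the inspection policy map step earlier in this chapter does, and it only understands the command forms shown in this procedure. In the sample, cws_class2 is deliberately pointed at the HTTP inspection map so the mismatch check fires.

```python
"""Lint an ASA running-config excerpt for Cloud Web Security (ScanSafe) redirection.

Reports two things the configuration procedure warns about:
  1. the port (80/http vs 443/https) permitted by the ACL behind each class must
     match the http/https setting of the ScanSafe inspection map applied to it;
  2. every class using fail-open is listed, because that traffic passes
     unfiltered whenever the Cloud Web Security servers are unreachable.
"""
import re
from collections import defaultdict

# Constructed ASA config excerpt (assumed input, not captured from a device).
# cws_class2 deliberately references the HTTP inspection map to trigger a finding.
SAMPLE_CONFIG = """\
access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
access-list SCANSAFE_HTTP extended deny tcp any4 object cisco2 eq 80
access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80
access-list SCANSAFE_HTTPS extended permit tcp any4 any4 eq 443
class-map cws_class1
 match access-list SCANSAFE_HTTP
class-map cws_class2
 match access-list SCANSAFE_HTTPS
policy-map type inspect scansafe cws_inspect_pmap1
 parameters
  default user user1 group group1
  http
policy-map type inspect scansafe cws_inspect_pmap2
 parameters
  default user user1 group group1
  https
policy-map global_policy
 class cws_class1
  inspect scansafe cws_inspect_pmap1 fail-open
 class cws_class2
  inspect scansafe cws_inspect_pmap1 fail-close
service-policy global_policy global
"""

# TCP port number or ASA port keyword -> protocol expected in the ScanSafe map.
PORT_TO_PROTO = {"80": "http", "www": "http", "443": "https"}


def parse_config(text):
    """Extract ACL ports, class maps, ScanSafe maps and inspect actions from `text`."""
    acl_ports = defaultdict(set)   # ACL name -> destination ports it permits
    cmap_acl = {}                  # class-map name -> ACL it matches
    scansafe_proto = {}            # ScanSafe inspection map -> "http" / "https"
    actions = []                   # (policy-map, class, inspection map, fail mode)
    ctx = None                     # top-level block currently being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # a new top-level command
            ctx = None
            m = re.match(r"access-list (\S+) extended (permit|deny) tcp .* eq (\S+)$", line)
            if m:
                if m.group(2) == "permit":     # deny entries exclude traffic, so ignore them
                    acl_ports[m.group(1)].add(m.group(3))
            elif re.match(r"class-map \S+$", line):
                ctx = ["cmap", line.split()[1]]
            elif re.match(r"policy-map type inspect scansafe \S+$", line):
                ctx = ["ssmap", line.split()[4]]
            elif re.match(r"policy-map \S+$", line):
                ctx = ["pmap", line.split()[1], None]   # third slot: current class
            continue
        if ctx is None:                        # indented line outside a known block
            continue
        if ctx[0] == "cmap" and line.startswith("match access-list "):
            cmap_acl[ctx[1]] = line.split()[2]
        elif ctx[0] == "ssmap" and line in ("http", "https"):
            scansafe_proto[ctx[1]] = line
        elif ctx[0] == "pmap":
            if line.startswith("class "):
                ctx[2] = line.split()[1]
            else:
                m = re.match(r"inspect scansafe (\S+)(?: (fail-open|fail-close))?$", line)
                if m:                          # fail-close is the default when omitted
                    actions.append((ctx[1], ctx[2], m.group(1), m.group(2) or "fail-close"))
    return {"acl_ports": acl_ports, "cmap_acl": cmap_acl,
            "scansafe_proto": scansafe_proto, "actions": actions}


def lint(text):
    """Return human-readable findings for the CWS redirection config in `text`."""
    cfg = parse_config(text)
    findings = []
    for pmap, cls, ssmap, mode in cfg["actions"]:
        acl = cfg["cmap_acl"].get(cls)
        class_protos = {PORT_TO_PROTO.get(p, p) for p in cfg["acl_ports"].get(acl, ())}
        map_proto = cfg["scansafe_proto"].get(ssmap)
        if map_proto is None:
            findings.append(f"{pmap}/{cls}: ScanSafe map {ssmap} sets neither http nor https")
        elif class_protos != {map_proto}:
            findings.append(f"{pmap}/{cls}: protocol mismatch, class matches "
                            f"{sorted(class_protos)} but {ssmap} is {map_proto}")
        if mode == "fail-open":
            findings.append(f"{pmap}/{cls}: fail-open, traffic bypasses Cloud Web Security "
                            f"when its servers are unreachable")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config on the ASA (the sample above can be replaced with a file read). A clean result is an empty list; the fail-open line is informational, since fail-open may be the intended trade-off, but it should be a deliberate choice per class rather than a leftover.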