8-11
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Configure Cisco Cloud Web Security
hostname(config-object-network)# fqdn tools.cisco.com
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco2 eq 80
hostname(config)# access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80
b. Create a traffic class for each ACL you defined.
hostname(config)# class-map class_name
hostname(config-cmap)# match access-list acl_name
Example:
hostname(config)# class-map cws_class1
hostname(config-cmap)# match access-list SCANSAFE_HTTP
hostname(config)# class-map cws_class2
hostname(config-cmap)# match access-list SCANSAFE_HTTPS
Step 3 Create or edit the policy map to redirect the traffic to Cloud Web Security.
a. Add or edit a policy map that sets the actions to take with the class map traffic. In the default
configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit
the global_policy, enter global_policy as the policy name. You can only apply one policy to each
interface or globally.
policy-map name
Example:
hostname(config)# policy-map global_policy
b. Identify one of the traffic class maps you created for Cloud Web Security inspection.
class name
Example:
hostname(config-pmap)# class cws_class1
c. Configure ScanSafe inspection for the class.
inspect scansafe scansafe_policy_map [fail-open | fail-close]
Where:
• scansafe_policy_map is the ScanSafe inspection policy map. Ensure that you match the
protocols in the class and policy maps (both HTTP or HTTPS).
• Specify fail-open to allow traffic to pass through the ASA if the Cloud Web Security servers
are unavailable.
• Specify fail-close to drop all traffic if the Cloud Web Security servers are unavailable. fail-close
is the default.
Example:
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap1 fail-open
Note If you are editing the default global policy (or any in-use policy) to use a different ScanSafe
inspection policy map, you must remove the ScanSafe inspection with the no inspect
scansafe command, and then re-add it with the new inspection policy map name.
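The pieces of Step 2 and Step 3 above are spread across separate snippets; the following puts them together as one configuration sequence, including the remove-and-re-add procedure from the Note. This is an added example, not configuration from the guide. It assumes the network objects cisco1 and cisco2 and the two ScanSafe inspection policy maps were already created in earlier steps, and the names SCANSAFE_HTTPS, cws_inspect_pmap2 and cws_inspect_pmap3 and the contents of the HTTPS ACL are assumptions for illustration.

```text
! Added example (not from the guide). Assumes cisco1, cisco2 and the
! inspection policy maps (policy-map type inspect scansafe) already exist.
!
! Step 2a: match only the traffic to redirect. The deny lines exempt the
! Cisco FQDNs the objects stand for; the HTTPS ACL mirrors the HTTP one on
! port 443 (assumed, since that ACL is defined on an earlier page).
access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
access-list SCANSAFE_HTTP extended deny tcp any4 object cisco2 eq 80
access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80
access-list SCANSAFE_HTTPS extended deny tcp any4 object cisco1 eq 443
access-list SCANSAFE_HTTPS extended deny tcp any4 object cisco2 eq 443
access-list SCANSAFE_HTTPS extended permit tcp any4 any4 eq 443
!
! Step 2b: one class per ACL so HTTP and HTTPS each get the matching
! inspection policy map (the guide requires both sides to agree on protocol).
class-map cws_class1
 match access-list SCANSAFE_HTTP
class-map cws_class2
 match access-list SCANSAFE_HTTPS
!
! Step 3: attach both classes to the default global policy.
! fail-open keeps users online if the towers are unreachable but lets web
! traffic bypass filtering during that window; fail-close is the default and
! is written out explicitly here so the choice is visible in the running config.
policy-map global_policy
 class cws_class1
  inspect scansafe cws_inspect_pmap1 fail-open
 class cws_class2
  inspect scansafe cws_inspect_pmap2 fail-close
!
! Present in the default configuration already; shown for completeness.
service-policy global_policy global
!
! Changing the inspection policy map on an in-use class (the Note above):
! remove the inspection first, then add it back with the new map name.
policy-map global_policy
 class cws_class1
  no inspect scansafe
  inspect scansafe cws_inspect_pmap3 fail-open
```

After applying the policy, show service-policy inspect scansafe confirms the inspect action is attached to each class and counting packets, and the running configuration shows which fail mode is in force per class, which is the setting to review when deciding whether an outage of the service should block or bypass web traffic.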