topic Have you trusted the self in Network Security

ASA 5525 CX module

Aaquib_A1 — Tue, 12 Mar 2019 06:56:00 GMT

We have setup a cisco ASA CX module 9.4 (2) and when we go to block HTTPS traffic for like facebook it blocks it.

i have carried out following steps

1)Directting HTTPS traffic to CX

2)Generating self-sign certificate to intercept https traffic at CX.

3)Then configure decrypt policy to all https traffic.

My problem is that when i do normal http blocking i see the ASA pop-up of block with the category of the URL, whereas for HTTPS i do not see any pop-up it says certificate issue.

i have few questions regarding it

1) Does ASA CX show pop-up for https traffic like it does for http traffic being blocked by it.

2) Can i use root certificate instead of self-sign certificate if yes , how to find the root certificate to import in CX module.

Have you trusted the self

Marvin Rhoads — Mon, 23 Nov 2015 22:17:08 GMT

Have you trusted the self-signed certificate in your client?

You need to either do that or install a trusted enterprise certificate (if you have a local CA that can issue a certificate). In the case of the latter, you would import the server certificate and key for CX by leaving the "Certificate Initialization Method" set to "Import" when you configure the Device Decryption policy.

Yes , i have trusted the self

Aaquib_A1 — Tue, 24 Nov 2015 06:09:18 GMT

Yes , i have trusted the self signed certificate on the client but still i do not see the CX banner notification for https traffic it gives secure connection failed message.

I dont beleieve it sends a

Marvin Rhoads — Wed, 25 Nov 2015 17:39:33 GMT

I dont beleieve it sends a banner for a drop of encypted traffic. it just drops the TCP session, resulting in the browser error you see.

Reference this note:

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-3/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_3/prsm-ug-cx-decryption.html#concept_CD90D495EA6C477E88073250FBACA83A