cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
877
Views
10
Helpful
1
Replies
Doug Charboneau
Beginner

Cloud Web Security via ISR Connector - whitelisting internal websites

I am attempting to impliment Cisco's websecurity and the rep helping is of little help. I am fine in getting the web security setup. Websites that match security rules get blocked and so on. Script run to impliment is below.

 

scansafe general-options
server primary fqdn proxyXXXXXXXXXXXXX
server backup fqdn proxyXXXXXXXXXXXXX

retry-count 5
license XXXXXXXXXXXXXXXXXXXXXXXXXXXXX


policy-map type inspect scansafe http-pmap
parameters
http

policy-map type inspect scansafe https-pmap
parameters
https


access-list web extended permit tcp any any eq www

access-list https extended permit tcp any any eq https

class-map cmap-http
match access-list web

class-map cmap-https
match access-list https

policy-map pmap-webtraffic
class cmap-http
inspect scansafe http-pmap fail-close
class cmap-https
inspect scansafe https-pmap fail-close

service-policy pmap-webtraffic interface inside

                   

 

So the problem comes when I try to bypass the scansafe for our internal websites. The script below provided by Cisco does not work. Any assistance with where I am going wrong would be appreciated.

 

object network internalsite
fqdn mysite.mydomain.com

 

object network internalsite1
fqdn mysite1.mydomain.com

 

object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1

 

no access-list web line 1 extended deny tcp any4 object-group Website_whitelist eq www
no access-list https line 1 extended deny tcp any4 object-group Website_whitelist eq https

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

Did you try to create a whitelist class-map and use whitelist command under the Scansafe Policy-map?

Here you go:

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https

class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
  parameters
   http
  class whitelist1
   whitelist

 policy-map type inspect scansafe https-pmap
  parameters
  https
 class whitelist1
  whitelist

View solution in original post

1 REPLY 1

Hi,

Did you try to create a whitelist class-map and use whitelist command under the Scansafe Policy-map?

Here you go:

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https

class-map type inspect scansafe match-any whitelist1
 match access-list http_traffic_whitelist
 match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
  parameters
   http
  class whitelist1
   whitelist

 policy-map type inspect scansafe https-pmap
  parameters
  https
 class whitelist1
  whitelist

View solution in original post

Content for Community-Ad