Solved: Hi,Did you try to create a

Doug Charboneau · ‎10-14-2013

I am attempting to impliment Cisco's websecurity and the rep helping is of little help. I am fine in getting the web security setup. Websites that match security rules get blocked and so on. Script run to impliment is below.

scansafe general-options
server primary fqdn proxyXXXXXXXXXXXXX
server backup fqdn proxyXXXXXXXXXXXXX

retry-count 5
license XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

policy-map type inspect scansafe http-pmap
parameters
http

policy-map type inspect scansafe https-pmap
parameters
https

access-list web extended permit tcp any any eq www

access-list https extended permit tcp any any eq https

class-map cmap-http
match access-list web

class-map cmap-https
match access-list https

policy-map pmap-webtraffic
class cmap-http
inspect scansafe http-pmap fail-close
class cmap-https
inspect scansafe https-pmap fail-close

service-policy pmap-webtraffic interface inside

So the problem comes when I try to bypass the scansafe for our internal websites. The script below provided by Cisco does not work. Any assistance with where I am going wrong would be appreciated.

object network internalsite
fqdn mysite.mydomain.com

object network internalsite1
fqdn mysite1.mydomain.com

object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1

no access-list web line 1 extended deny tcp any4 object-group Website_whitelist eq www
no access-list https line 1 extended deny tcp any4 object-group Website_whitelist eq https

Ruggero Delcuratolo · ‎05-09-2014

Hi,

Did you try to create a whitelist class-map and use whitelist command under the Scansafe Policy-map?

Here you go:

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https

class-map type inspect scansafe match-any whitelist1
match access-list http_traffic_whitelist
match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
parameters
http
class whitelist1
whitelist
!
policy-map type inspect scansafe https-pmap
parameters
https
class whitelist1
whitelist

View solution in original post

Ruggero Delcuratolo · ‎05-09-2014

Hi,

Did you try to create a whitelist class-map and use whitelist command under the Scansafe Policy-map?

Here you go:

object network internalsite
fqdn mysite.mydomain.com
!
object network internalsite1
fqdn mysite1.mydomain.com
!
object-group network Website_whitelist
network-object object internalsite
network-object object internalsite1
!
access-list http_traffic_whitelist extended permit tcp any object-group Website_whitelist eq www
access-list https_traffic_whitelist extended permit tcp any object-group Website_whitelist eq https

class-map type inspect scansafe match-any whitelist1
match access-list http_traffic_whitelist
match access-list https_traffic_whitelist
!
policy-map type inspect scansafe http-pmap
parameters
http
class whitelist1
whitelist
!
policy-map type inspect scansafe https-pmap
parameters
https
class whitelist1
whitelist

Cloud Web Security via ISR Connector - whitelisting internal websites