ASA 5525 CX module

Aaquib_A1
Community Member

We have set up a Cisco ASA CX module 9.4(2), and when we go to block HTTPS traffic for a site like Facebook, it blocks it.

I have carried out the following steps:

1) Directing HTTPS traffic to CX.

2) Generating a self-signed certificate to intercept HTTPS traffic at CX.

3) Then configuring a decrypt policy for all HTTPS traffic.

My problem is that when I do normal HTTP blocking I see the ASA block pop-up with the category of the URL, whereas for HTTPS I do not see any pop-up; it says there is a certificate issue.

I have a few questions regarding it:

1) Does ASA CX show a pop-up for HTTPS traffic like it does for HTTP traffic being blocked by it?

2) Can I use a root certificate instead of a self-signed certificate? If yes, how do I find the root certificate to import into the CX module?

3 Replies

Marvin Rhoads
Hall of Fame

Have you trusted the self-signed certificate in your client?

You need to either do that or install a trusted enterprise certificate (if you have a local CA that can issue a certificate). In the case of the latter, you would import the server certificate and key for CX by leaving the "Certificate Initialization Method" set to "Import" when you configure the Device Decryption policy.

Yes, I have trusted the self-signed certificate on the client, but I still do not see the CX banner notification for HTTPS traffic; it gives a "secure connection failed" message.

I don't believe it sends a banner for a drop of encrypted traffic. It just drops the TCP session, resulting in the browser error you see.

Reference this note:

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-3/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_3/prsm-ug-cx-decryption.html#concept_CD90D495EA6C477E88073250FBACA83A
