
ASA with Firepower SSL inspection problem for some https website

linlinoo
Level 1

Hi,

I am now testing ASA Firepower SSL inspection with 6.0. I configured the CA as FSMC, an SSL policy, and access control rules. I can then go to https://www.google.com, https://www.cisco.com or other HTTPS websites. But I am facing a problem with other HTTPS sites (such as Gmail and Facebook): I can't go to those websites. How can I do that? Please help me. I have attached some screenshots. Thanks.

4 Replies

Greg Smalley
Level 1

Most likely your computer doesn't trust the FSMC CA. Firefox maintains its own trusted CA list, whereas most of the other browsers get their trusted CA list from the OS. Make sure you import the FSMC CA into your trusted certificate store via the Microsoft Certificate snap-in and into the trusted CA store in Firefox.

Also, Chrome will prevent man-in-the-middle certificates for Google websites. If you use Chrome you will need to make an exception to not decrypt Google websites: google.com, gmail.com, youtube.com.

-Smalley

Hi Greg,

Thanks. I already tried that. It is OK. But we aren't able to import the certificate on every PC or laptop in the live network, right? We can have 100 or 1000 users in our network. So how can I automatically import it from the firewall to the clients? We would also like to block FB chat, posts, comments and so on. How can we do that? I already tried to block chat and posts. It is not working on version 6.0.

On a network you would typically use Group Policy to disperse the needed certificate into the Trusted certificate store. If you are using Firefox you would need to use something like PolicyPak, as Firefox doesn't natively use the Microsoft cert store.
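
For the Windows certificate store step discussed in the replies above, an added example (not part of the thread and not Cisco tooling): a PowerShell script that confirms the exported inspection CA is a valid CA certificate and is present in the machine's Trusted Root store, importing it only when `-Install` is given. The file path is a placeholder, and the script covers only the Windows store, not Firefox's separate one.

```powershell
# Added example: verify (and optionally install) the SSL-inspection CA in the
# Windows machine root store. The default file path is a placeholder (assumption).
param(
    [string]$CaFile = 'C:\certs\inspection-ca.cer',  # placeholder: CA certificate exported from the management center
    [switch]$Install                                  # import when missing (requires an elevated session)
)

$ErrorActionPreference = 'Stop'
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)

# A re-signing certificate must carry the basicConstraints CA flag; refuse anything else.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CaFile is not a CA certificate (basicConstraints CA flag not set)."
}

# Do not distribute a CA that is expired or not yet valid.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "CA certificate is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))."
}

# Compare by thumbprint so a different certificate with the same subject is not accepted.
$store   = 'Cert:\LocalMachine\Root'
$present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }

if ($present) {
    Write-Output "Trusted: $($ca.Subject) [$($ca.Thumbprint)] is in $store."
} elseif ($Install) {
    Import-Certificate -FilePath $CaFile -CertStoreLocation $store | Out-Null
    Write-Output "Imported $($ca.Subject) [$($ca.Thumbprint)] into $store."
} else {
    Write-Output "Missing: $($ca.Subject) [$($ca.Thumbprint)] is not in $store."
    exit 1
}
```

Run without `-Install` it only reports, which makes it usable as a compliance check on machines that should already have received the certificate through Group Policy.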

Thanks again. What is your idea for blocking FB chat, posts or other social messaging apps with Cisco Firepower? Is it actually unable to block them?
