Redirecting only interested traffic to CX (coming from outside)

Nauman Rahim
Level 1

I have 5515 CX FW. I want:

- To redirect all internet traffic coming from outside into the inside network via CXSC.

- No CX inspection for oracle traffic (88.x.x.x) both ways.

interface outside is my internet (94.x.x.x)

I did following:

object network obj-10.0.0.0
 ! This is my inside network
   subnet 10.0.0.0 255.255.0.0
   nat (inside,outside) dynamic interface

access-list internet extended deny ip object obj-10.0.0.0 host 88.x.x.x
access-list internet extended permit ip object obj-10.0.0.0 any


class-map CX_Inspection
 match access-list internet
policy-map policy_CX_Inspection
 class CX_Inspection
 cxsc fail-open

service-policy policy_CX_Inspection interface outside


1- Will this solve my purpose? I want to make sure that only internet traffic goes through the CXSC module when coming into our network from outside.

2- Also, my understanding is that when a host accesses a certain website, the ASA will maintain a session. So will the traffic be inspected while leaving the outside interface towards the internet (which I don't want), or will it be inspected when traffic enters the FW from the internet? Or, as the service policy acts bidirectionally if applied on an interface, will traffic be inspected both ways?

Thanks,
NR

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

1) In the ACL , you would have to add an ACE for the traffic initiated from the Outside internet to the internal LAN.

access-list internet extended deny ip host 88.x.x.x any

2) The policy on the interface is applied to traffic inbound and outbound for that interface.

A policy which is applied globally is only applied to inbound traffic for all the interfaces on the ASA device.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/mpf_service_policy.html

Thanks and Regards,

Vibhor Amrodia
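The following is an added example, not part of the original thread or any Cisco code: a small first-match simulator for the extended ACL that feeds the cxsc class-map above. It takes the two ACEs from the question plus the one suggested in the reply, and evaluates constructed connections against them the way the ASA classifies a connection on its initial packet (the class action then applies to both directions of that connection). 198.51.100.10 stands in for the redacted Oracle host 88.x.x.x and 203.0.113.7 for an arbitrary internet host; both are constructed test addresses, and 10.0.5.20 is an assumed inside host.

```python
"""First-match simulation of the ASA extended ACL behind the cxsc class-map.

Added example, not from the original post. The ASA classifies a connection on its
initial packet and applies the class action (redirect to CXSC) to both directions
of that connection, so each flow below is given as (initiator, responder).
198.51.100.10 stands in for the redacted Oracle host 88.x.x.x and 203.0.113.7
for an arbitrary internet host; both are constructed test addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Network objects referenced by the ACL, as configured in the question.
OBJECTS = {"obj-10.0.0.0": ip_network("10.0.0.0/16")}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str  # "permit": connection enters the class; "deny": it does not
    src: IPv4Network
    dst: IPv4Network


def _parse_addr(tokens, i):
    """Consume one ASA address argument starting at tokens[i]."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ANY, i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    # "A.B.C.D MASK" form
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"only 'extended ... ip' ACEs are modelled: {line}")
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return Ace(t[3], src, dst)


def classify(acl, initiator, responder):
    """Return 'cxsc' if the first matching ACE permits, otherwise 'bypass'.

    No match at all falls to the ACL's implicit deny, which also means bypass:
    the class-map only catches what the ACL explicitly permits.
    """
    s, d = ip_address(initiator), ip_address(responder)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return "cxsc" if ace.action == "permit" else "bypass"
    return "bypass"


# The two ACEs from the question plus the one from the reply, denies first so
# they are never shadowed by the broader permit.
ACL_TEXT = """\
access-list internet extended deny ip object obj-10.0.0.0 host 198.51.100.10
access-list internet extended deny ip host 198.51.100.10 any
access-list internet extended permit ip object obj-10.0.0.0 any
"""

# Constructed connections: (label, initiator, responder).
FLOWS = [
    ("inside -> internet web", "10.0.5.20", "203.0.113.7"),
    ("inside -> oracle", "10.0.5.20", "198.51.100.10"),
    ("oracle -> inside", "198.51.100.10", "10.0.5.20"),
    ("internet -> inside", "203.0.113.7", "10.0.5.20"),
]


def evaluate(acl_text=ACL_TEXT, flows=FLOWS):
    """Map each flow label to the verdict of the first matching ACE."""
    acl = [parse_ace(line) for line in acl_text.splitlines() if line.strip()]
    return {label: classify(acl, src, dst) for label, src, dst in flows}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:24} {verdict}")
```

Running it shows the inside-to-internet connection being the only one that lands in the cxsc class; both Oracle directions hit a deny. The last row is worth noting: a connection initiated from the internet towards the inside network matches none of these three ACEs and falls to the implicit deny, so it is not redirected either. If such inbound connections are meant to go through the module, the ACL needs an explicit permit for that direction (for example a permit from any to obj-10.0.0.0, placed after the denies); that is an observation about the ACL semantics, not something stated in the thread.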
