Send http traffic thru CX on ASA5512

burleyman
Level 8

Need to create access lists for the match statement in the class-map global-class to not allow http inspection for VPN users and for the Site 2 Site locations going to the internal subnets, but all traffic going from the Internal subnets to the internet and from the VPN users and site 2 site subnets going only to the internet should be directed thru the CX.


VPN users get IP addresses in the subnet 10.200.200.0/24

object network AnyConnect_Pool
 subnet 10.200.200.0 255.255.255.0


Site to Site locations IP subnets are

object-group network VPN_SITES
 network-object 192.168.70.0 255.255.255.0
 network-object 192.168.71.0 255.255.255.0
 network-object 192.168.72.0 255.255.255.0
 network-object 192.168.73.0 255.255.255.0
 network-object 192.168.74.0 255.255.255.0
 network-object 192.168.75.0 255.255.255.0


Internal subnets

object-group network REMOTE-SITES
 network-object 10.40.0.0 255.255.0.0
 network-object 192.168.2.0 255.255.255.0

object-group network MAIN-SITE
 network-object 10.10.0.0 255.255.255.0
 network-object 10.20.0.0 255.255.255.0

 


access-list VPN_to_INTERNAL extended deny ip object-group VPN_SITES object-group MAIN-SITE
access-list VPN_to_INTERNAL extended deny ip object AnyConnect_Pool object-group MAIN-SITE

access-list CX_to_INTERNET extended permit ip any any

class-map global-class
 match access-list VPN_to_INTERNAL
 match access-list CX_to_INTERNET

policy-map global_policy
 class global-class
  cxsc fail-open

 class class-default
  cxsc fail-open auth-proxy

Or would this be correct?

access-list TRAFFIC_to_CX extended deny ip object-group VPN_SITES object-group MAIN-SITE
access-list TRAFFIC_to_CX extended deny ip object AnyConnect_Pool object-group MAIN-SITE
access-list TRAFFIC_to_CX extended permit ip any any

class-map global-class
 match access-list TRAFFIC_to_CX

policy-map global_policy
 class global-class
  cxsc fail-open

 class class-default
  cxsc fail-open auth-proxy

 

Thanks,

Mike

 

3 Replies

Srinath R
Level 1

Hi Mike,

 

The second method, where the deny statements are applied to the TRAFFIC_to_CX extended ACL, is the right way:

access-list TRAFFIC_to_CX extended deny ip object-group VPN_SITES object-group MAIN-SITE
access-list TRAFFIC_to_CX extended deny ip object AnyConnect_Pool object-group MAIN-SITE
access-list TRAFFIC_to_CX extended permit ip any any

 

Since you are applying this on global level, you might also want to create reverse ACLs if traffic is expected to be initiated from the other side:

 

access-list TRAFFIC_to_CX line 3 extended deny ip object-group MAIN-SITE object-group VPN_SITES
access-list TRAFFIC_to_CX line 4 extended deny ip object-group MAIN-SITE object AnyConnect_Pool

 

If you don't apply this for reverse direction, traffic 'initiated' (not reply/return traffic) from main-site to vpn-sites may still be redirected to CX.

Another thing: you don't need to apply 'cxsc fail-open' to class-default, as the last ACL line is 'ip any any' and this will encompass everything.

 

Edit: I forgot to add that the REMOTE-SITES object-group has not been used in the ACL. Might want to add that as well.

 

 

Regards,

Srinath

The above does not work, it won't even enter into the ASA.

 

Here is again what I want to accomplish.

 

I have VPN users and sites that VPN into the ASA and then go to the main site.

I need to set it up so HTTP traffic coming from the VPN users (AnyConnect_Pool) going to the MAIN-SITE does not pass through the CX.

Also I need to set it up so HTTP traffic coming from the Site to Site VPN (VPN_SITES) going to the MAIN-SITE does not pass through the CX.

Forget the REMOTE_SITES, putting that in was my mistake.

Please show me how you would do this.

 

Mike

I re-crafted the config. Please check this and let me know if it looks like it will work.

 

object network MAIN-SITE-HTTP
 subnet 10.10.0.0 255.255.255.0

object network AnyConnect_Pool
 subnet 10.200.200.0 255.255.255.0

object-group network SITE_2_SITE_VPN
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
 network-object 192.168.71.0 255.255.255.0
 network-object 192.168.72.0 255.255.255.0
 network-object 192.168.73.0 255.255.255.0
 network-object 192.168.74.0 255.255.255.0
 network-object 192.168.75.0 255.255.255.0
 network-object 192.168.76.0 255.255.255.0
 network-object 192.168.77.0 255.255.255.0
 network-object 192.168.78.0 255.255.255.0
 network-object 192.168.79.0 255.255.255.0
 network-object 192.168.80.0 255.255.255.0
 network-object 192.168.81.0 255.255.255.0
 network-object 192.168.82.0 255.255.255.0
 network-object 192.168.83.0 255.255.255.0
 network-object 192.168.84.0 255.255.255.0
 network-object 192.168.85.0 255.255.255.0
 network-object 192.168.86.0 255.255.255.0
 network-object 192.168.87.0 255.255.255.0
 network-object 192.168.88.0 255.255.255.0
 network-object 192.168.89.0 255.255.255.0
 network-object 192.168.90.0 255.255.255.0
 network-object 192.168.91.0 255.255.255.0
 network-object 192.168.92.0 255.255.255.0
 network-object 192.168.93.0 255.255.255.0
 network-object 192.168.94.0 255.255.255.0
 network-object 192.168.95.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0

object service CX_HTTP_80
 description HTTP to a server: match the destination port, not the source port
 service tcp destination eq www

access-list TRAFFIC_to_CX remark Deny entries here exclude traffic from the CX class; they do not drop it
access-list TRAFFIC_to_CX remark Bypass the CX for VPN-client and site-to-site HTTP to the main site
access-list TRAFFIC_to_CX extended deny object CX_HTTP_80 object-group SITE_2_SITE_VPN object MAIN-SITE-HTTP
access-list TRAFFIC_to_CX extended deny object CX_HTTP_80 object AnyConnect_Pool object MAIN-SITE-HTTP
access-list TRAFFIC_to_CX remark All other TCP/80 traffic goes to the CX
access-list TRAFFIC_to_CX extended permit object CX_HTTP_80 any any

class-map CX_bypass
 match access-list TRAFFIC_to_CX

policy-map global_policy
 class CX_bypass
  cxsc fail-open auth-proxy

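An added model of the classification the last two posts rely on (it is not code from the thread or from Cisco): it evaluates TRAFFIC_to_CX first-match the way an ASA class-map does, and checks that a deny entry only leaves a flow out of the CX class, that main-site-initiated flows need the reverse entries Srinath asked for, and that the service object must match the destination port. Hosts, ports and the trimmed VPN subnet list are constructed.

```python
# Added example (not from the original thread): a minimal model of how an ASA
# Layer 3/4 class-map with "match access-list" classifies a connection. The
# ACL is evaluated first-match against the connection's first packet; a "deny"
# entry only excludes the flow from the class (it is NOT a drop), and an
# unmatched flow hits the implicit deny, so it is also left out of the class.
# Addresses and port numbers below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Network objects as defined in the thread (MAIN-SITE-HTTP, AnyConnect_Pool, a
# subset of SITE_2_SITE_VPN); ANY matches everything.
ANY = [ip_network("0.0.0.0/0")]
MAIN_SITE_HTTP = [ip_network("10.10.0.0/24")]
ANYCONNECT_POOL = [ip_network("10.200.200.0/24")]
SITE_2_SITE_VPN = [ip_network(f"192.168.{n}.0/24") for n in range(70, 76)]

def in_group(addr, group):
    return any(ip_address(addr) in net for net in group)

def in_class(acl, src, dst, sport, dport):
    """Return True if the flow would be classified into the CX class.
    acl: list of (action, src_group, dst_group, port_field, port)."""
    for action, src_grp, dst_grp, field, port in acl:
        if not (in_group(src, src_grp) and in_group(dst, dst_grp)):
            continue
        if (sport if field == "source" else dport) != port:
            continue
        return action == "permit"   # first match decides
    return False                    # implicit deny: not in the class

def build_acl(port_field, reverse=False):
    """TRAFFIC_to_CX from Mike's last post; port_field is "source" (as first
    posted) or "destination" (what client->server HTTP needs). reverse=True
    adds the main-site-initiated deny entries Srinath recommends."""
    acl = [("deny", SITE_2_SITE_VPN, MAIN_SITE_HTTP, port_field, 80),
           ("deny", ANYCONNECT_POOL, MAIN_SITE_HTTP, port_field, 80)]
    if reverse:
        acl += [("deny", MAIN_SITE_HTTP, SITE_2_SITE_VPN, port_field, 80),
                ("deny", MAIN_SITE_HTTP, ANYCONNECT_POOL, port_field, 80)]
    acl.append(("permit", ANY, ANY, port_field, 80))
    return acl

if __name__ == "__main__":
    acl = build_acl("destination", reverse=True)
    # Branch host browsing the main site: excluded from the CX class (bypass)
    print(in_class(acl, "192.168.70.10", "10.10.0.20", 51000, 80))   # False
    # Internal host browsing the internet: classified, sent to the CX
    print(in_class(acl, "10.20.0.5", "203.0.113.7", 51001, 80))       # True
```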
 
