03-04-2014 10:52 PM - edited 03-11-2019 08:53 PM
Hey Guys, hopefully a quick question. I'm in the process of setting up my first CX module and as of right now, I have all traffic being redirected to the module, from the ASA. Is this a good practice? I've seen other examples where the admin only redirects http and https from the ASA; but I think this will be a problem if users go to a site that uses a non-standard http port, right? Also, if I only send web traffic to CX, I won't be able to see any other application traffic so I'm not sure why other admins are pushing this as a good way to configure CX. What do you guys do in your environments?
03-05-2014 06:04 AM
I've seen it done both ways. You are correct regarding the limitations of only sending http and https traffic.
One thing that some customers do is to supplement the CX inspection of the standard ports 80 and 443 used by http and https protocols with a separate policy only allowing the well-known ports outbound (by use of an access-list on the inside interface).
03-05-2014 11:49 AM
Yes, I think I'll create an ACL to limit the amount of outbound ports to some well known web traffic ports, then apply my CX policy on top of this.
Thanks for confirming.
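The two approaches discussed in this thread, sketched as an ASA configuration. This is an added example, not a configuration posted by anyone in the thread; the ACL, class-map and policy-map names, the `fail-open` choice and the DNS permit line are assumptions to adapt to your environment.

```cisco
! --- Option A: redirect all traffic to the CX module ---
! CX sees every application, including HTTP on non-standard ports.
class-map CX_ALL_CLASS
 match any
policy-map global_policy
 class CX_ALL_CLASS
  cxsc fail-open
service-policy global_policy global

! --- Option B: redirect only standard web ports, and restrict egress ---
! Use this INSTEAD of Option A, not together with it.
! Step 1: only ports 80 and 443 are sent to CX.
access-list CX_WEB extended permit tcp any any eq www
access-list CX_WEB extended permit tcp any any eq https
class-map CX_WEB_CLASS
 match access-list CX_WEB
policy-map global_policy
 class CX_WEB_CLASS
  cxsc fail-open
service-policy global_policy global

! Step 2: inside-interface ACL allowing only well-known ports outbound,
! so traffic that CX never inspects cannot leave on other ports.
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any any eq https
! Assumed extra permit: clients need DNS; drop this line if they use
! an internal resolver only.
access-list INSIDE_OUT extended permit udp any any eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

With Option B, a site served on a non-standard HTTP port is dropped by the `INSIDE_OUT` ACL rather than bypassing inspection, and the `log` keyword on the final deny shows which ports users are actually requesting.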