If you come across a case where the customer wants to configure WCCP in "fail close" mode, that is, if WCCP fails, users should not be able to access anything on port 80, this can be achieved as follows. Under the WCCP configuration, the traffic is first subjected to the inbound access-list on the interface. Then, if the WCCP server fails to service the request, the traffic is subject to all the other security checks on the ASA. The initial assumption is that the traffic will be fully proxied by the WCCP server. Therefore, if we permit 80/443 traffic inbound on the inside interface, but on the outside interface allow it outbound only from the WCCP server, this should serve the customer's requirement.
We can try the following to achieve this:
1.) On the inside interface, be sure to permit all traffic to ports 80 and 443 outbound (the access-list is applied inbound on the inside interface):
access-list inside_access_outbound extended permit tcp any any eq 80
access-list inside_access_outbound extended permit tcp any any eq 443
access-group inside_access_outbound in interface inside
2.) Let's say that the WCCP server used in the customer's environment has the IP 10.107.1.4. We need to allow ONLY it out to the internet.
Create a one-to-one static as follows, where A is the outside (translated) address of the WCCP server:
static (inside,outside) A 10.107.1.4
access-list outside_access_outbound extended permit tcp host A any eq 80
access-list outside_access_outbound extended permit tcp host A any eq 443
access-list outside_access_outbound extended deny tcp any any eq 80
access-list outside_access_outbound extended deny tcp any any eq 443
access-list outside_access_outbound extended permit ip any any
access-group outside_access_outbound out interface outside
The last line is the catch-all that allows other applications to exit the customer's network.
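The first-match evaluation of the outbound ACL on the outside interface, as an added Python simulation that is not part of the original post: once WCCP redirection fails, client traffic reaches the outside interface with its own translated address, so only the WCCP server's address (the post's "A", replaced here by a constructed placeholder) still gets out on 80/443, while other applications still pass through the catch-all. The addresses and the Ace helper are assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional

# "A" in the post is the outside (translated) address of the WCCP server; this
# value is a constructed placeholder, as is the client's translated address below.
WCCP_NAT_ADDR = "203.0.113.4"
CLIENT_NAT_ADDR = "203.0.113.10"  # constructed: a client whose traffic bypassed WCCP

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip" (ip matches any protocol)
    src: str               # host address, or "any"
    dport: Optional[int]   # destination port, or None for any port

# access-list outside_access_outbound, in the order the post configures it
OUTSIDE_ACCESS_OUTBOUND: List[Ace] = [
    Ace("permit", "tcp", WCCP_NAT_ADDR, 80),
    Ace("permit", "tcp", WCCP_NAT_ADDR, 443),
    Ace("deny", "tcp", "any", 80),
    Ace("deny", "tcp", "any", 443),
    Ace("permit", "ip", "any", None),
]

def matches(ace: Ace, proto: str, src: str, dport: int) -> bool:
    """True if this ACE applies to the flow (protocol, source, destination port)."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """First matching ACE wins; an ASA access-list ends with an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dport):
            return ace.action
    return "deny"

def fail_close_check(acl: List[Ace]) -> dict:
    """Outcomes for the flows the post cares about once WCCP redirection has
    failed and client traffic reaches the outside interface directly."""
    return {
        "wccp_server_http": evaluate(acl, "tcp", WCCP_NAT_ADDR, 80),
        "wccp_server_https": evaluate(acl, "tcp", WCCP_NAT_ADDR, 443),
        "client_direct_http": evaluate(acl, "tcp", CLIENT_NAT_ADDR, 80),
        "client_direct_https": evaluate(acl, "tcp", CLIENT_NAT_ADDR, 443),
        "client_other_app": evaluate(acl, "tcp", CLIENT_NAT_ADDR, 25),
    }
```

Because evaluation is first-match, the two permit lines for host A must precede the deny lines; placing the denies first would block the WCCP server as well.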