If you come across a case where the customer wants to configure WCCP in "fail close" mode (that is, if WCCP fails, users should not be able to reach anything on port 80), it can be achieved as follows. Per the WCCP processing order on the ASA, the traffic is first subjected to the access list applied inbound on the ingress interface. Then, if the WCCP server fails to service the request, the traffic is subject to all other security checks on the ASA. The initial assumption is that the traffic will be fully proxied by the WCCP server. Therefore, if we permit 80/443 traffic inbound on the inside interface, but on the outside interface allow outbound 80/443 only from the WCCP server, this should meet the customer's requirement.
We can try the following to achieve the same:
1.) On the inside interface, make sure all traffic to ports 80 and 443 is permitted (access list applied inbound on the inside interface):
access-list inside_access_outbound extended permit tcp any any eq 80
access-list inside_access_outbound extended permit tcp any any eq 443
access-group inside_access_outbound in interface inside
2.) Let's say the WCCP server in the customer's environment has the IP address 10.107.1.4. We need to allow ONLY it out to the internet.
Create a one-to-one static NAT as follows, where A is the mapped (outside) address of the WCCP server:
static (inside,outside) A 10.107.1.4
access-list outside_access_outbound extended permit tcp host A any eq 80
access-list outside_access_outbound extended permit tcp host A any eq 443
access-list outside_access_outbound extended deny tcp any any eq 80
access-list outside_access_outbound extended deny tcp any any eq 443
access-list outside_access_outbound extended permit ip any any
access-group outside_access_outbound out interface outside
The last line is the catch-all that allows other applications to exit the customer's network; because the deny entries for 80 and 443 precede it, any HTTP/HTTPS traffic that was not proxied by the WCCP server (for example, when redirection fails) is dropped at the outside interface.
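To check the fail-close behaviour offline, the following added Python example (not code from the original post or from Cisco) models the first-match evaluation of the outside_access_outbound list above, with the post-NAT source address applied as the ASA would see it on the outside interface. The mapped address 203.0.113.10 stands in for the placeholder "A", and the non-WCCP host 10.107.1.20 is a constructed sample; both are assumptions.

```python
"""Constructed walk-through of the outside-interface outbound ACL from the post.

Demonstrates that with WCCP working, only the WCCP server's mapped address
can leave on 80/443, and that a user whose HTTP/HTTPS traffic bypasses the
proxy (WCCP failed) is denied, while other protocols still pass the catch-all.
"""
from dataclasses import dataclass
from typing import List, Optional

WCCP_REAL_ADDR = "10.107.1.4"      # WCCP server address from the post
WCCP_MAPPED_ADDR = "203.0.113.10"  # assumption: stands in for placeholder "A"
SAMPLE_USER = "10.107.1.20"        # constructed non-WCCP inside host

# static (inside,outside) A 10.107.1.4  -> one-to-one mapping real -> mapped
STATIC_NAT = {WCCP_REAL_ADDR: WCCP_MAPPED_ADDR}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source host or 'any', dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip" (ip matches any protocol)
    src: str               # host address or "any"
    dport: Optional[int]   # destination port, None means any port


# Same order as the access-list outside_access_outbound lines in the post.
OUTSIDE_OUTBOUND: List[Ace] = [
    Ace("permit", "tcp", WCCP_MAPPED_ADDR, 80),
    Ace("permit", "tcp", WCCP_MAPPED_ADDR, 443),
    Ace("deny",   "tcp", "any", 80),
    Ace("deny",   "tcp", "any", 443),
    Ace("permit", "ip",  "any", None),
]


def translate(real_src: str) -> str:
    """Apply the one-to-one static. Hosts without a static keep their address
    here (assumption: the post shows no other NAT rule; the deny entries use
    'any' as source, so the translated value does not change the verdict)."""
    return STATIC_NAT.get(real_src, real_src)


def matches(ace: Ace, proto: str, src: str, dport: int) -> bool:
    """An ACE matches when every specified field agrees with the packet."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """First matching entry wins; the ASA appends an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dport):
            return ace.action
    return "deny"


def outside_verdict(real_src: str, proto: str, dport: int) -> str:
    """Verdict of the outbound ACL on the outside interface, which sees the
    post-NAT source address."""
    return evaluate(OUTSIDE_OUTBOUND, proto, translate(real_src), dport)


def fail_close_holds() -> bool:
    """True when HTTP/HTTPS can leave only via the WCCP server while other
    traffic from ordinary hosts still reaches the catch-all permit."""
    proxy_ok = all(outside_verdict(WCCP_REAL_ADDR, "tcp", p) == "permit"
                   for p in (80, 443))
    user_web_blocked = all(outside_verdict(SAMPLE_USER, "tcp", p) == "deny"
                           for p in (80, 443))
    user_other_ok = outside_verdict(SAMPLE_USER, "udp", 53) == "permit"
    return proxy_ok and user_web_blocked and user_other_ok


if __name__ == "__main__":
    for src, proto, port in [(WCCP_REAL_ADDR, "tcp", 80), (SAMPLE_USER, "tcp", 80),
                             (SAMPLE_USER, "tcp", 443), (SAMPLE_USER, "udp", 53)]:
        print(f"{src} {proto}/{port}: {outside_verdict(src, proto, port)}")
    print("fail-close holds:", fail_close_holds())
```

The ordering matters: if the `permit ip any any` catch-all were placed before the two deny lines, first-match evaluation would let every host out on 80/443 and the fail-close requirement would silently disappear.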