This document describes how to configure an ISR for content-scan, so that HTTP and HTTPS requests are sent out to the ScanSafe towers and, depending on the response received, users are either allowed or denied access to the sites.
The ISR should be running a minimum code version of 15.2(1)T1 or above.
The feature is available in IOS (universal) images with the security feature set (SEC) license.
Platforms Supported:
800, 1900, 2900 and 3900 series ISRs
Platforms NOT Supported:
G1 ISRs: 18xx, 28xx, 38xx
The maximum number of sessions that can be handled is 32K, irrespective of platform.
Step by Step:
Configure the parameter-map (required):
parameter-map type content-scan global
 server scansafe primary ipv4 22.214.171.124 port http 8080 https 8080
 server scansafe secondary ipv4 126.96.36.199 port http 8080 https 8080
 license 0 <license key>
 user-group ciscogroup username ciscouser
 source interface g0/0
The license key here is actually called an authentication key; you get one for your site (one per company) from ScanSafe. Depending on the geographical location of the sites, ScanSafe provides the tower IP addresses: one is the primary and the other is the secondary tower. When one goes down, the other automatically takes over.
In this case, when the router proxies the HTTP and HTTPS requests to the ScanSafe towers, it uses the IP address of interface g0/0 as the source of those packets.
If the router has multiple internet-facing interfaces or route tracking enabled, either interface may be the active one. In that case it may be a good idea to source the traffic from a loopback interface or from the inside interface; if the address used is in RFC 1918 space, either this router or another device must provide translation for it.
User-group is optional. Based on the policies set up on the tower, end users' traffic is filtered and scanned for content.
Apply content-scan to the egress interface (required):
interface g0/2
 content-scan out
Whitelisting (optional): an ACL or a parameter-map type regex can be used to exempt traffic from being sent to the towers.
parameter-map type regex allowed-pattern
 pattern cisco
 pattern aol
Traffic from this internal subnet can be exempted from being sent out to the towers; these IPs can browse freely without any restrictions.
ip access-list extended inside-nw
 permit ip 192.168.10.0 0.0.0.255 any
content-scan whitelisting
 whitelist header host regex allowed-pattern
 whitelist acl inside-nw
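As an added example (not part of the original document), a small Python audit that parses a content-scan configuration in the shape shown above and flags three points discussed here: whitelist host regexes that are not anchored (an IOS regex matches as a substring, so a bare pattern exempts every hostname containing it), a source interface with an RFC 1918 address that needs translation, and an egress interface without content-scan out. The sample configuration, its interface address and the license key placeholder are constructed.

```python
import ipaddress
import re
# Constructed sample config (placeholder license key, made-up interface address).
SAMPLE_CONFIG = """\
parameter-map type content-scan global
 server scansafe primary ipv4 22.214.171.124 port http 8080 https 8080
 license 0 PLACEHOLDER-LICENSE-KEY
 source interface g0/0
parameter-map type regex allowed-pattern
 pattern cisco
 pattern ^www\\.aol\\.com$
interface g0/0
 ip address 192.168.1.1 255.255.255.0
content-scan whitelisting
 whitelist header host regex allowed-pattern
"""

def parse_blocks(config):
    """Group an IOS config into {top-level command: [indented child lines]}."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif line.strip() and cur is not None:
            blocks[cur].append(line.strip())
    return blocks

def audit_content_scan(config):
    """Return the findings a reviewer would raise about this content-scan config."""
    b, findings = parse_blocks(config), []
    # 1. IOS regexes match substrings unless anchored with ^ and $, so a bare
    #    'cisco' exempts every hostname containing that string from scanning.
    for line in b.get("content-scan whitelisting", []):
        m = re.match(r"whitelist header host regex (\S+)", line)
        for child in (b.get(f"parameter-map type regex {m.group(1)}", []) if m else []):
            pat = child.split(" ", 1)[1]
            if not (pat.startswith("^") and pat.endswith("$")):
                findings.append(f"unanchored whitelist pattern: {pat}")
    # 2. An RFC 1918 source address must be translated on the way to the tower.
    for line in b.get("parameter-map type content-scan global", []):
        m = re.match(r"source interface (\S+)", line)
        for child in (b.get(f"interface {m.group(1)}", []) if m else []):
            a = re.match(r"ip address (\S+)", child)
            if a and ipaddress.ip_address(a.group(1)).is_private:
                findings.append(f"source {m.group(1)} uses RFC 1918 address {a.group(1)}")
    # 3. Nothing is redirected until 'content-scan out' sits on an egress interface.
    if not any("content-scan out" in v for k, v in b.items() if k.startswith("interface ")):
        findings.append("no interface has 'content-scan out' applied")
    return findings
```

Run it against the output of `show running-config` to get the same three checks on a real device; only the host-regex whitelist and the content-scan parameter-map are inspected, the ACL whitelist is left alone.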