06-26-2014 08:19 AM - edited 03-08-2019 06:55 PM
This document describes how to use the Cisco Adaptive Security Appliance (ASA) with the Context Aware (CX) module, also referred to as the Next Generation Firewall, together with the Cisco Cloud Web Security (CWS) Connector.
Components Used / Scope
This example shows the following areas of technology and products:
Use Case
The ASA CX module can cover both Content Security and Intrusion Prevention requirements, depending on the license features enabled on the ASA CX. Cloud Web Security is not supported with the ASA CX module: if you configure both the ASA CX action and Cloud Web Security inspection for the same traffic flow, the ASA only performs the ASA CX action. In order to leverage the CWS features for Web Security, we need to ensure that the web traffic is excluded from the match statement for ASA CX. Typically, in such a scenario, customers use CWS for Web Security and AVC (ports 80 and 443) and the CX module for all other ports.
Pre-requisites
Key Understanding
Network Diagram
Traffic Flow for ASA & CWS
Traffic Flow for ASA & CX
Configuration
!ASA CWS HTTP Match
access-list cws-www extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-www extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-www extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-www extended permit tcp any4 any4 eq www

!ASA CWS HTTPS Match
access-list cws-https extended deny ip any4 10.0.0.0 255.0.0.0
access-list cws-https extended deny ip any4 172.16.0.0 255.240.0.0
access-list cws-https extended deny ip any4 192.168.0.0 255.255.0.0
access-list cws-https extended permit tcp any4 any4 eq https

!ASA CX Match
access-list asa-cx extended permit tcp any4 10.0.0.0 255.0.0.0 eq 80
access-list asa-cx extended permit tcp any4 172.16.0.0 255.240.0.0 eq 80
access-list asa-cx extended permit tcp any4 192.168.0.0 255.255.0.0 eq 80
access-list asa-cx extended deny tcp any4 any4 eq www
access-list asa-cx extended permit tcp any4 10.0.0.0 255.0.0.0 eq 443
access-list asa-cx extended permit tcp any4 172.16.0.0 255.240.0.0 eq 443
access-list asa-cx extended permit tcp any4 192.168.0.0 255.255.0.0 eq 443
access-list asa-cx extended deny tcp any4 any4 eq https
access-list asa-cx extended permit ip any4 any4

! Match HTTPS traffic for CWS
class-map cmap-https
 match access-list cws-https
! Match HTTP traffic for CWS
class-map cmap-http
 match access-list cws-www
! Match traffic for ASA CX
class-map cmap-ngfw-cx
 match access-list asa-cx

!Inspection policy map to configure essential parameters for the rules and optionally
!identify the whitelist for HTTP traffic
policy-map type inspect scansafe http-pmap
 parameters
  default group cws_default
  http
!Inspection policy map to configure essential parameters for the rules and optionally
!identify the whitelist for HTTPS traffic
policy-map type inspect scansafe https-pmap
 parameters
  default group cws_default
  https
! Interface policy local to Inside Interface
policy-map cws_policy
 class cmap-http
  inspect scansafe http-pmap fail-open
 class cmap-https
  inspect scansafe https-pmap fail-open
! Global Policy with Inspection enabled using ASA CX
policy-map global_policy
 class inspection_default
  <SNIP>
 class cmap-ngfw-cx
  cxsc fail-open
 class class-default
  user-statistics accounting

service-policy global_policy global
service-policy cws_policy inside
[Note: In this example, we have assumed that web traffic originates only from the inside security zone. We can use interface policies on all interfaces where we expect web traffic, or use the same classes within the global policy. This is only to demonstrate the functioning of CWS and the use of MPF to support our requirement.]
scansafe general-options
 server primary ip x1.x1.x1.x1 port 8080
 server backup ip x2.x2.x2.x2 port 8080
 retry-count 5
 license xxxxxxxxxxxx/ encrypted
!
To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. See the clear conn or clear local-host commands.
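The following Python model is an added example, not part of the original document, that replays the three access-lists above with the ASA's first-match semantics and reports which inspection a given flow would receive. It assumes every flow is TCP (so the "ip" versus "tcp" distinction in the entries is ignored); the NAIVE_CX list is a hypothetical CX match that lacks the deny entries, included only to show the overlap the Use Case section warns about, where a flow matched by both classes gets the CX action and skips CWS.

```python
import ipaddress

# Added example: a model of the three access-lists from this document, so the
# CWS/CX split can be checked for a flow before the policy is deployed.
# Each entry is (action, destination prefix, destination TCP port); port None
# stands for the "ip" entries that match any port. As on the ASA, the first
# matching entry decides and an unmatched flow is implicitly denied.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
CWS_WWW = [("deny", p, None) for p in RFC1918] + [("permit", "0.0.0.0/0", 80)]
CWS_HTTPS = [("deny", p, None) for p in RFC1918] + [("permit", "0.0.0.0/0", 443)]
ASA_CX = (
    [("permit", p, 80) for p in RFC1918] + [("deny", "0.0.0.0/0", 80)]
    + [("permit", p, 443) for p in RFC1918] + [("deny", "0.0.0.0/0", 443)]
    + [("permit", "0.0.0.0/0", None)]
)
# Hypothetical CX match without the web deny entries (not from the document).
NAIVE_CX = [("permit", "0.0.0.0/0", None)]


def acl_permits(acl, dst_ip, dst_port):
    """First-match evaluation of an ACL for a TCP flow to dst_ip:dst_port."""
    dst = ipaddress.ip_address(dst_ip)
    for action, prefix, port in acl:
        if dst in ipaddress.ip_network(prefix) and port in (None, dst_port):
            return action == "permit"
    return False  # implicit deny at the end of every ASA access-list


def inspection_for(dst_ip, dst_port, cx_acl=ASA_CX):
    """Which inspection the flow gets under the document's class-maps.

    When both the scansafe class and the cxsc class match, the ASA performs
    only the CX action, so CWS is silently skipped for that flow.
    """
    cws = acl_permits(CWS_WWW, dst_ip, dst_port) or acl_permits(CWS_HTTPS, dst_ip, dst_port)
    cx = acl_permits(cx_acl, dst_ip, dst_port)
    if cws and cx:
        return "cx (cws skipped)"
    return "cws" if cws else "cx" if cx else "none"


def flows_missing_cws(flows, cx_acl=ASA_CX):
    """Return the web flows that CWS should see but the CX class captures."""
    return [f for f in flows if inspection_for(*f, cx_acl=cx_acl) == "cx (cws skipped)"]


if __name__ == "__main__":
    # Constructed sample flows: external web, internal web, non-web.
    sample = [("1.1.1.1", 80), ("8.8.8.8", 443), ("10.0.0.5", 80), ("8.8.8.8", 22)]
    for f in sample:
        print(f, "->", inspection_for(*f))
    print("overlap with the document's CX ACL:", flows_missing_cws(sample))
    print("overlap with the naive CX ACL:", flows_missing_cws(sample, NAIVE_CX))
```

Run it after any change to the asa-cx access-list: an empty overlap list for the external web flows confirms that the deny entries still keep ports 80 and 443 out of the CX class.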
Verify
csaxena-cws-asa# sho scansafe statistics
Current HTTP sessions : 0
Current HTTPS sessions : 0
Total HTTP Sessions : 1091
Total HTTPS Sessions : 5893
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 0
Total Bytes In : 473598 Bytes
Total Bytes Out : 1995470 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 10/23/11
HTTPS session Connect Latency in ms(min/max/avg) : 10/190/11
csaxena-cws-asa# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      <SNIP>
      <SNIP>
    Class-map: cmap-ngfw-cx
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 275786624, packet output 272207060, drop 0, reset-drop 36, proxied 0
    Class-map: class-default
      Default Queueing      Packet recieved 150146, sent 156937, attack 2031

Interface inside:
  Service-policy: cws_policy
    Class-map: cmap-http
      Inspect: scansafe http-pmap fail-open, packet 176, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
    Class-map: cmap-https
      Inspect: scansafe https-pmap fail-open, packet 78, lock fail 0, drop 13, reset-drop 0, v6-fail-close 0
Troubleshoot
In order to troubleshoot any issues related to the above configuration and to understand the packet flow, run packet-tracer for a representative web flow and check the INSPECT and CXSC phases:
csaxena-cws-asa(config)# packet-tracer input inside tcp 10.0.0.1 80 1.1.1.1 80 det

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
<SNIP>
<This phase will show up if you are capturing same traffic as well>

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in <SNIP>

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via x.x.x.1, outside
<Confirms egress interface selected. We need to ensure we have CWS connectivity via the same interface>

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.254.0 via 10.0.0.0.1, inside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip any any
Additional Information:
<SNIP>

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-inside_to_outside
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.0.1/80 to x.x.x.1/80
Forward Flow based lookup yields rule:
in <SNIP>

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in <SNIP>

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in <SNIP>

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map cmap-http
 match access-list cws-www
policy-map inside_policy
 class cmap-http
  inspect scansafe http-pmap fail-open
service-policy inside_policy interface inside
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2cd3fce0, priority=72, domain=inspect-scansafe, deny=false
        hits=8, user_data=0x7fff2bb86ab0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=10.0.0.11, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
<Verify the configuration, port, domain, deny fields>

Phase: 10
Type: CXSC
Subtype:
Result: ALLOW
Config:
class-map ngfw-cx
 match access-list asa-cx
policy-map global_policy
 class ngfw-cx
  cxsc fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2c530970, priority=71, domain=cxsc, deny=true
        hits=5868, user_data=0x7fff2c931380, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out <SNIP>

Phase: 12
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out <SNIP>

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out <SNIP>
<In this example, IDFW is not configured>

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in <SNIP>

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in <SNIP>

Phase: 16
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out <SNIP>

Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3855350, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inline_tcp_mod
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_inline_tcp_mod
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Related Information
Very Helpful document ...Thanks !!!