Collin Clark
VIP Alumni

I thought I would post my configuration for sending traffic to the CX from the ASA CLI. In talking with TAC, there are two schools of thought here: create a deny ACL blocking what you do not want filtered and then put a permit at the end, or create a permit ACL with what you want filtered and then a deny to prevent all other traffic from being sent to the CX. The latter makes more sense to me, so that is the route I go.

First I create an object group with the internal networks. In this example I'll be sending all private address spaces (per RFC1918) to CX.

object-group network RFC1918
  description RFC1918 Private IPv4 Address Space
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0

Now for the ACL. I'll be sending any traffic that has an RFC1918 source address destined to anywhere on TCP port 80 or 443 to the CX.

access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https

Next we create the Class Map that we will be putting in the Policy Map. We tell the Class Map to look at the ACL we just created.

class-map CM-CX-FILTER
  match access-list ACL-CX-FILTER

Finally we add the Class Map to the Policy Map.

policy-map global_policy
  ...
  ...
  class CM-CX-FILTER
    cxsc fail-open auth-proxy

You can also do this in PRSM, but I found that it creates a somewhat goofy naming scheme, so I prefer to do it myself. Hope it helps.
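Added example, not part of the original post: a small Python evaluator for the object-group and access-list syntax shown above, so you can check which flows the permit entries hand to the CX and which fall through to the implicit deny and bypass the module. It handles only the subset of ASA ACL syntax used in the post (tcp/ip protocol, any, object-group, IP MASK operands, and a destination eq port) and does not model the class-map or policy-map.

```python
import ipaddress

# Constructed copy of the object-group and ACL from the post (the CX redirect policy).
ASA_CONFIG = """
object-group network RFC1918
  description RFC1918 Private IPv4 Address Space
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # ASA port keywords used here

def operand(tok, i, groups):
    """Parse one address operand: any | object-group NAME | IP MASK."""
    if tok[i] == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")], i + 2

def parse_config(text):
    """Return {acl_name: [(action, proto, src_nets, dst_nets, dport)]} in ACE order."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None:
            current.append(ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}"))
        elif tok[:1] == ["access-list"]:
            # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
            src, i = operand(tok, 5, groups)
            dst, i = operand(tok, i, groups)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, dport))
    return acls

def sent_to_cx(acls, name, proto, src, dst, dport):
    """First matching ACE decides; no match is the implicit deny, i.e. the flow bypasses CX."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, aproto, src_nets, dst_nets, port in acls.get(name, []):
        if aproto in (proto, "ip") and any(s in n for n in src_nets) \
                and any(d in n for n in dst_nets) and port in (None, dport):
            return action == "permit"
    return False
```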
