
Anyconnect users websecurity using Cisco WSA

We are planning to provide web security to AnyConnect users using Cisco WSA.
Could you tell us which is the better way?


I'm assuming we can advertise a default route to AnyConnect users and give the following command:
"ip route inside 0.0.0.0 0.0.0.0 <Coreswitch_IP> tunneled"

So once the traffic hits the inside core switch, the traffic will take a U-turn, head back to the internet, and be caught by the WCCP running on the inside interface of the ASA.

 

Is there any other option to try?

3 Replies

Hi,

What you have suggested seems fine by me, other than that you could of course explicitly configure the proxy in the users' web browser.

Thanks for your reply.
But we recently migrated to transparent proxy from explicit.
So I think we cannot use proxy in IE settings again.

One question: using
#Route inside 0 0 tunneled
is it going to send only AnyConnect traffic to the inside, or other VPN traffic like site-to-site or GRE, etc.?

Yes, only traffic originating from an AnyConnect connection should use that configured static route with the tunneled keyword appended.

 

For reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

 

HTH