I am currently implementing a WSA in a Cisco ASA environment. For all internal devices I use WCCP (the WSA is on inside from the firewall perspective).
However, in the environment there is also a guest network terminating on a DMZ of the firewall. Because of the limitiations in ASA I cant use WCCP for this traffic.
Which is the recommended approach to "proxify" the guest users internet traffic? If possible I want to avoid proxy settings in the devices since this is a network with unknown device types. Also, I want to avoid proxy auto-discovery for the same reason.
Yes, there is a VM infrastructure. However, I don´t really like the idea with one more WSA-instance with its own configuration to manage just for the guest network.
How is this solved in other environments? Is proxy auto-discovery for guest (unmanaged devices) a recommended approach? Is there a way to make this totally transparent for the guest users even though they resides on a DMZ and the WSA is on the inside?
One option is to seperate a guest network by using a seperate subnet rather internally rather then have the guests on the DMZ. Then you may setup an identity based on that subnet. Once you have that identity setup add it to a access policy and define which categories you would like to block, monitor or allow. Remeber when you allow a category the WSA will not use its scanning engines for example, WBRS Web Reputation Score, Webroot or Anti Virus. This will allow you to seprately control the guest network through the WSA. This is the most common setup which I see often.
Erik Kaiser WSA CSE WSA Cisco Forums Moderator
WSA Cisco Forums Moderator
The Cisco Secure Firewall and SecureX teams are looking for feedback from active Secure Firewall users who may or may not have already activated SecureX. Your responses will help us improve the Firepower experience in SecureX. Th...
Related documentsCisco ISE (Identity Services Engine) IPv6 features by release2.6ISE ManagementNetwork Time Protocol SupportDomain Name System SupportExternal RepositoriesAudit Logs and ReportsSimple Network Management ProtocolAccess Control Lists And Dyn...
Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have a branch sites which obtains a dynamic public IP from the Internet ISP. For example an ADSL connection.One important note is that Site-to-Site VPN with Dynamic remote routers P...
On R1, configure a key ring that defines the peer R3:Address: 18.104.22.168Local and remote pre-shared key: cisco R1(config)#crypto ikev2 keyring KRR1(config-ikev2-keyring)# peer R3R1(config-ikev2-keyring-peer)# address 22.214.171.124R1(config-ikev2-keyring-pee...