Cisco ASA Series Configuration Manual page 147

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 8
ASA and Cisco Cloud Web Security
(Example continued from the previous page)

    hostname(config-object-network)# fqdn tools.cisco.com
    hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
    hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object cisco2 eq 80
    hostname(config)# access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80

b. Create a traffic class for each ACL you defined.

    hostname(config)# class-map class_name
    hostname(config-cmap)# match access-list acl_name

   Example:

    hostname(config)# class-map cws_class1
    hostname(config-cmap)# match access-list SCANSAFE_HTTP
    hostname(config)# class-map cws_class2
    hostname(config-cmap)# match access-list SCANSAFE_HTTPS

Step 3  Create or edit the policy map to redirect the traffic to Cloud Web Security.

a. Add or edit a policy map that sets the actions to take with the class map traffic. In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. You can only apply one policy to each interface or globally.

    policy-map name

   Example:

    hostname(config)# policy-map global_policy

b. Identify one of the traffic class maps you created for Cloud Web Security inspection.

    class name

   Example:

    hostname(config-pmap)# class cws_class1

c. Configure ScanSafe inspection for the class.

    inspect scansafe scansafe_policy_map [fail-open | fail-close]

   Example:

    hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap1 fail-open

   Where:

   scansafe_policy_map is the ScanSafe inspection policy map. Ensure that you match the protocols in the class and policy maps (both HTTP or HTTPS).

   Specify fail-open to allow traffic to pass through the ASA if the Cloud Web Security servers are unavailable.

   Specify fail-close to drop all traffic if the Cloud Web Security servers are unavailable. fail-close is the default.

   Note: If you are editing the default global policy (or any in-use policy) to use a different ScanSafe inspection policy map, you must remove the ScanSafe inspection with the no inspect scansafe command, and then re-add it with the new inspection policy map name.
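Because the fail-open and fail-close keywords decide whether web traffic bypasses Cloud Web Security when the towers are unreachable, a running-config is worth auditing for them. The following Python script is an added example, not part of this guide or any Cisco tool: it parses a constructed config fragment assembled from the commands above (ACLs, class maps, the policy map and its inspect scansafe actions), reports which class and ACL each ScanSafe inspection covers, and flags bindings that are fail-open or whose class matches more than one port.

```python
import re
# Constructed sample running-config built from this page's commands (inspection map names are the page's placeholders).
SAMPLE_CONFIG = """
access-list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80
access-list SCANSAFE_HTTP extended permit tcp any4 any4 eq 80
access-list SCANSAFE_HTTPS extended permit tcp any4 any4 eq 443
class-map cws_class1
 match access-list SCANSAFE_HTTP
class-map cws_class2
 match access-list SCANSAFE_HTTPS
policy-map global_policy
 class cws_class1
  inspect scansafe cws_inspect_pmap1 fail-open
 class cws_class2
  inspect scansafe cws_inspect_pmap2
"""

def parse_scansafe(text: str) -> list[dict]:
    """Return each 'inspect scansafe' action with its class-map, ACL, permitted ports and mode."""
    acl_ports, class_acl, findings = {}, {}, []
    cmap = policy = pclass = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended permit tcp .*\beq (\S+)$", line)
        if m:  # permit entries define what the class sends to CWS; deny entries are exemptions
            acl_ports.setdefault(m.group(1), set()).add(m.group(2))
        elif line.startswith("class-map "):
            cmap = line.split()[1]
        elif line.startswith("match access-list ") and cmap:
            class_acl[cmap] = line.split()[2]
        elif line.startswith("policy-map "):
            policy = line.split()[1]
        elif line.startswith("class ") and policy:
            pclass = line.split()[1]
        elif line.startswith("inspect scansafe ") and policy:
            parts, acl = line.split(), class_acl.get(pclass)
            findings.append({"policy": policy, "class": pclass, "acl": acl, "ports": sorted(acl_ports.get(acl, set())),
                             "mode": parts[3] if len(parts) > 3 else "fail-close"})  # fail-close is the ASA default
    return findings

def audit_scansafe(text: str) -> list[str]:
    """Flag fail-open bindings and classes whose ACL mixes HTTP and HTTPS ports."""
    issues = []
    for f in parse_scansafe(text):
        where = f"{f['policy']}/{f['class']}"
        if f["mode"] == "fail-open":
            issues.append(f"{where}: fail-open, web traffic bypasses CWS when the towers are unreachable")
        if len(f["ports"]) > 1:
            issues.append(f"{where}: ACL {f['acl']} matches ports {f['ports']}; use one protocol per class")
    return issues
```

Run it against the output of show running-config to get the same findings for a real device; an inspection with no keyword is reported as fail-close because that is the default.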
Configure Cisco Cloud Web Security
Cisco ASA Series Firewall CLI Configuration Guide
8-11